ipfw question ....
William A. Mahaffey III
wam at hiwaay.net
Sat Aug 9 14:33:02 UTC 2014
On 08/09/14 09:15, Mike Tancsa wrote:
> On 8/9/2014 10:15 AM, William A. Mahaffey III wrote:
>>
>>
>> Why is there a limit on the # of logged denials by ipfw ?
>
> The limit is there to prevent conditions where syslog would be
> overwhelmed with hits, as in the case for example of a DoS. You can
> change it as discussed in the man pages
>
>
> If net.inet.ip.fw.verbose is set to 1, packets will be logged to
> syslogd(8) with a LOG_SECURITY facility up to a maximum of logamount
> packets. If no logamount is specified, the limit is taken from the
> sysctl variable net.inet.ip.fw.verbose_limit. In both cases, a value
> of 0 means unlimited logging.
>
> Once the limit is reached, logging can be re-enabled by clearing the
> logging counter or the packet counter for that entry, see the resetlog
> command.
>
> ---Mike
>
>
Hmmmm .... OK, sounds good. I would like a bit more granularity on
deciding what to log & what to not log. For example, 99% of the time, I
would drop denials from my LAN, except when I am trying to figure out
why I can't get NFS working, for example. I'd like to be able to choose
that when I (re)start ipfw. I am using the default rc.firewall located
in /etc, BTW. I might like to specify denial-logging by protocol *and*
port #, rather than just port # .... Is there a way to implement any of
this ? Thanks & TIA ....
--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
More information about the freebsd-questions
mailing list