ipfw Logging Verbosity

[Tim Daneliuk]

Is there some middle ground between ipfw 'log' options between
silent and garden house.

I have a rule that looks like this:

deny ip from table(10) to any via ${INTERFACE}

Table 10 is biiiig - lots and lots of entries in it.


This results in nothing whatsoever being written to /var/log/security
when a table entry is rejected.

But, if I add the verb "log" to the above command, it writes a
continuous stream of rejected connection attempts matching one
of the table rules - presumably because these many entries are
still trying (which I why I blacklisted them in the first place).

Is there a way to get a more summarized view of the rejections
so that the logging isn't so noisy, but still capture a sense of
what is being stopped?

TIA

[Dewayne Geraghty]

Perhaps
sysctl net.inet.ip.fw.verbose_limit=$Some_lower_number
may assist?

[Michael Sierchio]

Logging what you're blocking is of very little value – you already have them in your block list. But if you insist, write separate rules for different types of traffic.  Specify the protocol in the rule.  Log only RECV not VIA. 

log tcp from table\(10\) to me in recv $WAN setup

log udp from table\(10\) to me in recv $WAN

log icmp from table\(10\) to me in recv $WAN

etc.

Consider sane numbers for logamount.  

I have a rule that does this

pipe 4 log ip from table\(tarpit\) to any in recv  $WAN

where the pipe is very, very small – 1000bit/s – you can make it even smaller.  That's before a rule which drops it.