From ankh@byron.fachschaften.uni-muenchen.de Sun Jul  4 23:37:14 1999
Return-Path: <ankh@byron.fachschaften.uni-muenchen.de>
Received: from byron.fachschaften.uni-muenchen.de (byron.fachschaften.uni-muenchen.de [129.187.163.38])
	by hub.freebsd.org (Postfix) with ESMTP id 835A215297
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  4 Jul 1999 23:37:09 -0700 (PDT)
	(envelope-from ankh@byron.fachschaften.uni-muenchen.de)
Received: (from ankh@localhost)
	by byron.fachschaften.uni-muenchen.de (8.9.3/8.9.3) id IAA99970;
	Mon, 5 Jul 1999 08:37:24 GMT
Message-Id: <199907050837.IAA99970@byron.fachschaften.uni-muenchen.de>
Date: Mon, 5 Jul 1999 08:37:24 GMT
From: Florian Uhl <ankh@byron.fachschaften.uni-muenchen.de>
Reply-To: ankh@byron.fachschaften.uni-muenchen.de
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw should not log to console
X-Send-Pr-Version: 3.2

>Number:         12517
>Category:       kern
>Synopsis:       ipfw should not log to console when using the 'log' keyword but does (sort of documented)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul  4 23:40:01 PDT 1999
>Closed-Date:    Sat Jul 10 10:15:03 PDT 1999
>Last-Modified:  Sat Jul 10 10:15:59 PDT 1999
>Originator:     Florian Uhl
>Release:        FreeBSD 3.2-STABLE i386
>Organization:
Department of Computer Sciences at University Munich/Germany
>Environment:

	FreeBSD byron 3.2-STABLE FreeBSD 3.2-STABLE #0: Sun Jun 27 17:40:55 GMT 1999

>Description:

	When using the 'log' keyword for ipfw rules, ipfw logs not only via syslog
	(using !ipfw notation) but to the console as well (this is the documented
	behaviour). On a medium to high traffic machine this generates _a lot_ of
	totally unnecessary messages on the console. None of them is really critical
	or something like that. Anyway, applications should not log to the console at
	all but to syslog alone. If I want some application to log to the console, I
	will tell syslogd to do so.

	From the 'ipfw' man page:

	| If the kernel was compiled with IPFIREWALL_VERBOSE, then when a packet
	| matches a rule with the log keyword a message will be printed on the con-
	| sole.

	From my kernel configuration:

	| [byron: /usr/src/sys/i386/conf] grep FIREWALL BYRON
	| options IPFIREWALL
	| options IPFIREWALL_DEFAULT_TO_ACCEPT

	Nothing about VERBOSE.

	Next paragraph from 'man ipfw':

	| Console logging and the log limit are adjustable dynamically through the
	| sysctl(8) interface.

	This means console logging is the only logging method!?

	From sysctl:

	| [byron: /usr/src/sys/i386/conf] sysctl -a | egrep -v ^ipfw | egrep fw\.
	| net.inet.ip.fw.debug: 0
	| net.inet.ip.fw.one_pass: 1
	| net.inet.ip.fw.verbose: 1
	| net.inet.ip.fw.verbose_limit: 0

	There is nothing about console at all. If I set net.inet.ip.fw.verbose to 0,
	it doesn't log anything. Not what I want, either.

>How-To-Repeat:

	ipfw add allow log tcp from any to any

>Fix:
	Add sysctl net.inet.ip.fw.logconsole.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: sheldonh 
State-Changed-When: Mon Jul 5 09:37:37 PDT 1999 
State-Changed-Why:  
In fact, every single call to ipfw_report() is dependent on
fw_verbose being true, which is true if the code is compiled with
IPFIREWALL_VERBOSE defined. Also, the only reporting we do is via the
ipfw_report() interface, the behaviour of which is not dependent on the
state of fw_verbose.

In other words, we seem to do only _one_ kind of logging, and we only do  
it if IPFIREWALL_VERBOSE is _not_ defined at compile-time. 

I'm curious to know what makes you say that ipfw logs via syslog and "to 
the console as well". I realize that the documentation says so, but in   
your experience of the software, do you find this to be true? 

One way to find out for sure whether a message is being sent via syslog  
is to run syslogd -vv (see the manpage for details) having added the  
following line to /etc/syslog.conf: 

*.*                     /var/log/syslog.all 

Obviously, you need to create the file /var/log/syslog.all before you 
kill and restart syslogd with the -v -v options. 
State-Changed-From-To: feedback->closed 
State-Changed-By: sheldonh 
State-Changed-When: Sat Jul 10 10:15:03 PDT 1999 
State-Changed-Why:  
Mail requesting feedback bounces. :-( 
>Unformatted:

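The check suggested in the audit trail (a catch-all *.* line in syslog.conf, then see where the messages land), worked through as an added example. This script is not part of the PR, of FreeBSD or of ipfw: the syslog.conf and the log lines are constructed samples, the hosts, interface and rule numbers are made up, and the "ipfw: <rule> <action> <proto> ..." line shape is an assumption about the report format.

```sh
#!/bin/sh
# Added example, not code from the PR or from FreeBSD: given a syslog.conf
# and a chunk of syslog output, list where kern-facility messages (which is
# how ipfw reports reach syslogd) can be delivered, and count the reports
# per ipfw rule. All inputs are constructed samples.

# Constructed syslog.conf: a console line, the usual messages file, and the
# catch-all line the audit trail suggests adding.
SYSLOG_CONF_SAMPLE='# selector                               action
*.err;kern.debug;auth.notice;mail.crit   /dev/console
*.notice;kern.debug;lpr.info;mail.crit   /var/log/messages
*.*                                      /var/log/syslog.all'

# Constructed log lines in the shape syslogd writes for kernel messages;
# the assumed ipfw report format is "ipfw: <rule> <action> <proto> ...".
IPFW_LOG_SAMPLE='Jul  5 08:37:24 byron /kernel: ipfw: 100 Accept TCP 192.0.2.10:1234 192.0.2.20:22 in via fxp0
Jul  5 08:37:25 byron /kernel: ipfw: 100 Accept TCP 192.0.2.10:1235 192.0.2.20:22 in via fxp0
Jul  5 08:37:26 byron /kernel: ipfw: 200 Deny UDP 198.51.100.7:53 192.0.2.20:53 in via fxp0
Jul  5 08:37:27 byron sshd[123]: Connection from 192.0.2.10 port 1234'

# syslog_targets_for_kern CONF
# Print every action (file, device, ...) whose selector can match a
# kern-facility message. Comment and blank lines are skipped; a selector
# list is split on ";" and each facility list on ",". Priorities are not
# compared, so this lists every possible destination for kern messages.
syslog_targets_for_kern() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF >= 2 {
            hit = 0
            n = split($1, sels, ";")
            for (i = 1; i <= n && !hit; i++) {
                dot = index(sels[i], ".")
                if (dot == 0) continue
                m = split(substr(sels[i], 1, dot - 1), facs, ",")
                for (j = 1; j <= m; j++)
                    if (facs[j] == "*" || facs[j] == "kern") hit = 1
            }
            if (hit) print $2
        }'
}

# ipfw_hits_by_rule LOG
# Count reports per ipfw rule number and action, printing one line per
# rule as "<rule> <action> <count>", sorted by rule number. Lines that are
# not ipfw reports (the sshd line above) are ignored.
ipfw_hits_by_rule() {
    printf '%s\n' "$1" | awk '
        match($0, /ipfw: [0-9]+ [A-Za-z]+/) {
            split(substr($0, RSTART + 6, RLENGTH - 6), f, " ")
            count[f[1] " " f[2]]++
        }
        END { for (k in count) print k, count[k] }' | sort -n
}

echo "syslogd destinations that can receive kern (ipfw) messages:"
syslog_targets_for_kern "$SYSLOG_CONF_SAMPLE"
echo "reports per ipfw rule:"
ipfw_hits_by_rule "$IPFW_LOG_SAMPLE"
```

Note that /dev/console shows up in the first list: a selector such as kern.debug directed at /dev/console in syslog.conf puts ipfw reports on the console by way of syslogd, independently of anything the kernel prints there itself, so it is worth ruling out before attributing all console noise to the kernel.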