On Tue, 15 Dec 2009, Luigi Rizzo wrote:

Hi,

> The following ipfw patch (which I wrote back in 2001/2002) makes
> ipfw logging possible through tcpdump -- it works by passing to the
> fake device 'ipfw0' all packets matching rules marked 'log'.
> The use is very simple -- to test it just do
>
>     ipfw add 100 count log ip from any to any
>
> and then
>
>     tcpdump -ni ipfw0
>
> will show all matching traffic.
>
> I think this is a quite convenient and flexible option, so if there
> are no objections I plan to commit it to head.

pf(4) has pflog(4). Ideally calling it the same would be good though I wonder if two of the three of our firewalls grow that feature, if we could have a common packet logging device rather than re-doing it for each implementation.

Frankly, I haven't looked at the details of the implementation but I found getting rule numbers with tcpdump -e etc. was pretty cool to identify where things were blocked or permitted.

Also make sure that the per-VIMAGE interface will work correctly and as expected.

/bz

--
Bjoern A. Zeeb It will not break if you know what you are doing.

Received on Tue Dec 15 2009 - 09:10:07 UTC