Re: [PATCH] ipfw logging through tcpdump ?

From: Bjoern A. Zeeb <bzeeb-lists_at_lists.zabbadoz.net>
Date: Tue, 15 Dec 2009 10:09:47 +0000 (UTC)
On Tue, 15 Dec 2009, Luigi Rizzo wrote:

Hi,

> The following ipfw patch (which i wrote back in 2001/2002) makes
> ipfw logging possible through tcpdump -- it works by passing to the
> fake device 'ipfw0' all packets matching rules marked 'log' .
> The use is very simple -- to test it just do
>
> 	ipfw add 100 count log ip from any to any
>
> and then
>
> 	tcpdump -ni ipfw0
>
> will show all matching traffic.
>
> I think this is a quite convenient and flexible option, so if there
> are no objections I plan to commit it to head.


pf(4) has pflog(4).   Ideally calling it the same would be good though
I wonder if two of the the three of our firewalls grow that feature,
if we could have a common packet logging device rather than re-doing
it for each implementation.

Frankly,  I haven't looked at the details of the implementation but I
found getting rul numbers with tcpdump -e etc. was pretty cool to
identify where things were blocked or permitted.

Also make sure that the per-VIMAGE interface will work correctly and
as expected.

/bz

-- 
Bjoern A. Zeeb         It will not break if you know what you are doing.
Received on Tue Dec 15 2009 - 09:10:07 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:39:59 UTC