Bug 12517

Summary: ipfw should not log to console when using the 'log' keyword but does (sort of documented)
Product: Base System
Reporter: Florian Uhl <ankh>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 3.2-STABLE
Hardware: Any
OS: Any

Description Florian Uhl 1999-07-05 07:40:01 UTC
	When using the 'log' keyword for ipfw rules, ipfw logs not only via syslog
	(using !ipfw notation) but to the console as well (this is the documented
	behaviour). On a medium to high traffic machine this generates _a lot_ of
	totally unnecessary messages on the console. None of them is really critical
	or something like that. Anyway, applications should not log to the console at
	all but to syslog alone. If I want some application to log to the console, I
	will tell syslogd to do so.

	From the 'ipfw' man page:

	| If the kernel was compiled with IPFIREWALL_VERBOSE, then when a packet
	| matches a rule with the log keyword a message will be printed on the
	| console.

	From my kernel configuration:

	| [byron: /usr/src/sys/i386/conf] grep FIREWALL BYRON
	| options IPFIREWALL
	| options IPFIREWALL_DEFAULT_TO_ACCEPT

	Nothing about VERBOSE.

	Next paragraph from 'man ipfw':

	| Console logging and the log limit are adjustable dynamically through the
	| sysctl(8) interface.

	This means console logging is the only logging method!?

	From sysctl:

	| [byron: /usr/src/sys/i386/conf] sysctl -a | egrep -v ^ipfw | egrep fw\.
	| net.inet.ip.fw.debug: 0
	| net.inet.ip.fw.one_pass: 1
	| net.inet.ip.fw.verbose: 1
	| net.inet.ip.fw.verbose_limit: 0

	There is nothing about console at all. If I set net.inet.ip.fw.verbose to 0,
	it doesn't log anything. Not what I want, either.

Fix:

Add sysctl net.inet.ip.fw.logconsole.

How-To-Repeat:
	ipfw add allow log tcp from any to any
Comment 1 Sheldon Hearn freebsd_committer freebsd_triage 1999-07-05 17:37:37 UTC
State Changed
From-To: open->feedback

In fact, every single call to ipfw_report() is dependent on
fw_verbose being true, which is true if the code is compiled with
IPFIREWALL_VERBOSE defined. Also, the only reporting we do is via the
ipfw_report() interface, the behaviour of which is not dependent on the
state of fw_verbose.

In other words, we seem to do only _one_ kind of logging, and we only do
it if IPFIREWALL_VERBOSE is _not_ defined at compile-time.

I'm curious to know what makes you say that ipfw logs via syslog and "to 
the console as well". I realize that the documentation says so, but in   
your experience of the software, do you find this to be true? 

One way to find out for sure whether a message is being sent via syslog  
is to run syslogd -vv (see the manpage for details) having added the  
following line to /etc/syslog.conf: 

*.*                     /var/log/syslog.all 

Obviously, you need to create the file /var/log/syslog.all before you 
kill and restart syslogd with the -v -v options. 
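A small sh implementation of the capture setup described in the comment above, added here as an example and not part of the bug report: it creates the target file before syslogd is restarted (the step the comment warns about), adds the `*.*` line to syslog.conf only once, and assumes the FreeBSD paths /etc/syslog.conf and /var/run/syslog.pid; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): prepare the catch-all syslog
# capture suggested in Comment 1 for checking whether ipfw messages reach
# syslogd. Two gotchas are handled: syslogd will not create the target file
# itself, and re-running the setup must not duplicate the syslog.conf line.
# Paths are parameters so the functions can be exercised on scratch copies;
# the defaults are the FreeBSD locations (assumed).

ensure_catchall_log() {
    conf=${1:-/etc/syslog.conf}
    logfile=${2:-/var/log/syslog.all}

    # Create the file root-only: a *.* capture includes auth and kernel
    # messages, so it should not be readable by other users.
    if [ ! -f "$logfile" ]; then
        ( umask 077 && : > "$logfile" ) || return 1
    fi

    # Idempotent: append the rule only if no line already maps *.* to this
    # file. awk splits on any whitespace, so tab- and space-separated
    # selector/action pairs both match.
    if ! awk -v f="$logfile" '$1 == "*.*" && $2 == f { found = 1 }
                              END { exit found ? 0 : 1 }' "$conf" 2>/dev/null
    then
        printf '*.*\t%s\n' "$logfile" >> "$conf" || return 1
    fi
}

# Number of catch-all rules in a syslog.conf that point at a given file
# (used to confirm the setup stays idempotent).
catchall_rule_count() {
    awk -v f="$2" '$1 == "*.*" && $2 == f { n++ } END { print n + 0 }' "$1"
}

# Final step from the comment: stop the running syslogd and start it with
# -v -v so each captured line is tagged with its facility and priority.
# The pidfile location is the FreeBSD default and is an assumption here.
restart_syslogd_verbose() {
    pidfile=${1:-/var/run/syslog.pid}
    kill "$(cat "$pidfile")" && syslogd -v -v
}
```

Run ensure_catchall_log as root first, then restart_syslogd_verbose, then trigger a logged rule and check whether the line appears in /var/log/syslog.all; if it does, the message went through syslogd, whatever the console shows.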
Comment 2 Sheldon Hearn freebsd_committer freebsd_triage 1999-07-10 18:15:03 UTC
State Changed
From-To: feedback->closed

Mail requesting feedback bounces. :-(