Bug 232956 - Update the ipfw section in the Handbook: kernel options, ipfw0, configuration
Summary: Update the ipfw section in the Handbook: kernel options, ipfw0, configuration
Status: Open
Alias: None
Product: Documentation
Classification: Unclassified
Component: Documentation (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Guangyuan Yang
URL:
Keywords: easy, patch
Depends on:
Blocks:
 
Reported: 2018-11-04 11:59 UTC by f.toscan
Modified: 2018-12-09 15:59 UTC (History)
3 users (show)

See Also:


Attachments
Patch (3.77 KB, patch)
2018-11-04 11:59 UTC, f.toscan
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description f.toscan 2018-11-04 11:59:03 UTC
Created attachment 198938 [details]
Patch

This is my first attempt to update the ipfw section in the Handbook. I've documented some kernel compile options, introduced ipfw0 and sysrc usage.
If the direction is right I can go further with logging and in-kernel nat.
The patch attached was tested and the documentation build was fine.
Comment 1 Guangyuan Yang freebsd_committer 2018-12-01 21:43:35 UTC
(In reply to f.toscan from comment #0)

Thank you for the patch! Could you please upload your patch to Phabricator (reviews.freebsd.org) so it can easily be reviewed by more eyes?
Comment 2 f.toscan 2018-12-05 07:33:21 UTC
Sure I will: can you point me to a document/FreeBSD procedure which describes how to properly use phabricator? I skimmed the FreeBSD's Developers handbook but I found no directions.
Thanks,
f.
Comment 3 Guangyuan Yang freebsd_committer 2018-12-05 22:09:28 UTC
(In reply to f.toscan from comment #2)

There's a pretty comprehensive tutorial on https://wiki.freebsd.org/Phabricator. You could also just use the web interface at reviews.freebsd.org, create an account then a revision (try to upload full diff), and post the link here. Thanks!
Comment 4 f.toscan 2018-12-08 16:00:29 UTC
Here it is:
https://reviews.freebsd.org/D18484
Comment 5 joeb1 2018-12-09 15:59:50 UTC
Now testing 12.0-RC3. IPFW logging records coming from a vnet jail are intermingled with the hosts ipfw log file. This has been a known problem since 9.0. Testing with IPFW firewall running on the gateway host and ipfw running in the vnet jail. Found solution to logging vnet jail records to vnet jail ipfw log file.

Found out about the undocumented ipfw0 log. This works in each vnet jail logging the vnet jails log records to the /var/log/security.log file in the vnet jail.

To enable place the normal ipfw statements in the vnet jails rc.conf with these changes.

firewall_logging="NO"
firewall_logif="YES"
nohup tcpdump -lnti ipfw0 | logger -t jailname -p security.info &

This method should be documented someplace.