Created attachment 198938
This is my first attempt to update the ipfw section in the Handbook. I've documented some kernel compile options, introduced ipfw0 and sysrc usage.
If the direction is right I can go further with logging and in-kernel nat.
The patch attached was tested and the documentation build was fine.
(In reply to f.toscan from comment #0)
Thank you for the patch! Could you please upload your patch to Phabricator (reviews.freebsd.org) so it can easily be reviewed by more eyes?
Sure, I will: can you point me to a document/FreeBSD procedure which describes how to properly use Phabricator? I skimmed the FreeBSD Developers' Handbook but I found no directions.
(In reply to f.toscan from comment #2)
There's a pretty comprehensive tutorial on https://wiki.freebsd.org/Phabricator. You could also just use the web interface at reviews.freebsd.org, create an account, then a revision (try to upload a full diff), and post the link here. Thanks!
Here it is:
Now testing 12.0-RC3. IPFW logging records coming from a vnet jail are intermingled with the host's ipfw log file. This has been a known problem since 9.0. Testing with the IPFW firewall running on the gateway host and ipfw running in the vnet jail. Found a solution for logging vnet jail records to the vnet jail's ipfw log file.
Found out about the undocumented ipfw0 log. This works in each vnet jail, logging the vnet jail's log records to the /var/log/security.log file in the vnet jail.
To enable, place the normal ipfw statements in the vnet jail's rc.conf with these changes.
nohup tcpdump -lnti ipfw0 | logger -t jailname -p security.info &
This method should be documented someplace.