download

Network Configuration—FirewallsDynamic rules have a limited lifetime. The default lifetime for a dynamicrule is 300 seconds, and this can be changed using variables under thenet.inet.ip.fw sysctl subtree.LoggingThere may be times when you have to have a deeper look into your firewall rules,and get more details on what is being matched by a rule. This is possible using theIPFW's built-in logging facility. Logging can be enabled for each rule in a firewallruleset as follows:# add 200 allow log tcp from 192.168.0.0/24 to anyThe above rule tells ipfw to log every matching packet with this rule (hence the logkeyword right after the action keyword, in this case allow) into the LOG_SECURITYfacility of syslogd(8).In order to enable logging feature in IPFW, you should either add theIPFIREWALL_VERBOSE option to kernel or set the net.inet.ip.fw.verbose sysctl variable to 1.Once a packet is matched with a firewall rule with the log keyword, a message willbe logged to syslog. In a normal system configuration, you can find these messagesin the /var/log/security file as shown here:# tail /var/log/securityOct 9 19:43:33 home kernel: ipfw: 60 Accept TCP 192.168.0.5:22192.168.0.222:52195 out via fxp0Oct 9 19:43:33 home kernel: ipfw: 60 Accept TCP 192.168.0.5:22192.168.0.222:52195 out via fxp0Oct 9 19:43:33 home kernel: ipfw: 60 Accept TCP 192.168.0.222:52195192.168.0.5:22 in via fxp0Oct 9 19:43:33 home kernel: ipfw: 60 Accept TCP 192.168.0.222:52195192.168.0.5:22 in via fxp0Oct 9 19:43:33 home kernel: ipfw: 60 Accept TCP 192.168.0.5:22192.168.0.222:52195 out via fxp0Oct 9 19:43:33 home kernel: ipfw: 60 Accept TCP 192.168.0.5:22192.168.0.222:52195 out via fxp0Oct 9 19:43:33 home kernel: ipfw: 60 Accept TCP 192.168.0.222:52195192.168.0.5:22 in via fxp0Oct 9 19:43:34 home kernel: ipfw: 60 Accept TCP 192.168.0.5:22192.168.0.222:52195 out via fxp0Oct 9 19:43:34 home kernel: ipfw: 60 Accept TCP 192.168.0.5:22192.168.0.222:52195 out via fxp0[ 190 ]