[neely]

I usually use 'sudo sysctl -w net.inet.ip.fw.verbose=1' to enable ipfw logging to /var/log/system.log, and this has always worked fine. However, since I updated to 10.2.4 this command no longer works, despite 'sysctl -a' showing verbose:1 after I issue it. Does anyone know if firewall logging under 10.2.4 has changed/broken, and can anyone offer a solution?

MTIA,
Neil.

[entrox]

From what I gathered from the ipfw manpage, this verbose option should only cause output when a rule with a "log" keyword was matched. I don't know what the exact behaviour was, but if it printed out everything by default then it was probably a bug (or at least contradicting the manpage).

If you want to log *all* traffic, add a default route with matches everything and contains a log keyword.

Code:
# Log everything
/sbin/ipfw add 10 allow log ip from any to any

But this will cause a lot of output, so you may want to narrow the log-rules down to the things you want to monitor. Alternatively, you can limit the amount it prints by setting `net.inet.ip.fw.verbose_limit' to 1000 or some other value.

[neely]

Originally posted by entrox:
From what I gathered from the ipfw manpage, this verbose option should only cause output when a rule with a "log" keyword was matched.

Bugger. Yes, you're right. A quick 'sudo ipfw -a list' shows that none of Jaguar's built-in rules are set up to log. I did a clean install for 10.2.4 and that must have screwed up my rules.

Thanks entrox.