freebsd security - Nov 2004 - ipfw logging

Hi all!
After installing 5.3 I've noticed
some change in firewall logging.
Prior (on 5.2) rules gave me what
I needed: trimed to 3 of the same
connection. Every new connection
on the same rule gave new log line
up to 3. I have in kernel:
  FIREWALL
  FIREWALL_VERBOSE
  FIREWALL_VERBOSE_LIMIT=3
Now, all connections on the same
rule are trimed to 3. Is it possib-
le on 5.3 to have all connections
logged, but no more than 3 of the
same?
Just a little annoyance... I'd
rather see what was blocked. New
is even line:
"ipfw: limit 3 reached on entry 1500"
Can I do something to have old way
of logging back?
Best regards

                       ZK

On Mon, Nov 15, 2004 at 07:55:24AM +0100, Zoran Kolic
wrote:
> Hi all!
> After installing 5.3 I've noticed
> some change in firewall logging.
> Prior (on 5.2) rules gave me what
> I needed: trimed to 3 of the same
> connection. Every new connection
> on the same rule gave new log line
> up to 3. I have in kernel:
>   FIREWALL
>   FIREWALL_VERBOSE
>   FIREWALL_VERBOSE_LIMIT=3
> Now, all connections on the same
> rule are trimed to 3. Is it possib-
> le on 5.3 to have all connections
> logged, but no more than 3 of the
> same?
> Just a little annoyance... I'd
> rather see what was blocked. New
> is even line:
> "ipfw: limit 3 reached on entry 1500"
> Can I do something to have old way
> of logging back?
> Best regards
This may or may not help you with your situation but I found it to be a
considerable step up from setting these options in the kernel:

As of 5.3 (or perhaps earlier - I first noticed it in 5.3) you can
edit net.inet.ip.fw.verbose and net.inet.ip.fw.verbose_limit via
sysctl. Perhaps you'll have some luck fiddling with the value of
net.inet.ip.fw.verbose_limit.

Hope that helps.


-Snow