# ipfw logging gives error during startup



## sdad (Jan 2, 2011)

Chapter of manual 30.6 says to add to /etc/sysctl.conf


```
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5
```

During boot I get a message:


```
/etc/rc.d/sysctl Warning: net.inet.ip.fw.verbose doesn't exist
/etc/rc.d/sysctl Warning: net.inet.ip.fw.verbose_limit doesn't exist
```

How do I go about resolving this issue?

I do not have NAT enabled in rc.conf.
Besides rem'ing out the NAT section, I turned if off in ppp as well.

Boot also indicates that


```
Firewall logging enabled
```

but catch this:

in /var/log/messages

is  this:


```
ipfw2 (+ipv6) initialized, divert loadable, nat loadable, rules based forwarding disabled, default to deny, logging disabled
```

What did I do wrong?


----------



## phoenix (Jan 4, 2011)

GENERIC or custom kernel?

If custom, which IPFIREWALL_* options did you include?


----------



## sdad (Jan 4, 2011)

> GENERIC or custom kernel?
> 
> If custom, which IPFIREWALL_* options did you include?



Sorry..., I have 8.1-RELEASE, ISO. Installed as minimal, elected no ports at all, didn't even set up networking during install. Still awed at how fast FreeBSD went in!
The guide says that ipfw will work as a module, no need to compile unless I want NAT, which I don't, so I didn't elect to do the kernel recompile. I really need to do that soon, however.

I just sat down from the ipfw project, having succeeded in getting logging to happen. I ended up doing several things that were not referred to in the guide book or in the how-tos that are out there. (Revisions are a great way to make written material not necessarily spot on.)

I have notes on what I did and if anyone would find these of ("dubious") value, I'll share. Keep in mind my entry level stature.

Being new I guess that I can't indicate this post is solved, but it is.


----------



## phoenix (Jan 4, 2011)

I've marked it as solved.

Posting what you did to enable logging will add the info to the archives, so that future users with the same issue can search for it ... and find the answer.


----------



## sdad (Jan 4, 2011)

Here's some notes I have from install:


```
IBM Netfinity 4000 
2 500 MHZ PIII, 1 GB Ram, 2 9GB SCSI as 2 volumes,1 volume program partitions, 1 volume /var/log partition
FreeBSD 8, Minimal
IPFW Stateless Filter
SSH  Remove and do local admin only  admin port for remote logging

Using PPP over Ethernet (PPPoE)
WAN = PPPoE
LAN = 192.168.0.1
Admin = 192.168.23.1
Hostname = fw1.grand_ledge.us


At command prompt:
mkdir /var/log/ipfw
touch /var/log/ipfw/ipfw.log
chmod 700 /var/log/ipfw            # a directory needs the x bit to be traversable; 600 is for the file, not the directory
chmod 600 /var/log/ipfw/ipfw.log
mv /etc/rc.firewall /etc/rc.firewall_orig #did this to see how ipfw handles rules files


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/sysctl.conf. By adding these statements, logging will be enabled on future reboots:

net.inet.ip.fw.enable=1
net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/ppp/ppp.conf:

default:
  set log +debug Phase tun command   # remove +debug and clear /var/log/ppp.log when running correctly
  enable dns

frontier:
  set device PPPoE:fxp0
  set ifaddr 10.0.0.1/0 10.0.0.2/0
  set authname admin
  set authkey password
  set dial
  add default HISADDR
  set speed sync
  set mru 1492
  set mtu 1492
  set ctsrts off
  enable lqr


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/rc.conf file:


hostname=fw1.grand_ledge.us
gateway_enable="YES"

## Firewall ipfw
firewall_enable="YES"
#firewall_type="open"

##    *  open -- pass all traffic.
##    *  client -- will protect only this machine.
##    *  simple -- protect the whole network.
##    *  closed -- entirely disables IP traffic except for the loopback interface.
##    *  UNKNOWN -- disables the loading of firewall rules.
##    *  filename -- absolute path of file containing firewall rules.
## If firewall_type is set to either client or simple, the default rules found in /etc/rc.firewall are used.

firewall_script="/etc/ipfw.rules"
##    IPFW sample ruleset (found in /etc/rc.firewall)
## To get started cp /etc/rc.firewall /etc/ipfw.rules
## Do modification to ipfw.rules, not rc.firewall

firewall_logging="YES"
## log file: /var/log/ipfw/ipfw.log  must set each rule for log to happen

## NAT  No nat on this box--further downstream
#natd_enable="YES"
#natd_interface="fxp1"
#natd_flags="" 

## Admin interface
ifconfig_dc0="inet 192.168.23.1  netmask 255.255.255.0"

## LAN interface
ifconfig_fxp1="inet 192.168.0.1  netmask 255.255.255.0"

## WAN interface (PPPoE)
ppp_enable="YES"
ppp_mode="ddial"
#ppp_nat="YES" 
ppp_profile="frontier"

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/ppp/ppp.linkup:

MYADDR:
 delete all
 add 0 0 HISADDR

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/syslog.conf

At bottom add:

!ipfw
*.*				/var/log/ipfw/ipfw.log

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
/etc/newsyslog.conf

At bottom add:

/var/log/ipfw/ipfw.log		600	10	100	*	JC
```


----------
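The notes above are a by-hand procedure: create the log directory and file, point syslogd at them with a `!ipfw` program filter, and give newsyslog a rotation entry. The sysctl warnings in the first post come from ordering: `/etc/rc.d/sysctl` applies `/etc/sysctl.conf` before `/etc/rc.d/ipfw` loads `ipfw.ko`, so the `net.inet.ip.fw.*` OIDs do not exist yet; with `firewall_logging="YES"`, `rc.d/ipfw` itself sets `net.inet.ip.fw.verbose=1` after the module is loaded (that is the "Firewall logging enabled" line), while the kernel's "logging disabled" banner is printed at module load, before that sysctl is applied. The script below is an added example written for this page, not code from the thread or from FreeBSD: it performs the same set-up idempotently and includes a small checker that interprets `sysctl` output so the state can be verified after boot. The `ROOT` prefix is an assumption of the example so it can be dry-run against a scratch directory; the sample `sysctl` output is constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread): idempotent set-up of a dedicated
# ipfw log file on FreeBSD, following the steps in sdad's notes.
# ROOT is an assumption of this script: a prefix so the set-up can be rehearsed
# in a scratch directory. On the real box run as root with ROOT unset (empty).
set -e

# Append line $2 to file $1 only if that exact line is not already present,
# so running the script twice never duplicates configuration.
append_once() {
    file="$1"; line="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    grep -Fqx -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# $1 = root prefix ("" for a live system). Creates /var/log/ipfw/ipfw.log,
# the syslog.conf program filter and the newsyslog.conf rotation entry.
setup_ipfw_logging() {
    root="$1"
    logdir="$root/var/log/ipfw"
    logfile="$logdir/ipfw.log"

    # The directory must be 0700 (not 0600): without the x bit it cannot be
    # traversed. The file itself is 0600 so only root reads firewall logs.
    mkdir -p "$logdir"
    chmod 700 "$logdir"
    : >> "$logfile"
    chmod 600 "$logfile"

    # syslog.conf(5): "!ipfw" restricts the following selectors to messages
    # whose program name is ipfw; "!*" resets the filter afterwards so any
    # lines appended later are not captured by it. The path written into the
    # config is the real one; only where we write the file is prefixed.
    syslog_conf="$root/etc/syslog.conf"
    append_once "$syslog_conf" '!ipfw'
    append_once "$syslog_conf" "$(printf '*.*\t\t\t\t\t\t\t/var/log/ipfw/ipfw.log')"
    append_once "$syslog_conf" '!*'

    # newsyslog.conf(5): mode 600, keep 10 archives, rotate at 100 KB,
    # no time-based rotation (*), J = bzip2 compress, C = create if missing.
    append_once "$root/etc/newsyslog.conf" \
        "$(printf '/var/log/ipfw/ipfw.log\t\t600\t10\t100\t*\tJC')"
}

# Interpret the output of
#   sysctl net.inet.ip.fw.enable net.inet.ip.fw.verbose 2>&1
# read from stdin (so it can be exercised offline). Returns 0 when the
# firewall is enabled and verbose logging is on, 1 when either is 0, and
# 2 when an OID is missing, which is the state /etc/rc.d/sysctl sees when
# sysctl.conf is applied before ipfw.ko has been loaded.
ipfw_logging_status() {
    enable=""; verbose=""
    while IFS= read -r l; do
        case "$l" in
            net.inet.ip.fw.enable:*)  enable="${l##*: }" ;;
            net.inet.ip.fw.verbose:*) verbose="${l##*: }" ;;
            *unknown\ oid*)           return 2 ;;
        esac
    done
    [ -n "$enable" ] && [ -n "$verbose" ] || return 2
    [ "$enable" = 1 ] && [ "$verbose" = 1 ]
}

# Apply only when explicitly asked, e.g.:  ROOT=/tmp/rehearse sh setup.sh --apply
if [ "${1:-}" = "--apply" ]; then
    setup_ipfw_logging "${ROOT:-}"
fi
```

After a reboot on the live system, `sysctl net.inet.ip.fw.enable net.inet.ip.fw.verbose 2>&1 | ipfw_logging_status` returning 0 confirms that `rc.d/ipfw` applied the verbose setting even though `rc.d/sysctl` warned about the missing OIDs earlier in the boot; a return of 2 at that point would mean the module never loaded.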

