IPFW ipfw in kernel nat logging

Does anyone have a pointer to using the log option with in kernel nat in ipfw?

If I add the log option to the config it is accepted, e.g.

Code:
ipfw nat 1 config \
   if igc0 \
   same_ports \
   unreg_only \
   log \
   redirect_port tcp alice:ssh ralph:ssh \
   redirect_port tcp alice:https ralph:https

But then I try to look at the log

Code:
ipfw nat 1 show log

I get an error message "ipfw: unknown redir mode".

Code:
ipfw nat 1 show config
works as expected.

If I try looking at the log without adding it to the config I get the more reasonable error of "ipfw: Error getting nat 1 instance info: No such file or directory"

Apparently my google-fu isn't up to the task of finding an answer.
 
I believe that ipfw sends all of its log messages to syslog ("security" facility).

So assuming you are using the default syslogd configuration, and if this sysctl is set:

sysctl net.inet.ip.fw.verbose=1

then you should be able to see all ipfw log messages by looking in /var/log/security

Note that once the ipfw logamount for any given rule has been reached, ipfw will stop logging new messages until the ipfw counters are reset or the logamount parameter is changed.

If you would prefer to capture live packets that match any ipfw "log" rules, you could change net.inet.ip.fw.verbose=0, create an "ipfw0" pseudo-device (via ifconfig ipfw0 create), then use tcpdump -i ipfw0 (or other BPF application such as wireshark).

FWIW, I have never tried to use ipfw logging for its kernel NAT to see what ipfw writes to the log specifically for NAT. I don't believe there is any way to view the current NAT mappings, and I wished there was such a feature! :(

Hope this helps..
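The logging setup the reply above describes, turned into a script as an added example (not code from the thread or from the FreeBSD project). The setup functions assume a FreeBSD host with ipfw loaded and are meant to be run as root; the parsing functions only need POSIX sh and awk and run here on constructed sample lines whose addresses are documentation ranges, not a real capture. The field layout the parser expects (rule, action, protocol, source, destination, direction, "via", interface) is the common shape of an ipfw syslog line and is an assumption of this example.

```shell
#!/bin/sh
# Added example, not code from the thread. The setup functions assume a FreeBSD
# host with ipfw loaded and are meant to be run as root; the parsing functions
# work on any POSIX sh/awk and run here on constructed sample lines.

# Send "log" hits to syslog (the default path, landing in /var/log/security).
enable_syslog_logging() {
    sysctl net.inet.ip.fw.verbose=1
    # Global per-rule cap; a rule's own "logamount N" overrides it (0 = unlimited).
    sysctl net.inet.ip.fw.verbose_limit=0
}

# Once a rule has hit its logamount, logging stops until the log counters are
# reset (or the rule's logamount is changed).
reset_log_counters() {
    ipfw resetlog
}

# Alternative: raw copies of logged packets on the ipfw0 BPF pseudo-interface.
enable_bpf_logging() {
    sysctl net.inet.ip.fw.verbose=0
    ifconfig ipfw0 create 2>/dev/null || true
    echo "now run: tcpdump -ni ipfw0   (or point wireshark at ipfw0)"
}

# Constructed sample lines in the shape ipfw writes to /var/log/security;
# addresses are documentation ranges, not a real capture.
sample_security_log() {
    cat <<'EOF'
Mar  3 10:15:01 gw kernel: ipfw: 100 Accept TCP 192.0.2.10:51234 198.51.100.5:22 in via igc0
Mar  3 10:15:02 gw kernel: ipfw: 65000 Deny TCP 203.0.113.7:44321 198.51.100.5:23 in via igc0
Mar  3 10:15:03 gw kernel: ipfw: 65000 Deny UDP 203.0.113.8:5353 198.51.100.5:5353 in via igc0
Mar  3 10:15:04 gw kernel: ipfw: 100 Accept ICMP:8.0 192.0.2.10 198.51.100.5 in via igc0
EOF
}

# Reduce each ipfw line to: rule action proto src dst direction iface
parse_ipfw_log() {
    awk '
        / ipfw: / {
            sub(/^.* ipfw: /, "")          # drop the syslog prefix; re-splits $0
            printf "%s %s %s %s %s %s %s\n", $1, $2, $3, $4, $5, $6, $8
        }'
}

# Number of Deny hits in the input (what you would watch for on a NAT gateway).
denied_count() {
    parse_ipfw_log | awk '$2 == "Deny" { c++ } END { print c + 0 }'
}

case "${1:-demo}" in
    syslog) enable_syslog_logging ;;
    bpf)    enable_bpf_logging ;;
    reset)  reset_log_counters ;;
    demo)   sample_security_log | parse_ipfw_log
            printf 'denied: %s\n' "$(sample_security_log | denied_count)" ;;
esac
```

Run it with `syslog`, `bpf` or `reset` on the gateway to apply the corresponding step; with no argument it parses the constructed sample so the awk can be checked without touching a live firewall. Real log files can be fed with `parse_ipfw_log < /var/log/security`.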
 
Thank you for the response. The normal ipfw logging is working fine, it's just in relation to the NAT log.

I believe it's supposed to show some stats.

In a post from 2016 an example from 10.3 is shown as

Code:
ipfw nat 1 show
nat 1: icmp=0, udp=0, tcp=0, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=0

ipfw nat 2 show
nat 2: icmp=0, udp=0, tcp=0, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=0

It also shows the same message I'm seeing from 11.0. I think that span is where the syntax changed from just "show" to "show config" or "show log"
 
Based on peeking at ipfw and kernel libalias source code (see /usr/src/sys/netinet/libalias/alias_db.c, function ShowAliasStats()) -- I believe the log message you seek is formatted/updated by kernel libalias there. It looks to me like ipfw nat show log simply prints the current contents of a libalias kernel memory area, and it only gets updated when a NAT association is created or deleted, so if no packets have gone through your NAT, that might explain why you're not seeing what you expect.

I just tried setting up a kernel NAT on a 14.2-RELEASE system, and I do see the expected stats when I run ipfw nat show log after running some packets through my ipfw kernel nat rules. But curiously, if I change nat to nat 1 in that command (i.e. ipfw nat 1 show log), then it shows the NAT config instead of the NAT log, so there might be some kind of bug here.

Have you tried running packets through your configured kernel NAT, then only after that, tried an ipfw nat show log to see if the stats appear?
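The point made in the reply above (the libalias stats area only changes once an association is created, so all zeros means no traffic rather than broken logging), as an added example that is not code from the thread or from FreeBSD. The setup function assumes a FreeBSD gateway with ipfw kernel NAT and root; the parsing functions run anywhere and work on a constructed sample in the format quoted earlier in the thread. The interface name igc0, rule number 100 and the counter values are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread. The setup function assumes a FreeBSD
# host with ipfw kernel NAT and must run as root; the parsing functions run
# anywhere on constructed sample output.

# On the gateway: configure the instance with "log", hook it into the ruleset,
# then read the libalias counters only after traffic has crossed the NAT.
# The thread reports that the numbered form (ipfw nat 1 show log) fails, so the
# unnumbered form is used and the instance is selected by the parser below.
setup_and_show_nat_stats() {
    ipfw nat 1 config if igc0 same_ports unreg_only log
    ipfw add 100 nat 1 ip from any to any via igc0
    echo "push some traffic through igc0 from a NATed host, then:"
    ipfw nat show log
}

# Constructed sample in the format quoted earlier in the thread (no real capture):
# instance 1 has seen nothing yet, instance 2 has active associations.
sample_nat_log() {
    cat <<'EOF'
nat 1: icmp=0, udp=0, tcp=0, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=0
nat 2: icmp=2, udp=17, tcp=5, sctp=0, pptp=0, proto=0, frag_id=0 frag_ptr=0 / tot=24
EOF
}

# Flatten "nat N: k=v, k=v ... / tot=v" into rows of: instance key value
parse_nat_log() {
    awk '
        /^nat [0-9]+:/ {
            inst = $2; sub(/:$/, "", inst)
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)           # strip trailing comma
                if (split(f, kv, "=") == 2) print inst, kv[1], kv[2]
            }
        }'
}

# Succeed (exit 0) only if instance $1 reports tot > 0, i.e. the stats area has
# been updated by at least one association; all-zero output means no packets
# have crossed that instance, not that logging is broken.
nat_has_traffic() {
    parse_nat_log | awk -v n="$1" \
        '$1 == n && $2 == "tot" { seen = 1; tot = $3 } END { exit !(seen && tot > 0) }'
}

case "${1:-demo}" in
    live)  setup_and_show_nat_stats ;;
    demo)  for n in 1 2; do
               if sample_nat_log | nat_has_traffic "$n"; then
                   echo "nat $n: traffic seen"
               else
                   echo "nat $n: counters are zero, send packets through it first"
               fi
           done ;;
esac
```

On the gateway, `ipfw nat show log | nat_has_traffic 1` (after sourcing the script) gives a yes/no you can put in a health check; with no argument the script runs the same check against the constructed sample.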
 
Interesting. Thanks for trying it!

It does work if I do an ipfw nat show log but fails with the redir message if I do ipfw nat 1 show log
 