As the main part of the IPFW system lives in the kernel, you will
need to add one or more options to your kernel configuration file,
depending on what facilities you want, and recompile your kernel. See
reconfiguring the kernel for more details on how to recompile your
kernel.
There are currently three kernel configuration options relevant to IPFW:

Compiles into the kernel the code for packet filtering.

Enables code to allow logging of packets through syslogd(8). Without
this option, even if you specify that packets should be logged in the
filter rules, nothing will happen.

Limits the number of packets logged through syslogd(8) on a per entry
basis. You may wish to use this option in hostile environments in which
you want to log firewall activity, but do not want to be open to a
denial of service attack via syslog flooding.

When a chain entry reaches the packet limit specified, logging is
turned off for that particular entry. To resume logging, you will need
to reset the associated counter using the ipfw(8) utility:

    ipfw zero 4500

where 4500 is the chain entry you wish to continue logging.
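
The following script is an added example, not part of the original text: it finds logging entries whose packet counter has reached the limit and prints the matching ipfw zero commands for review. It assumes the counter shown by ipfw -a list (entry number, packets, bytes, rule) is the one the limit applies to; the LIMIT value, the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: find "log" entries that have stopped logging because their
# packet counter reached the per-entry logging limit.

# Assumed value; use the limit your kernel was actually built with.
LIMIT=100

# Constructed sample in `ipfw -a list` layout: entry, packets, bytes, rule.
sample_rules() {
cat <<'EOF'
01000    52    4160 allow ip from any to any via lo0
04000    37    2220 deny log tcp from any to any 23
04500   100    6000 deny log ip from any to any
65535     0       0 deny ip from any to any
EOF
}

# Read `ipfw -a list` output on stdin; $1 is the limit.
# Print the number of every entry that carries the "log" keyword and whose
# packet count is at or above the limit.
exhausted_log_rules() {
    awk -v limit="$1" '
        $2 ~ /^[0-9]+$/ && $2 + 0 >= limit + 0 {
            for (i = 4; i <= NF; i++)
                if ($i == "log") { print $1 + 0; break }
        }'
}

# Print the reset commands instead of running them, so an operator can
# check why an entry hit its limit before logging is resumed.
reset_commands() {
    exhausted_log_rules "$1" | while read -r n; do
        echo "ipfw zero $n"
    done
}

# On a live system: ipfw -a list | reset_commands "$LIMIT"
sample_rules | reset_commands "$LIMIT"
```

Zeroing an entry also discards its accounting counts, so record them first if you rely on them.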
Previous versions of FreeBSD contained an IPFIREWALL_ACCT
option. This is now obsolete as the firewall code automatically
includes accounting facilities.