From aa4b126086dab0facfcc6f05188dac3790860af2 Mon Sep 17 00:00:00 2001 From: Tom Rhodes Date: Mon, 11 Mar 2019 15:04:02 +0000 Subject: [PATCH] Note that, even if logging is enabled in rc.conf, IPFW rules still need the "log" keyword to create logs. Reviewed by: bcr Differential Revision: https://reviews.freebsd.org/D19513 --- en_US.ISO8859-1/books/handbook/firewalls/chapter.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml index 088ce6deb7..59bbec4b28 100644 --- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml @@ -1697,6 +1697,14 @@ block drop out quick on $ext_if from any to $martians &prompt.root; sysrc firewall_logging="YES" + + Only firewall rules with the option will + be logged. The default rules do not include this option and it + must be manually added. Therefor it is advisable that the default + ruleset is edited for logging. In addition, log rotation may be + desired if the logs are stored in a separate file. + + There is no /etc/rc.conf variable to set logging limits. To limit the number of times a rule is logged per connection attempt, specify the number using this
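Review bot: In the added paragraph, "Therefor it is advisable" should read "Therefore", and as the hunk appears here the first sentence ("Only firewall rules with the option will be logged") does not name the option, so check that the "log" keyword from the commit message is actually present in the text. The paragraph would also be more useful if it said which default ruleset the reader is expected to edit and pointed to where rotation is configured, since "log rotation may be desired" gives an operator nothing to act on. As written, a reader who runs sysrc firewall_logging="YES" and stops there gets no log entries from the default rules, so consider stating that consequence directly rather than leaving it implied.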