Date: Tue, 13 Dec 2005 21:16:20 -0500
From: Parv
To: Rob Lytle
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter question
Message-ID: <20051214021620.GA31453@holestein.holy.cow>
In-Reply-To: <20051213164227.0cb04489.europa100@comcast.net>

in message <20051213164227.0cb04489.europa100@comcast.net>,
wrote Rob Lytle thusly...
>
> > > > > > Here's my setup: ...
> > > in /etc/syslog.conf
> >
> > yes, there is no other security.* facility, actually i got it
> > working

Please keep the attribution & attribute the respective authors.

> I have the problem that ipmon logs to /var/log/messages and nothing
> goes to /var/log/ipf.log.  Even after using the info in this thread.
> I am using local0 as was suggested for FreeBSD 6.0.  Earlier I was
> using security.* which didn't work either.  I suppose that at the
> least, I need to remove something from the /var/log/messages line.
> ...
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
> local0.* /var/log/ipf.log

Like "authpriv.none" to stop auth messages going into
"/var/log/messages", you will need to add "local0.none" (or replace
"local0" w/ whatever actual facility is used) after "*.notice;".

According to ipmon(8) on 5.4, passed & logged packets are logged w/
level of 'notice'.  So you should be seeing only the passed packets
in '/var/log/messages'.  Rest of the messages will go wherever
(local0|security|*).(info|warn|err) messages go.

Or, you could ...

  - give a file name to ipmon(8) to log messages in
  - remove the "-s" option so as not to log via syslogd(8)
  - put the .none in "/etc/syslog.conf", to avoid other files
    receiving ipf messages.
  - adjust /etc/newsyslog.conf to properly rotate the ipmon log
    files.

Don't forget to read up on syslog.conf(5), newsyslog.conf(5), and
ipmon(8) in any case.

  - Parv
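
Added example, not part of the original message or of syslogd itself: a simplified Python model of syslog.conf(5) selector matching, run over the two lines quoted above, showing which files receive a local0.notice message before and after "local0.none" is added. The helper names parse_selectors and destinations are hypothetical, and comparison flags and program/host blocks are left out.

```python
# Added example: simplified model of syslog.conf(5) selector matching.
# Comparison flags (=, !, <, >) and program/host blocks are not modelled.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# The two lines quoted in the message.
BEFORE = """\
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
local0.* /var/log/ipf.log
"""
# Same lines with "local0.none" added after "*.notice;" as the reply suggests.
AFTER = BEFORE.replace("*.notice;", "*.notice;local0.none;", 1)

def parse_selectors(field):
    """Map facility -> least severe level index accepted (None = excluded).
    Selectors apply left to right, so a later one overrides an earlier one."""
    mask = {}
    for selector in field.split(";"):
        facilities, level = selector.rsplit(".", 1)
        level = ALIASES.get(level, level)
        if level == "none":
            threshold = None
        elif level == "*":
            threshold = len(LEVELS) - 1
        else:
            threshold = LEVELS.index(level)
        for facility in facilities.split(","):
            if facility == "*":
                mask = {"*": threshold}  # wildcard resets every facility
            else:
                mask[facility] = threshold
    return mask

def destinations(conf, facility, level):
    """Return the actions (log files) that would receive facility.level."""
    severity = LEVELS.index(ALIASES.get(level, level))
    hits = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        field, action = line.split(None, 1)
        mask = parse_selectors(field)
        threshold = mask[facility] if facility in mask else mask.get("*")
        if threshold is not None and severity <= threshold:
            hits.append(action)
    return hits
```

Calling destinations(BEFORE, "local0", "notice") and destinations(AFTER, "local0", "notice") shows the difference; pass "security" or another facility name to check a different setup.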