From owner-freebsd-questions@FreeBSD.ORG Wed Dec 1 02:29:18 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <41ABDAB6.5030906@comcast.net>
Date: Mon, 29 Nov 2004 18:28:06 -0800
From: FMorales <altf2o@comcast.net>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.2) Gecko/20041016
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Problems logging w/ IPF on FreeBSD 5.3-STABLE
X-BeenThere: freebsd-questions@freebsd.org
List-Id: User questions
X-List-Received-Date: Wed, 01 Dec 2004 02:29:18 -0000

Hello all, I recently installed FreeBSD 5.3 and am so far extremely pleased with it. I read the section in the handbook that discussed setting up IPF w/ FreeBSD 5.x, and also how to turn on logging and such. Well, IPF works perfectly, however my logging is NOT going where it's supposed to. I used the same files the tutorial did, that is: /var/log/ipfilter.log etc. I only "log" for the "block" rules, however the data that's supposed to be written to my log file is NOT being written there at all. My messages seem to be written to /var/log/security and /var/log/messages instead of /var/log/ipfilter.log.

The important thing is I found where things are being logged, however I was so stoked to get everything set up and running, then this problem. Now it's just a matter of principle and seeing where I went wrong. I offer the following list of configuration settings, and information about my current setup and system. If anyone needs more information please ask, I will be more than happy to provide it. Any help or a point in the right direction would be greatly appreciated. I'm sure it's something very silly I've done and am just overlooking. Thanks in advance all.

FMorales...

System: FreeBSD 5.3-RELEASE
AMD Athlon XP 1600+
512MB RAM

-- Alright, let's run down the list, first things first. I decided
-- to recompile my kernel w/ the needed options to actually build
-- IPF etc. into the kernel. I used a simple config named "Test";
-- here is the output showing the needed 'options' are there:

bash-2.05b$ cat /usr/src/sys/i386/conf/Test | grep "IPFILTER" | head -3
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

-- How I built and installed the kernel was as follows:

bash-2.05b$ cd /usr/src
bash-2.05b$ make buildkernel KERNCONF=Test
bash-2.05b$ make installkernel KERNCONF=Test

-- After which I rebooted, and everything went ok.
-- Next we make sure we're running the correct kernel:

bash-2.05b$ uname -i
Test

-- Let's make sure our log file exists:

bash-2.05b$ ls -la /var/log/ipfil*
-rw-r--r-- 1 root wheel 0 Nov 27 14:29 /var/log/ipfilter.log

-- Ok, let's be sure we added the needed options to /etc/rc.conf:

bash-2.05b$ cat /etc/rc.conf | grep "ip"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"

-- Let's make sure we have the correct values in /etc/syslog.conf:

bash-2.05b$ cat /etc/syslog.conf | grep "local"
local0.* /var/log/ipfilter.log

-- This entry is the FIRST one in /etc/syslog.conf. (NOTE: Using
-- local0.* OR Local0.* has no effect on the outcome)

-- We also told it to rotate our logs every day at midnight:

bash-2.05b$ cat /etc/newsyslog.conf | grep "ipfilter"
/var/log/ipfilter.log 600 15 * $D0 JN

Ok, all config looked ok. Next I remembered to restart syslogd. I first did it with: kill -HUP after getting a valid pid. I have ALSO rebooted several times just in case, no dice. Next I read the syslogd manpage and restarted syslogd using: syslogd -s -v -v to get verbose logging. As I said before, it DOES log to both /var/log/security and /var/log/messages. Now the output from a blocked packet was this: (I block telnet both ways, so when I try to telnet this is what gets written)

Nov 29 17:47:01 altf2o ipmon[177]: 17:47:00.419095 rl0 @0:19 b x.x.x.x,62902 -> z.z.z.z,23

So it's apparent "security.*" in /etc/syslog.conf is picking it up, but I'm not sure why, if it should be coming in to 'syslogd' as "local0.*" according to the Handbook. (Note: The output in BOTH /var/log/security and /var/log/messages is identical)

Lastly we check 'ipmon' to be sure it's started and with the correct options:

bash-2.05b$ ps -aux | grep "ipmon" | head -1
root 177 0.0 0.3 1856 1400 ?? Ss 5:52PM 0:00.01 ipmon -Ds

*whew* That's it, hopefully that's enough for someone to spot my (I'm sure silly) mistake. Thanks again all...
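Whichever file the lines end up in, the ipmon record shown in the message has a fixed shape (timestamp, interface, @group:rule, action letter, src,port -> dst,port). The parser below is an added example, not part of the original post or of ipmon itself; the syslog prefix format and the field regex are assumptions based on the single line quoted above, and the sample log lines use constructed RFC 5737 addresses.

```python
import re
from collections import Counter

# Assumed ipmon record layout, modelled on the one line quoted in the post:
#   HH:MM:SS.usec IFACE @GROUP:RULE ACTION SRC,SPORT -> DST,DPORT [PR proto ...]
# Action letters: 'b' = blocked, 'p' = passed (others are ignored here).
IPMON_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>\S)\s+"
    r"(?P<src>[0-9.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9.]+),(?P<dport>\d+)"
)
# Syslog prefix written by syslogd: "Nov 29 17:47:01 host ipmon[177]: ..."
SYSLOG_PREFIX_RE = re.compile(r"^.*?\bipmon\[\d+\]:\s+")

# Constructed sample, in the form the post reports seeing in /var/log/security.
SAMPLE_LOG = """\
Nov 29 17:47:01 altf2o ipmon[177]: 17:47:00.419095 rl0 @0:19 b 192.0.2.10,62902 -> 198.51.100.5,23 PR tcp len 20 60 -S IN
Nov 29 17:47:05 altf2o ipmon[177]: 17:47:04.118820 rl0 @0:19 b 192.0.2.10,62903 -> 198.51.100.5,23 PR tcp len 20 60 -S IN
Nov 29 17:48:12 altf2o ipmon[177]: 17:48:11.903311 rl0 @0:7 p 192.0.2.10,50120 -> 198.51.100.5,22 PR tcp len 20 60 -S IN
Nov 29 17:48:30 altf2o ipmon[177]: 17:48:29.000100 rl0 @0:21 b 203.0.113.4,40000 -> 198.51.100.5,135 PR tcp len 20 48 -S IN
Nov 29 17:49:00 altf2o syslogd: restart
"""

def parse_ipmon_line(line):
    """Return a dict of fields for one ipmon record, or None for non-ipmon lines.

    Works both on syslog-prefixed lines and on raw ipmon output (no prefix).
    """
    body = SYSLOG_PREFIX_RE.sub("", line.rstrip("\n"), count=1)
    m = IPMON_RE.match(body)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def blocked_by_dport(lines):
    """Count blocked ('b') records per destination port, skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is not None and rec["action"] == "b":
            counts[rec["dport"]] += 1
    return counts

if __name__ == "__main__":
    for port, n in sorted(blocked_by_dport(SAMPLE_LOG.splitlines()).items()):
        print(f"dport {port}: {n} blocked")
```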