Date: Fri, 5 Dec 2008 09:07:23 -0600
From: "Dean Weimer" <dweimer@orscheln.com>
To: <freebsd-questions@freebsd.org>
Subject: IPFilter section in Handbook needs updating
Message-ID: <CACC65656ED5C44FBA651F3D2B99B8081A22C23A@neuman.orscheln.oi.local>
I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that the ipmon and syslog information under the ipfilter section of the handbook is incorrect. The section reads:

-----snip-----

31.5.7 IPMON Logging

Syslogd uses its own special method for segregation of log data. It uses special groupings called "facility" and "level". IPMON in -Ds mode uses security as the "facility" name. All IPMON logged data goes to security. The following levels can be used to further segregate the logged data if desired:

LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short

To set up IPFILTER to log all data to /var/log/ipfilter.log, you will need to create the file. The following command will do that:

# touch /var/log/ipfilter.log

The syslog function is controlled by definition statements in the /etc/syslog.conf file. The syslog.conf file offers considerable flexibility in how syslog will deal with system messages issued by software applications like IPF. Add the following statement to /etc/syslog.conf:

security.* /var/log/ipfilter.log

The security.* means to write all the logged messages to the coded file location.

To activate the changes to /etc/syslog.conf you can reboot or bump the syslog task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload

Do not forget to change /etc/newsyslog.conf to rotate the new log you just created above.

-----snip-----

In trying to configure this I found that ipmon -Dsa doesn't log to security, but logs to local0 instead. Reading the man page for ipmon does in fact state this. However, it also lists the -L option as being able to change this default behavior. I tried ipmon -DSa -L security; it accepts this, but doesn't actually change the logging to use security. It still only outputs to the syslog using local0. I also tried using ipmon -DSa -L local7 as well, still outputs to local0. It was easy enough to modify my syslog.conf to output the local0.* as well as security.* to the /var/log/security file. However, it would be greatly appreciated if someone that actually understands what's going on here could get this info updated. It would have saved me some time, as well as, I am sure, some other people in the future. Of course it's always possible I am missing something simple here that is causing this discrepancy; please do inform me if I did. It's probably worth mentioning that I am starting ipmon using the rc.conf file with ipmon_enable="YES" and ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script actually changes the default behavior of ipmon in some way, though I didn't see anything in it that should. And ps wwaux | grep ipmon does display the process running with the flags exactly as stated on the ipmon_flags line of the /etc/rc.conf file.

Thanks,
    Dean Weimer
    Network Administrator
    Orscheln Management Co
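As an added illustration (not part of Dean's message or the Handbook text he quotes): a syslog.conf fragment that routes both the facility the Handbook names and the local0 facility ipmon was actually observed using to the same file, together with the newsyslog.conf rotation entry the Handbook reminds you to add. The rotation parameters (mode, count, size, flags) are assumed values chosen for the example, not taken from the page.

```conf
# /etc/syslog.conf (added example, not from the Handbook or the message)
# The Handbook's line only catches messages ipmon tags with the security facility:
security.*      /var/log/ipfilter.log
# Observed behaviour in the message: ipmon -DSa logs via local0, so route it as well,
# otherwise the new log file stays empty while the entries land elsewhere:
local0.*        /var/log/ipfilter.log

# /etc/newsyslog.conf: rotate the new log (mode, count, size and flags are assumed values)
# logfilename             mode  count  size  when  flags
/var/log/ipfilter.log     600   7      100   *     JC
```

After editing, tell syslogd to re-read its configuration with /etc/rc.d/syslogd reload, as the Handbook section describes.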