From: "Dean Weimer" <dweimer@orscheln.com>
To: freebsd-questions@freebsd.org
Date: Fri, 5 Dec 2008 09:07:23 -0600
Subject: IPFilter section in Handbook needs updating

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that the ipmon and syslog information under the ipfilter section of the handbook is incorrect. The section reads:

-----snip-----
31.5.7 IPMON Logging

Syslogd uses its own special method for segregation of log data. It uses special groupings called "facility" and "level". IPMON in -Ds mode uses security as the "facility" name. All IPMON logged data goes to security. The following levels can be used to further segregate the logged data if desired:

LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short

To set up IPFILTER to log all data to /var/log/ipfilter.log, you will need to create the file. The following command will do that:

# touch /var/log/ipfilter.log

The syslog function is controlled by definition statements in the /etc/syslog.conf file. The syslog.conf file offers considerable flexibility in how syslog will deal with system messages issued by software applications like IPF. Add the following statement to /etc/syslog.conf:

security.* /var/log/ipfilter.log

The security.* means to write all the logged messages to the coded file location.

To activate the changes to /etc/syslog.conf you can reboot or bump the syslog task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload

Do not forget to change /etc/newsyslog.conf to rotate the new log you just created above.
-----snip-----

In trying to configure this I found that ipmon -Dsa doesn't log to security, but logs to local0 instead. Reading the man page for ipmon does in fact state this. However, it also lists the -L option as being able to change this default behavior. I tried ipmon -DSa -L security; it accepts this, but doesn't actually change the logging to use security. It still only outputs to the syslog using local0. I also tried using ipmon -DSa -L local7 as well; it still outputs to local0. It was easy enough to modify my syslog.conf to output local0.* as well as security.* to the /var/log/security file. However, it would be greatly appreciated if someone that actually understands what's going on here could get this info updated. It would have saved me some time, as well as, I am sure, some other people in the future. Of course it's always possible I am missing something simple here that is causing this discrepancy; please do inform me if I did.

It's probably worth mentioning that I am starting ipmon using the rc.conf file with ipmon_enable="YES" and ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script actually changes the default behavior of ipmon in some way, though I didn't see anything in it that should. And ps wwaux | grep ipmon does display the process running with the flags exactly as stated on the ipmon_flags line of the /etc/rc.conf file.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
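An added example, not code from the post above or from the FreeBSD Handbook: a small sh script that checks a FreeBSD-style syslog.conf for whether a given facility is routed to a given log file, so a setup like the one described can be verified offline against both the facility the Handbook names (security) and the one ipmon logs to by default (local0). The function names and the sample syslog.conf are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or the FreeBSD Handbook:
# check a FreeBSD-style syslog.conf for whether a facility is routed to a
# log file, so an ipmon setup can be verified against both the facility the
# Handbook names (security) and the one ipmon uses by default (local0).
# Function names and the sample syslog.conf are constructed for this example.

# routes_to CONF FACILITY FILE: return 0 if a selector line in CONF sends
# FACILITY to FILE, 1 otherwise. Within one line, later selectors override
# earlier ones, so "*.notice;authpriv.none" does not route authpriv.
routes_to() {
    conf=$1; fac=$2; target=$3
    while read -r selectors action; do
        # skip blanks, comments and FreeBSD program/host blocks (!prog, +host, -host)
        case "$selectors" in ''|'#'*|'!'*|'+'*|'-'*) continue ;; esac
        [ "$action" = "$target" ] || continue
        hit=0; rest="$selectors;"
        while [ -n "$rest" ]; do
            sel=${rest%%;*}; rest=${rest#*;}        # one "fac1,fac2.level" selector
            case ",${sel%.*}," in                   # facility list before the last '.'
                *",$fac,"*|*",*,"*)                 # names FACILITY, or the "*" wildcard
                    if [ "${sel##*.}" = none ]; then hit=0; else hit=1; fi ;;
            esac
        done
        [ "$hit" -eq 1 ] && return 0
    done < "$conf"
    return 1
}

# check_ipmon_routes CONF FILE: report which of the two facilities at issue
# reach FILE; return 0 only if local0, ipmon's actual default, is covered.
check_ipmon_routes() {
    for f in security local0; do
        if routes_to "$1" "$f" "$2"; then echo "$f -> $2"; else echo "$f NOT routed to $2"; fi
    done
    routes_to "$1" local0 "$2"
}

# Constructed sample: the Handbook's security.* line plus the local0.* line
# the poster had to add (plus a typical catch-all line for contrast).
SAMPLE_CONF=${TMPDIR:-/tmp}/syslog.conf.example.$$
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
*.notice;authpriv.none;kern.debug;mail.crit    /var/log/messages
security.*                                     /var/log/security
local0.*;security.*                            /var/log/ipfilter.log
EOF

check_ipmon_routes "$SAMPLE_CONF" /var/log/ipfilter.log
```

Run it against a real /etc/syslog.conf by passing that path instead of the sample; a non-zero exit from check_ipmon_routes means messages sent to local0 would not reach the file.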