Date: Fri, 5 Dec 2008 08:07:19 -0800
From: Chris <eagletree@hughes.net>
To: Dean Weimer <dweimer@orscheln.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFilter section in Handbook needs updating
Message-ID: <EFE45FC1-5813-47E8-949D-B05B6E9BEF54@hughes.net>
In-Reply-To: <CACC65656ED5C44FBA651F3D2B99B8081A22C23A@neuman.orscheln.oi.local>
References: <CACC65656ED5C44FBA651F3D2B99B8081A22C23A@neuman.orscheln.oi.local>

On Dec 5, 2008, at 7:07 AM, Dean Weimer wrote:

> I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and
> noticed that the ipmon and syslog information under the ipfilter
> section of the handbook is incorrect.
>

A couple of years back, I submitted a one-liner to some email address
of a documentation maintainer. I just looked on the site and couldn't
find this address. Instead, it said if you have a change, it suggested
putting in a PR. It sounds like you should create a diff of the
current wording and your recommended change. Here is where I was looking:

http://www.freebsd.org/docproj/submitting.html

> The section reads:
> -----snip-----
> 31.5.7 IPMON Logging
> Syslogd uses its own special method for segregation of log data. It
> uses special groupings called "facility" and "level". IPMON in -Ds
> mode uses security as the "facility" name. All IPMON logged data
> goes to security. The following levels can be used to further
> segregate the logged data if desired:
> LOG_INFO - packets logged using the "log" keyword as the action
> rather than pass or block.
> LOG_NOTICE - packets logged which are also passed
> LOG_WARNING - packets logged which are also blocked
> LOG_ERR - packets which have been logged and which can be
> considered short
> To setup IPFILTER to log all data to /var/log/ipfilter.log, you
> will need to create the file. The following command will do that:
> # touch /var/log/ipfilter.log
> The syslog function is controlled by definition statements in the
> /etc/syslog.conf file. The syslog.conf file offers considerable
> flexibility in how syslog will deal with system messages issued by
> software applications like IPF.
> Add the following statement to /etc/syslog.conf:
> security.* /var/log/ipfilter.log
> The security.* means to write all the logged messages to the coded
> file location.
> To activate the changes to /etc/syslog.conf you can reboot or bump
> the syslog task into re-reading /etc/syslog.conf by running
> /etc/rc.d/syslogd reload
> Do not forget to change /etc/newsyslog.conf to rotate the new log
> you just created above.
> -----snip-----
>
> In trying to configure this I found that ipmon -Dsa doesn't log to
> security, but logs to local0 instead. Reading the man page for
> ipmon does in fact state this. However it also lists the -L option
> as being able to change this default behavior, I tried ipmon -DSa
> -L security, it accepts this, but doesn't actually change the
> logging to use security. It still only outputs to the syslog using
> local0, I also tried using ipmon -DSa -L local7 as well, still
> outputs to local0. It was easy enough to modify my syslog.conf to
> output the local0.* as well as security.* to the /var/log/security
> file. However it would be greatly appreciated if someone that
> actually understands what's going on here could get this info
> updated. It would have saved me some time, as well as I am sure
> some other people in the future. Of course it's always possible I
> am missing something simple here that is causing this discrepancy,
> please do inform me if I did. It's probably worth mentioning that
> I am starting ipmon using the rc.conf file with ipmon_enable="YES"
> and ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script
> actually changes the default behavior of ipmon in some way, though
> I didn't see anything in it that should. And ps wwaux | grep ipmon
> does display the process running with the flags exactly as stated
> on the ipmon_flags line of the /etc/rc.conf file.
>
> Thanks,
> Dean Weimer
> Network Administrator
> Orscheln Management Co
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe@freebsd.org"
>