From: G magicman
Reply-To: gwg7webbcom@yahoo.com
To: freebsd-questions@freebsd.org, Dean Weimer
Date: Fri, 5 Dec 2008 09:25:28 -0800 (PST)
Subject: Re: IPFilter section in Handbook needs updating
Message-ID: <661217.76488.qm@web52202.mail.re2.yahoo.com>
List-Id: User questions <freebsd-questions@freebsd.org>
And incomplete. Yes, I agree that the doc does need to be updated and examples (more) need to be added.

--- On Fri, 12/5/08, Dean Weimer wrote:

From: Dean Weimer
Subject: IPFilter section in Handbook needs updating
To: freebsd-questions@freebsd.org
Date: Friday, December 5, 2008, 10:07 AM

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that the ipmon and syslog information under the ipfilter section of the handbook is incorrect.

The section reads:

-----snip-----
31.5.7 IPMON Logging

Syslogd uses its own special method for segregation of log data. It uses special groupings called "facility" and "level". IPMON in -Ds mode uses security as the "facility" name. All IPMON logged data goes to security. The following levels can be used to further segregate the logged data if desired:

LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short

To set up IPFILTER to log all data to /var/log/ipfilter.log, you will need to create the file. The following command will do that:

# touch /var/log/ipfilter.log

The syslog function is controlled by definition statements in the /etc/syslog.conf file. The syslog.conf file offers considerable flexibility in how syslog will deal with system messages issued by software applications like IPF.

Add the following statement to /etc/syslog.conf:

security.* /var/log/ipfilter.log

The security.* means to write all the logged messages to the coded file location.

To activate the changes to /etc/syslog.conf you can reboot or bump the syslog task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload

Do not forget to change /etc/newsyslog.conf to rotate the new log you just created above.
-----snip-----

In trying to configure this I found that ipmon -Dsa doesn't log to security, but logs to local0 instead. Reading the man page for ipmon does in fact state this. However, it also lists the -L option as being able to change this default behavior. I tried ipmon -DSa -L security; it accepts this, but doesn't actually change the logging to use security. It still only outputs to the syslog using local0. I also tried using ipmon -DSa -L local7 as well; it still outputs to local0. It was easy enough to modify my syslog.conf to output the local0.* as well as security.* to the /var/log/security file. However, it would be greatly appreciated if someone that actually understands what's going on here could get this info updated. It would have saved me some time, as well as, I am sure, some other people in the future. Of course it's always possible I am missing something simple here that is causing this discrepancy; please do inform me if I did.

It's probably worth mentioning that I am starting ipmon using the rc.conf file with ipmon_enable="YES" and ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script actually changes the default behavior of ipmon in some way, though I didn't see anything in it that should. And ps wwaux | grep ipmon does display the process running with the flags exactly as stated on the ipmon_flags line of the /etc/rc.conf file.

Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co
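The disagreement above comes down to syslog.conf selector semantics: which file a message tagged with a given facility and level actually reaches. The evaluator below is an added example written for this archive page; it is not code from the Handbook, from ipmon, or from either poster. It follows the selector rules documented in FreeBSD's syslog.conf(5): "facility.level" matches that level and above, "=", "!", "<" and ">" adjust the comparison, "none" removes a facility, "*" matches everything, the last selector on a line that names a facility wins, and "!prog" / "!*" open and close a program section ("+host"/"-host" sections and "!-prog" negation are deliberately not modelled). The two configurations embedded in it are constructed for illustration: one with the Handbook's "security.*" line, one with the extra "local0.*" routing Dean described, placed in an "!ipmon" section so only ipmon's messages take that path.

```python
"""Answer "where does facility.level go?" for a BSD-style syslog.conf.

Added example for the thread above; selector semantics per FreeBSD syslog.conf(5).
Host sections (+host / -host) and '!-prog' negation are not modelled.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console"]
FACILITIES += ["local%d" % i for i in range(8)]
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
LEVEL_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

# optional '!' negation, optional comparison flag, then the level name / 'none' / '*'
_LEVEL_SPEC = re.compile(r"^(!?)(>=|<=|>|<|=)?(.+)$")


def _level_index(name):
    name = LEVEL_ALIASES.get(name.lower(), name.lower())
    if name not in LEVELS:
        raise ValueError("unknown syslog level: %r" % name)
    return LEVELS.index(name)


def _level_matches(spec, msg_level):
    """True if a message at msg_level satisfies the level part of one selector."""
    neg, op, lvl = _LEVEL_SPEC.match(spec).groups()
    if lvl == "none":
        return False
    if lvl == "*":
        hit = True
    else:
        want, have = _level_index(lvl), _level_index(msg_level)
        hit = {">=": have >= want, "<=": have <= want, ">": have > want,
               "<": have < want, "=": have == want}[op or ">="]
    return not hit if neg else hit


def parse_syslog_conf(text):
    """Return [(program_filter, [(facilities, level_spec), ...], action), ...].

    program_filter is None outside any '!prog' section, else the set of names
    from '!prog' or '!prog1,prog2'; '!*' ends the section."""
    rules, program = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[0] in "!+-":                      # program / host section markers
            if line[0] == "!":
                spec = line[1:].strip()
                program = None if spec == "*" else {p.strip() for p in spec.split(",")}
            continue                              # host sections ignored (single-host view)
        sel_text, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in sel_text.split(";"):
            facs, _, lvl = sel.rpartition(".")
            selectors.append(([f.strip() for f in facs.split(",")], lvl.strip()))
        rules.append((program, selectors, action))
    return rules


def destinations(conf_text, facility, level, program=None):
    """Actions (files, hosts, users) that receive a facility.level message sent by
    `program`, in syslog.conf order. An empty list means syslogd drops it."""
    out = []
    for prog_filter, selectors, action in parse_syslog_conf(conf_text):
        if prog_filter is not None and program not in prog_filter:
            continue
        matched = {}                              # facility -> bool; last selector wins
        for facs, lvl_spec in selectors:
            for f in (FACILITIES if facs == ["*"] else facs):
                matched[f] = _level_matches(lvl_spec, level)
        if matched.get(facility, False):
            out.append(action)
    return out


# Constructed sample configurations (illustrative, not copied from any system).
HANDBOOK_CONF = """
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                                      /var/log/ipfilter.log
"""

FIXED_CONF = """
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                                      /var/log/security
!ipmon
local0.*                                                        /var/log/security
!*
"""

if __name__ == "__main__":
    for conf, name in ((HANDBOOK_CONF, "handbook"), (FIXED_CONF, "fixed")):
        for lvl in ("info", "warning"):
            print(name, "local0." + lvl, "->",
                  destinations(conf, "local0", lvl, program="ipmon") or ["(dropped)"])
```

Run against the Handbook-style configuration, an ipmon message tagged local0 at LOG_INFO (the level the Handbook assigns to "log"-only rules) matches nothing: the "security.*" line never sees it, and the stock "*.notice" line is above its level, so the entry is silently dropped; a LOG_WARNING (blocked packet) entry on local0 lands in /var/log/messages instead of the IPFilter log. With the second configuration both levels reach /var/log/security, but only when the sender is ipmon, which is why the "!ipmon" section is worth the two extra lines rather than a bare "local0.*" that would also capture any other daemon using local0.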