From owner-freebsd-questions@FreeBSD.ORG Mon Dec 8 13:38:01 2008
Date: Mon, 8 Dec 2008 07:37:57 -0600
From: "Dean Weimer" <dweimer@orscheln.com>
To: "Fbsd1" <fbsd1@a1poweruser.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: IPFilter section in Handbook needs updating
References: <661217.76488.qm@web52202.mail.re2.yahoo.com> <493B3D77.6080404@a1poweruser.com>
List-Id: User questions

First, thanks for your work on writing the section in the handbook, it's greatly appreciated. The update about ipmon logging to local0 looks good. Not sure whether or not you want to change bumping the syslogd using the ps and kill commands, as /etc/rc.d/syslogd reload does work and would be easier for someone who is just learning how everything works.
Thanks,
     Dean Weimer
     Network Administrator
     Orscheln Management Co

-----Original Message-----
From: Fbsd1 [mailto:fbsd1@a1poweruser.com]
Sent: Saturday, December 06, 2008 9:05 PM
To: gwg7webbcom@yahoo.com
Cc: freebsd-questions@freebsd.org; Dean Weimer
Subject: Re: IPFilter section in Handbook needs updating

G magicman wrote:
> And incomplete. Yes, I agree that the doc does need to be updated and examples (more) need to be added.
>
> --- On Fri, 12/5/08, Dean Weimer wrote:
> From: Dean Weimer
> Subject: IPFilter section in Handbook needs updating
> To: freebsd-questions@freebsd.org
> Date: Friday, December 5, 2008, 10:07 AM
>
> I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that the ipmon and syslog information under the ipfilter section of the handbook is incorrect.
>
> The section reads:
> -----snip-----
> 31.5.7 IPMON Logging
> Syslogd uses its own special method for segregation of log data. It uses special groupings called "facility" and "level". IPMON in -Ds mode uses security as the "facility" name. All IPMON logged data goes to security. The following levels can be used to further segregate the logged data if desired:
> LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
> LOG_NOTICE - packets logged which are also passed
> LOG_WARNING - packets logged which are also blocked
> LOG_ERR - packets which have been logged and which can be considered short
> To set up IPFILTER to log all data to /var/log/ipfilter.log, you will need to create the file. The following command will do that:
> # touch /var/log/ipfilter.log
> The syslog function is controlled by definition statements in the /etc/syslog.conf file. The syslog.conf file offers considerable flexibility in how syslog will deal with system messages issued by software applications like IPF.
> Add the following statement to /etc/syslog.conf:
> security.* /var/log/ipfilter.log
> The security.* means to write all the logged messages to the coded file location.
> To activate the changes to /etc/syslog.conf you can reboot or bump the syslog task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
> Do not forget to change /etc/newsyslog.conf to rotate the new log you just created above.
> -----snip-----
>
> In trying to configure this I found that ipmon -Dsa doesn't log to security, but logs to local0 instead. Reading the man page for ipmon does in fact state this. However, it also lists the -L option as being able to change this default behavior. I tried ipmon -DSa -L security; it accepts this, but doesn't actually change the logging to use security. It still only outputs to the syslog using local0. I also tried using ipmon -DSa -L local7 as well; it still outputs to local0. It was easy enough to modify my syslog.conf to output the local0.* as well as security.* to the /var/log/security file. However, it would be greatly appreciated if someone that actually understands what's going on here could get this info updated. It would have saved me some time, as well as, I am sure, some other people in the future. Of course it's always possible I am missing something simple here that is causing this discrepancy; please do inform me if I did. It's probably worth mentioning that I am starting ipmon using the rc.conf file with ipmon_enable="YES" and ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script actually changes the default behavior of ipmon in some way, though I didn't see anything in it that should. And ps wwaux | grep ipmon does display the process running with the flags exactly as stated on the ipmon_flags line of the /etc/rc.conf file.
>
> Thanks,
> Dean Weimer
> Network Administrator
> Orscheln Management Co
>

I wrote that whole firewall handbook section. How is the following for a complete replacement of the 31.5.7 IPMON Logging section?

31.5.7 IPMON Logging

Syslogd uses its own special method for segregation of log data. It uses special groupings called 'facility' and 'level'. IPMON in -Ds mode uses local0 as the 'facility' name. All IPMON logged data goes to local0. You have to manually configure the /etc/syslog.conf file by adding the statements to direct the local0 'facility' to the log file name recording the log records. FBSD keeps all of its syslog files in the /var/log/ directory.

First allocate the new named log file for the IPMON logged data.

touch /var/log/ipfilter.log # will allocate the file

The syslog function is controlled by definition statements in the /etc/syslog.conf file. You will have to edit the /etc/syslog.conf file. Add the following statement to syslog.conf:

local0.* /var/log/ipfilter.log

The local0.* means to write all the logged messages to the coded file location.

To activate the changes to /etc/syslog.conf you can reboot or bump the syslog task into re-reading /etc/syslog.conf by kill -HUP pid. You get the pid (i.e. process number) by listing the tasks with the ps ax command. Find syslog in the display; the pid number is the number in the left column.

Don't forget to change /etc/newsyslog.conf to rotate the new named IPFILTER log you just created above.
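As an added example (not code from the thread, the handbook, or the ipmon project), the replacement 31.5.7 procedure as one sh script: create the log file, add the local0 selector to syslog.conf and a rotation entry to newsyslog.conf without duplicating them on re-runs, reload syslogd via /etc/rc.d/syslogd reload as suggested in the reply above, and then confirm that a local0 message really lands in the new file, which is the check that would have shown the security-vs-local0 mismatch straight away. The newsyslog rotation values, the logger(1)-based check and the overridable config paths are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the handbook): route ipmon's
# local0 output to its own file as the proposed 31.5.7 text describes,
# using /etc/rc.d/syslogd reload instead of a manual ps / kill -HUP.
# Paths are overridable so the functions can be tried on copies first.
SYSLOG_CONF="${SYSLOG_CONF:-/etc/syslog.conf}"
NEWSYSLOG_CONF="${NEWSYSLOG_CONF:-/etc/newsyslog.conf}"
IPF_LOG="${IPF_LOG:-/var/log/ipfilter.log}"

# Append a line only if that exact line is absent, so re-running the
# script never leaves duplicate selectors or rotation entries behind.
ensure_line() {
    _file="$1"; _line="$2"
    grep -qxF -- "$_line" "$_file" 2>/dev/null && return 0
    printf '%s\n' "$_line" >> "$_file"
}

configure_ipmon_logging() {
    # Same effect as touch(1); newsyslog's C flag below would also do it.
    [ -e "$IPF_LOG" ] || : > "$IPF_LOG"
    # syslog.conf: selector, a tab, then the action (the log file).
    ensure_line "$SYSLOG_CONF" "$(printf 'local0.*\t%s' "$IPF_LOG")"
    # newsyslog.conf: file, mode, count, size (KB), when, flags.
    # Assumed values: keep 7 rotations, rotate at 100 KB, bzip2 (J),
    # create the file if missing (C).
    ensure_line "$NEWSYSLOG_CONF" \
        "$(printf '%s\t600\t7\t100\t*\tJC' "$IPF_LOG")"
}

# Make syslogd reread syslog.conf; the rc script looks up the pid and
# sends SIGHUP, which is what the handbook text does by hand.
reload_syslogd() {
    /etc/rc.d/syslogd reload
}

# Prove the routing works: write a marker to local0 with logger(1) and
# look for it in the new file (a marker sent to the wrong facility,
# e.g. security, would never show up here).
verify_routing() {
    _marker="ipmon-routing-check-$$"
    logger -p local0.info "$_marker"
    sleep 1
    grep -q "$_marker" "$IPF_LOG"
}

case "${1:-}" in
    apply) configure_ipmon_logging && reload_syslogd && verify_routing ;;
esac
```

Run it as root with the argument apply; without an argument it only defines the functions, so it can be sourced and tried against copies of the config files by exporting SYSLOG_CONF, NEWSYSLOG_CONF and IPF_LOG first.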