From owner-freebsd-security@FreeBSD.ORG Mon Aug 11 15:41:35 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0E5237B41C for ; Mon, 11 Aug 2003 15:41:27 -0700 (PDT)
Received: from rwcrmhc13.comcast.net (rwcrmhc13.comcast.net [204.127.198.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9A0E043FE3 for ; Mon, 11 Aug 2003 15:41:09 -0700 (PDT) (envelope-from cristjc@comcast.net)
Received: from blossom.cjclark.org (12-234-159-107.client.attbi.com[12.234.159.107](untrusted sender)) by comcast.net (rwcrmhc13) with ESMTP id <20030811224109015006qd2qe>; Mon, 11 Aug 2003 22:41:09 +0000
Received: from blossom.cjclark.org (localhost. [127.0.0.1]) by blossom.cjclark.org (8.12.8p1/8.12.8) with ESMTP id h7BMexJp032620; Mon, 11 Aug 2003 15:40:59 -0700 (PDT) (envelope-from cristjc@comcast.net)
Received: (from cjc@localhost) by blossom.cjclark.org (8.12.8p1/8.12.8/Submit) id h7BMes7d032619; Mon, 11 Aug 2003 15:40:54 -0700 (PDT)
X-Authentication-Warning: blossom.cjclark.org: cjc set sender to cristjc@comcast.net using -f
Date: Mon, 11 Aug 2003 15:40:54 -0700
From: "Crist J. Clark"
To: Redmond Militante
Message-ID: <20030811224054.GC32225@blossom.cjclark.org>
References: <20030808064118.GA64362@darkpossum>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030808064118.GA64362@darkpossum>
User-Agent: Mutt/1.4.1i
X-URL: http://people.freebsd.org/~cjc/
cc: freebsd-security@freebsd.org
Subject: Re: problems with ipfilter on 5.1-RELEASE
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Crist J. Clark"
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 11 Aug 2003 22:41:38 -0000

On Fri, Aug 08, 2003 at 01:41:18AM -0500, Redmond Militante wrote:
> Hi all,
>
> I'm trying to get ipfilter set up on my new 5.1-RELEASE box. ipfilter
> seems to be working fine. I just have a couple of issues that are
> probably not very serious...
>
> One thing is that during network startup at boot, I get the message
>
> IPFilter: already initialized
>
> repeated 4 times.
>
> I think I have everything configured properly.
>
> My kernel config looks like
>
> options IPFILTER
> options IPFILTER_LOG
> options IPFILTER_DEFAULT_BLOCK
>
> My /etc/rc.conf looks like
>
> ipfilter_enable="YES"
> ipfilter_flags=""
> ipfilter_rules="/etc/ipfilter.rules"
> ipmon_enable="YES"
> ipmon_flags="-Dsvn"

IPFilter may be initialized when other network devices and services are
started and configured. This might be what you see. Can you provide more
of your rc.conf? At the very least, the other networking-related
variables.

> The other problem I have is that it now seems that ipmon is logging to
> /var/log/messages. I've set up ipfilter successfully on many FreeBSD
> 4.x boxes, but this is the first time I've tried to set it up on 5.x.
>
> In my /etc/syslog.conf I have
>
> local0.* /var/log/firewall_logs
> *.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
> /var/log/messages

The default facility for IPFilter was changed to LOG_SECURITY,

cvs diff -rRELENG_4 -rRELENG_5_1 src/contrib/ipfilter/Makefile Index: src/contrib/ipfilter/Makefile =================================================================== RCS file: /ncvs/src/contrib/ipfilter/Makefile,v retrieving revision 1.1.1.8.2.6 retrieving revision 1.2 diff -u -r1.1.1.8.2.6 -r1.2 --- src/contrib/ipfilter/Makefile 1 Mar 2003 03:55:50 -0000 1.1.1.8.2.6 +++ src/contrib/ipfilter/Makefile 5 Apr 2003 09:25:19 -0000 1.2 @@ -3,6 +3,7 @@ # # See the IPFILTER.LICENCE file for details on licencing. # +# $FreeBSD: src/contrib/ipfilter/Makefile,v 1.2 2003/04/05 09:25:19 darrenr Exp $ # $Id: Makefile,v 2.11.2.15 2002/12/02 04:22:56 darrenr Exp $ # BINDEST=/usr/local/bin @@ -29,7 +30,7 @@ # # The facility you wish to log messages from ipmon to syslogd with. # -LOGFAC=-DLOGFAC=LOG_LOCAL0 +LOGFAC=-DLOGFAC=LOG_SECURITY # # Uncomment the next 3 lines if you want to view the state table a la top(1)

You might want to,

--- /export/freebsd/RELENG_5_1/src/etc/syslog.conf Wed Apr 23 06:08:31 2003 +++ syslog.conf Mon Aug 11 15:37:54 2003
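Review bot: the second hunk (@@ -29,7 +30,7 @@) flips ipmon's default syslog facility from LOG_LOCAL0 to LOG_SECURITY but leaves the surrounding comment as the generic "The facility you wish to log messages from ipmon to syslogd with", so nothing in the file records that the default moved; any syslog.conf carried over from RELENG_4 that routes local0.* to a firewall log (exactly the quoted /etc/syslog.conf above) silently stops receiving ipmon output, which then falls through to whatever matches *.notice. Suggest recording both values next to the setting, e.g. "# LOG_SECURITY by default (LOG_LOCAL0 on RELENG_4)", and noting the change wherever users are told to migrate syslog.conf, since ipmon_flags alone will not show them anything went wrong.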
@@ -6,7 +6,7 @@ # may want to use only tabs as field separators here. # Consult the syslog.conf(5) manpage. *.err;kern.debug;auth.notice;mail.crit /dev/console -*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages +*.notice;authpriv,security.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages security.* /var/log/security auth.info;authpriv.info /var/log/auth.log mail.info /var/log/maillog

If you wish to stop messages to /var/log/messages. They should already be
collecting in /var/log/security. You may wish to change that to
firewall_logs if the filename is important to you.

--
Crist J. Clark                     |     cjclark@alum.mit.edu     |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
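Review bot: the "-" line of this hunk is the stock RELENG_5_1 selector ("*.notice;authpriv.none;..."), but the selector quoted from the recipient's /etc/syslog.conf already differs from it (it carries an extra local0.none), so patch(1) will reject the hunk on that file and the change has to be merged by hand; the merged line would read "*.notice;local0.none;authpriv,security.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages". Also, the hunk only excludes security from /var/log/messages and leaves the context line "security.* /var/log/security" as is, so renaming the destination to firewall_logs, as the text suggests, is a further edit to that context line (and the old "local0.* /var/log/firewall_logs" rule becomes dead once nothing logs to local0).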
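The routing described in this reply (ipmon now logging under the security facility, so "*.notice" catches it in /var/log/messages until a "security.none" is added) can be checked mechanically rather than by staring at selectors. The following is an added example, not code from the thread or from the FreeBSD tree: a small evaluator of syslog.conf(5) selector semantics as BSD syslogd applies them (on each rule line the selectors are applied left to right and the last one naming a facility wins; "none" excludes the facility; a bare priority matches that priority and anything more severe; "=pri" matches exactly). The three configurations embedded in it are constructed: the quoted /etc/syslog.conf, the stock file after the diff above, and a hand-merged version of the two that keeps the firewall_logs name. The priorities used (notice, warning, err, info) are stand-ins, since the thread does not say which priority ipmon logs at, and "!prog" / "+host" scoping blocks are rejected rather than modelled.

```python
"""Which syslog.conf(5) actions receive a (facility, priority) message?

Added example (not from the thread or the FreeBSD tree).  Models BSD
syslogd selector semantics: on each rule line selectors are applied left
to right and the last one naming a facility wins, `none` excludes the
facility, a bare priority matches that priority and anything more
severe, and `=pri` matches exactly that priority.  `!prog` / `+host`
scoping blocks are not modelled and are rejected (assumption).
"""

PRIORITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3,
              "error": 3, "warning": 4, "warn": 4, "notice": 5,
              "info": 6, "debug": 7}

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "security",
              "console"] + [f"local{i}" for i in range(8)]


def parse_selector(sel):
    """'fac[,fac...].pri' -> (facilities, flag, level); level None means 'none'."""
    facs, dot, pri = sel.rpartition(".")
    if not dot:
        raise ValueError(f"selector without priority: {sel!r}")
    flag = ""
    if pri.startswith("="):
        flag, pri = "=", pri[1:]
    if pri == "none":
        level = None
    elif pri == "*":
        level = PRIORITIES["debug"]          # '*' means every priority
    else:
        level = PRIORITIES[pri]              # KeyError on an unknown name
    fac_list = FACILITIES if facs == "*" else facs.split(",")
    unknown = [f for f in fac_list if f not in FACILITIES]
    if unknown:
        raise ValueError(f"unknown facility: {unknown}")
    return fac_list, flag, level


def parse_conf(text):
    """Return [(table, action)]; table maps facility -> (flag, level)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line[0] in "!+-":
            raise ValueError(f"program/host block not modelled: {line!r}")
        selectors, action = line.split(None, 1)
        table = {}
        for sel in selectors.split(";"):
            facs, flag, level = parse_selector(sel)
            for f in facs:                   # later selector overrides earlier
                table[f] = (flag, level)
        rules.append((table, action.strip()))
    return rules


def route(conf_text, facility, priority):
    """Actions (files, devices, ...) that a facility.priority message reaches."""
    pri = PRIORITIES[priority]
    hits = []
    for table, action in parse_conf(conf_text):
        entry = table.get(facility)
        if entry is None or entry[1] is None:  # unmentioned, or 'none'
            continue
        flag, level = entry
        if (flag == "=" and pri == level) or (flag == "" and pri <= level):
            hits.append(action)
    return hits


# --- constructed configurations (reconstructed from the thread) -------
# 1. The quoted /etc/syslog.conf: local0 routed to firewall_logs.
OP_CONF = """\
local0.*\t/var/log/firewall_logs
*.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
"""
# 2. The stock RELENG_5_1 file after the diff in the reply.
PATCHED_DEFAULT = """\
*.err;kern.debug;auth.notice;mail.crit\t/dev/console
*.notice;authpriv,security.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
security.*\t/var/log/security
"""
# 3. The quoted file merged by hand with that change, keeping the old name.
MERGED_CONF = """\
security.*\t/var/log/firewall_logs
*.notice;local0.none;authpriv,security.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
"""

if __name__ == "__main__":
    for name, conf in [("quoted", OP_CONF), ("patched", PATCHED_DEFAULT),
                       ("merged", MERGED_CONF)]:
        for fac in ("local0", "security"):
            print(f"{name:8} {fac}.notice -> {route(conf, fac, 'notice')}")
```

Running it shows the symptom from the original post directly: with the quoted file, a security.notice message lands in /var/log/messages and nothing else, and a security.info message is dropped entirely (no selector admits it), while local0 traffic, which ipmon no longer produces, is the only thing reaching firewall_logs. With the patched default the same message goes to /var/log/security only, and with the merged file it goes to firewall_logs only.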