Date:      Tue, 14 Feb 2006 16:14:04 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Maxim Vetrov <muxas@mail.ru>
Cc:        freebsd-questions@FreeBSD.org
Subject:   Re: IPFILTER rule error
Message-ID:  <43F1F3BC.6020209@locolomo.org>
In-Reply-To: <43F27C4D.9010904@mail.ru>
References:  <43F11FB2.7000105@mail.ru> <20060213141706.GA94131@flame.pc> <43F27C4D.9010904@mail.ru>

Maxim Vetrov wrote:
> Hi,
> kernel conf:
> -------------------------------------------------------
> ...
> options        IPFILTER
> options        IPFILTER_LOG
> #options        IPFILTER_DEFAULT_BLOCK
> #options        IPSTEALTH
> ...
> -------------------------------------------------------

The rc scripts should load these modules if they are not compiled with 
the kernel, in that case they would show up with kldstat.

Try using kldstat and sysctl -a to see what's in your kernel, grep for ipf.

> services:
> -------------------------------------------------------
> ...
> sunrpc          111/tcp    rpcbind      #SUN Remote Procedure Call
> sunrpc          111/udp    rpcbind      #SUN Remote Procedure Call
> ...
> -------------------------------------------------------
> 
> ipf.rules:
> -------------------------------------------------------
> block in log on rl0 all head 20
> block out log on rl0 all head 25
> 
> 
> pass in quick on rl0 \
>  proto tcp/udp from any to any port = sunrpc keep state group 20
> pass in quick on rl0 \
>  proto tcp/udp from any to any port = 717 keep state group 20
> pass out quick on rl0 \
>  proto udp from any to any port = 111 keep state group 20
> --------------------------------------------------------
> 
> Steps to load the rules:
>> ipf -Fa
>> ipf -f /etc/ipf.rules
> 1:ioctl (add/insert rule): No such process

1st: IIRC, the number in the error line indicates the line the error 
occurred in - not sure though. That would be your first rule. I don't 
know if you posted the whole ruleset or if you cut out what seemed 
irrelevant to keep the post short.

2nd: Reading the ipf-howto I see no examples where port names are used, 
try using the port number to eliminate that possibility.

> And there is one more problem - despite that I have packet logging
> enabled by default (-Ds) through syslogd, log is empty!
> 
> syslog.conf:
> --------------------------------------------------------
> ...
> security.*      /var/log/security
> ...
> --------------------------------------------------------
> That file exists and has root rw permissions.

If you want to log to a separate file, why not let ipmon do that directly?

    # ipmon -D /var/log/security

Secondly, the empty log may not be that surprising in the first place if 
your ruleset is not loaded correctly.

Cheers, Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
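As an added example (not code from the thread), a small Python checker that applies Erik's two suggestions to the posted ruleset: map the number in ipf's error message back to the rule on that line, and rewrite `port = <name>` to the number from a services table. It also flags a `group N` with no preceding `head N`; that check, the constructed services table, and the assumption that ipf's number is the file line number are mine, not the thread's.

```python
import re

# Constructed services table, taken from the /etc/services lines quoted in the thread.
SERVICES = {"sunrpc": 111}

# The ruleset posted in the thread, with the backslash continuations joined
# the way ipf reads them, one rule per line (constructed copy).
RULESET = """\
block in log on rl0 all head 20
block out log on rl0 all head 25
pass in quick on rl0 proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 proto udp from any to any port = 111 keep state group 20
"""

PORT_RE = re.compile(r"\bport\s*=\s*([A-Za-z][\w-]*)")   # only symbolic names
HEAD_RE = re.compile(r"\bhead\s+(\d+)")
GROUP_RE = re.compile(r"\bgroup\s+(\d+)")
ERR_RE = re.compile(r"^\s*(\d+):ioctl")

def error_line(msg):
    """Extract N from 'N:ioctl (add/insert rule): ...'; None if absent."""
    m = ERR_RE.match(msg)
    return int(m.group(1)) if m else None

def rule_at(text, n):
    """Return file line n (1-based), assuming ipf's N is a line number."""
    lines = text.splitlines()
    return lines[n - 1] if 0 < n <= len(lines) else None

def numeric_ports(rule, services=SERVICES):
    """Rewrite 'port = <name>' to 'port = <number>' using the services table."""
    def sub(m):
        name = m.group(1)
        if name not in services:
            raise KeyError(f"unknown service name {name!r}")
        return f"port = {services[name]}"
    return PORT_RE.sub(sub, rule)

def check_ruleset(text, services=SERVICES):
    """Return (line, message) findings; line numbers match the file, like ipf's."""
    heads, findings = set(), []
    for n, rule in enumerate(text.splitlines(), 1):
        if not rule.strip() or rule.lstrip().startswith("#"):
            continue                       # blank and comment lines are skipped
        heads.update(HEAD_RE.findall(rule))
        for g in GROUP_RE.findall(rule):
            if g not in heads:             # assumption: a group needs an earlier head
                findings.append((n, f"group {g} referenced before any 'head {g}' rule"))
        for name in PORT_RE.findall(rule):
            hint = f"try 'port = {services[name]}'" if name in services else "unknown name"
            findings.append((n, f"service name {name!r}: {hint}"))
    return findings
```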