Date: Tue, 14 Feb 2006 16:14:04 +0100 From: Erik Norgaard <norgaard@locolomo.org> To: Maxim Vetrov <muxas@mail.ru> Cc: freebsd-questions@FreeBSD.org Subject: Re: IPFILTER rule error Message-ID: <43F1F3BC.6020209@locolomo.org> In-Reply-To: <43F27C4D.9010904@mail.ru> References: <43F11FB2.7000105@mail.ru> <20060213141706.GA94131@flame.pc> <43F27C4D.9010904@mail.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Maxim Vetrov wrote: > Hi, > kernel conf: > ------------------------------------------------------- > ... > options IPFILTER > options IPFILTER_LOG > #options IPFILTER_DEFAULT_BLOCK > #options IPSTEALTH > ... > ------------------------------------------------------- The rc scripts should load these modules if they are not compiled with the kernel, in that case they would show up with kldstat. Try use kldstat and sysctl -a to see what's in your kernel, grep for ipf. > services: > ------------------------------------------------------- > ... > sunrpc 111/tcp rpcbind #SUN Remote Procedure Call > sunrpc 111/udp rpcbind #SUN Remote Procedure Call > ... > ------------------------------------------------------- > > ipf.rules: > ------------------------------------------------------- > block in log on rl0 all head 20 > block out log on rl0 all head 25 > > > pass in quick on rl0 \ > proto tcp/udp from any to any port = sunrpc keep state group 20 > pass in quick on rl0 \ > proto tcp/udp from any to any port = 717 keep state group 20 > pass out quick on rl0 \ > proto udp from any to any port = 111 keep state group 20 > -------------------------------------------------------- > > Steps to load the rules: >> ipf -Fa >> ipf -f /etc/ipf.rules > 1:ioctl (add/insert rule): No such process 1st: IIRC, the number in the error line indicates the line the error occurred in - not sure though. That would be your first rule. I don't know if you posted the whole ruleset or if you cut out what seemed irrelevant to keep the post short. 2nd: Reading the ipf-howto I see no examples where port names are used, try using the port number to eliminate that posibility. > And there is one more problem - despite that I have packet logging > enabled by default (-Ds) through syslogd, log is empty! > > syslog.conf: > -------------------------------------------------------- > ... > security.* /var/log/security > ... > -------------------------------------------------------- > That file exists and have root rw permissions. If you want to log to a separate file, why not let ipmon do that directly? # ipmon -D /var/log/security Secondly, the empty log may not be that surprising in the first place if your ruleset is not loaded correctly. Cheers, Erik -- Ph: +34.666334818 web: www.locolomo.org S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72 Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43F1F3BC.6020209>