From: Erik Norgaard
Date: Tue, 14 Feb 2006 16:14:04 +0100
To: Maxim Vetrov
Cc: freebsd-questions@FreeBSD.org
Subject: Re: IPFILTER rule error
Message-ID: <43F1F3BC.6020209@locolomo.org>
In-Reply-To: <43F27C4D.9010904@mail.ru>
User-Agent: Thunderbird 1.5 (X11/20060118)

Maxim Vetrov wrote:
> Hi,
> kernel conf:
> -------------------------------------------------------
> ...
> options IPFILTER
> options IPFILTER_LOG
> #options IPFILTER_DEFAULT_BLOCK
> #options IPSTEALTH
> ...
> -------------------------------------------------------

The rc scripts should load these modules if they are not compiled into the kernel; in that case they would show up in kldstat. Try using kldstat and sysctl -a to see what's in your kernel, and grep for ipf.
> services:
> -------------------------------------------------------
> ...
> sunrpc 111/tcp rpcbind #SUN Remote Procedure Call
> sunrpc 111/udp rpcbind #SUN Remote Procedure Call
> ...
> -------------------------------------------------------
>
> ipf.rules:
> -------------------------------------------------------
> block in log on rl0 all head 20
> block out log on rl0 all head 25
>
>
> pass in quick on rl0 \
> proto tcp/udp from any to any port = sunrpc keep state group 20
> pass in quick on rl0 \
> proto tcp/udp from any to any port = 717 keep state group 20
> pass out quick on rl0 \
> proto udp from any to any port = 111 keep state group 20
> --------------------------------------------------------
>
> Steps to load the rules:
>> ipf -Fa
>> ipf -f /etc/ipf.rules
> 1:ioctl (add/insert rule): No such process

1st: IIRC, the number in the error line indicates the line the error occurred in - not sure though. That would be your first rule. I don't know if you posted the whole ruleset or if you cut out what seemed irrelevant to keep the post short.

2nd: Reading the ipf-howto I see no examples where port names are used; try using the port number to eliminate that possibility.

> And there is one more problem - despite that I have packet logging
> enabled by default (-Ds) through syslogd, log is empty!
>
> syslog.conf:
> --------------------------------------------------------
> ...
> security.* /var/log/security
> ...
> --------------------------------------------------------
> That file exists and has root rw permissions.

If you want to log to a separate file, why not let ipmon do that directly?

# ipmon -D /var/log/security

Secondly, the empty log may not be that surprising in the first place if your ruleset is not loaded correctly.
Cheers, Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
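The two checks Erik suggests (which rule the error number points at, and whether a service name resolves) can be run against the ruleset file before it is handed to ipf. The following linter is an added example and is not part of the thread or of the ipfilter tools; it embeds a constructed subset of /etc/services and Maxim's posted rules as sample input. It reports, per logical rule (backslash continuations joined, so the line number matches what ipf -f counts), every port name that has no entry for the rule's proto, every `group N` with no preceding `head N`, and every rule whose direction differs from that of its group head. That last check reflects ipf's group semantics as I understand them (a member rule must have the same in/out direction as its head, and the kernel rejects a mismatch with ESRCH, "No such process"); treat it as an assumption to confirm against ipf(5) rather than as a finding from the thread. In the posted ruleset the only rule it flags is the `pass out ... group 20` rule, whose head 20 is an `in` rule.

```python
"""Lint an ipfilter ruleset for problems ipf(8) reports only as an ioctl error.

Added example, not part of the original post. Checks are: port names resolve for
every listed proto, 'group N' follows a 'head N', and member rules share their
head's direction (the direction check is an assumption about ipf, see lead-in).
"""
from typing import Dict, List, Tuple

# Constructed subset of /etc/services; the real file is the authority.
SERVICES: Dict[Tuple[str, str], int] = {
    ("sunrpc", "tcp"): 111,
    ("sunrpc", "udp"): 111,
    ("ssh", "tcp"): 22,
    ("domain", "tcp"): 53,
    ("domain", "udp"): 53,
}

# Comparison operators ipf accepts after the 'port' keyword.
OPS = {"=", "!=", "<", ">", "<=", ">=", "><", "<>"}

# The ruleset posted in the thread, verbatim (backslash continuations kept).
POSTED_RULES = """\
block in log on rl0 all head 20
block out log on rl0 all head 25

pass in quick on rl0 \\
proto tcp/udp from any to any port = sunrpc keep state group 20
pass in quick on rl0 \\
proto tcp/udp from any to any port = 717 keep state group 20
pass out quick on rl0 \\
proto udp from any to any port = 111 keep state group 20
"""

# Same ruleset with the out rule joined to the out head (assumed fix).
FIXED_RULES = POSTED_RULES.replace("port = 111 keep state group 20",
                                   "port = 111 keep state group 25")


def logical_rules(text: str) -> List[Tuple[int, List[str]]]:
    """Strip '#' comments, join backslash-continued lines and return
    (first_line_number, tokens) for each logical rule."""
    rules: List[Tuple[int, List[str]]] = []
    buf: List[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not buf:
            if not line.strip():
                continue            # blank line between rules
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])   # continuation: keep collecting
            continue
        buf.append(line)
        rules.append((start, " ".join(buf).split()))
        buf = []
    return rules


def port_operands(toks: List[str]) -> List[str]:
    """Return the operand of every 'port [op] X' clause in a rule."""
    found: List[str] = []
    for i, t in enumerate(toks):
        if t != "port" or i + 1 >= len(toks):
            continue
        nxt = toks[i + 1]
        if nxt in OPS:
            if i + 2 < len(toks):
                found.append(toks[i + 2])
        else:
            found.append(nxt)
    return found


def lint(text: str) -> List[str]:
    """Return a list of 'LINE: message' strings; empty means nothing found."""
    problems: List[str] = []
    heads: Dict[str, str] = {}  # group number -> direction of its head rule
    for lineno, toks in logical_rules(text):
        direction = next((t for t in toks if t in ("in", "out")), "?")
        protos: List[str] = []
        if "proto" in toks and toks.index("proto") + 1 < len(toks):
            protos = toks[toks.index("proto") + 1].split("/")
        for p in port_operands(toks):
            if p.isdigit():
                continue            # numeric ports need no lookup
            if not protos:
                problems.append(f"{lineno}: port name '{p}' without a proto clause cannot be resolved")
                continue
            for proto in protos:
                if (p, proto) not in SERVICES:
                    problems.append(f"{lineno}: port name '{p}' has no {proto} entry in services")
        if "head" in toks and toks.index("head") + 1 < len(toks):
            heads[toks[toks.index("head") + 1]] = direction
        if "group" in toks and toks.index("group") + 1 < len(toks):
            g = toks[toks.index("group") + 1]
            if g not in heads:
                problems.append(f"{lineno}: group {g} used before any 'head {g}' rule")
            elif heads[g] != direction:
                problems.append(f"{lineno}: {direction} rule joined to group {g}, whose head is an {heads[g]} rule")
    return problems


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(label, lint(rules) or "no problems found")
```

Run it against the real file with the real services table before `ipf -f`; ipf itself offers `ipf -n -f /etc/ipf.rules` to parse without touching the kernel, and `ipfstat -io` shows which rules actually made it in, which is the first thing to confirm before wondering why the log is empty.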