Date:      Mon, 29 Nov 2004 18:28:06 -0800
From:      FMorales <altf2o@comcast.net>
To:        freebsd-questions@freebsd.org
Subject:   Problems logging w/ IPF on FreeBSD 5.3-STABLE
Message-ID:  <41ABDAB6.5030906@comcast.net>

Hello all, I recently installed FreeBSD 5.3 and am so far extremely
pleased with it. I read the section in the handbook that discussed
setting up IPF w/ FreeBSD 5.x, and also how to turn on logging and
such. Well, IPF works perfectly, however my logging is NOT going
where it's supposed to. I used the same files the tutorial did,
that is:
    /var/log/ipfilter.log
etc... I only "log" for the "block" rules, however the data that's
supposed to be written to my log file is NOT being written there
at all. My messages seem to be written to:
    /var/log/security and
    /var/log/messages
instead of /var/log/ipfilter.log. The important thing is I found
where things are being logged, however I was so stoked to get
everything set up and running, then this problem. Now it's just
a matter of principle and seeing where I went wrong. I offer the
following list of configuration settings, and information about
my current setup and system. If anyone needs more information
please ask, I will be more than happy to provide it. Any help or a
point in the right direction would be greatly appreciated. I'm
sure it's something very silly I've done and am just overlooking.
Thanks in advance all.

FMorales...

System:
FreeBSD 5.3-RELEASE
AMD Athlon XP 1600+
512MB RAM

-- Alright, let's run down the list, first things first. I decided
-- to recompile my kernel w/ the needed options to actually build
-- IPF etc. into the kernel. I used a simple config named "Test";
-- here is the output showing the needed 'options' are there:

bash-2.05b$ cat /usr/src/sys/i386/conf/Test | grep "IPFILTER" | head -3
options     IPFILTER
options     IPFILTER_LOG
options     IPFILTER_DEFAULT_BLOCK

-- How I built and installed the kernel was as follows:
bash-2.05b$ cd /usr/src
bash-2.05b$ make buildkernel KERNCONF=Test
bash-2.05b$ make installkernel KERNCONF=Test

-- After which I rebooted, and everything went OK.

-- Next we make sure we're running the correct kernel:
bash-2.05b$ uname -i
Test

-- Let's make sure our log file exists:
bash-2.05b$ ls -la /var/log/ipfil*
-rw-r--r-- 1 root wheel 0 Nov 27 14:29 /var/log/ipfilter.log

-- OK, let's be sure we added the needed options to /etc/rc.conf:
bash-2.05b$ cat /etc/rc.conf | grep "ip"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"

-- Let's make sure we have the correct values in /etc/syslog.conf:
bash-2.05b$ cat /etc/syslog.conf | grep "local"
local0.*                                /var/log/ipfilter.log

-- This entry is the FIRST one in /etc/syslog.conf. (NOTE: Using
-- local0.* OR Local0.* has no effect on the outcome)

-- We also told it to rotate our logs everyday at midnight:
bash-2.05b$ cat /etc/newsyslog.conf | grep "ipfilter"
/var/log/ipfilter.log               600  15    *    $D0   JN

OK, all config looked OK. Next I remembered to restart syslogd.
I first did it with: kill -HUP <pid>  after getting a valid pid.
I have ALSO rebooted several times just in case, no dice. Next
I read the syslogd manpage and restarted syslogd using:
    syslogd -s -v -v
to get verbose logging. As I said before it DOES log to both
    /var/log/security and
    /var/log/messages
Now the output from a blocked packet was this: (I block telnet
both ways so when I try to telnet this is what gets written)

Nov 29 17:47:01 <security.warn> altf2o ipmon[177]:
17:47:00.419095 rl0 @0:19 b x.x.x.x,62902 ->
z.z.z.z,23

So it's apparent "security.*" in /etc/syslog.conf is picking it
up, but I'm not sure why, if it should be coming in to 'syslogd'
as "local0.*" according to the Handbook. (Note: The output in
BOTH /var/log/security and /var/log/messages is identical)
Lastly we check 'ipmon' to be sure it's started and with the
correct options:

bash-2.05b$ ps -aux | grep "ipmon" | head -1
root  177  0.0  0.3  1856 1400  ??  Ss  5:52PM  0:00.01 ipmon -Ds

*whew* That's it, hopefully that's enough for someone to spot
my (I'm sure silly) mistake. Thanks again all...
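As an added illustration (not part of the original message), the following Python models how BSD-style syslog.conf selectors route a message. The verbose syslogd output above shows the ipmon line arriving as security.warn, so a local0.* line cannot match it, while a security.* line and the *.notice catch-all do; the second and third lines of the sample configuration are constructed here to resemble the stock FreeBSD entries, and comparison flags (=, !) are not modelled.

```python
import re

# Severity levels, most to least severe, as syslog.conf compares them.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Constructed sample: the poster's local0 line plus entries resembling the
# stock FreeBSD /etc/syslog.conf rules for /var/log/messages and /var/log/security.
SAMPLE_CONF = """\
local0.*                                /var/log/ipfilter.log
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                              /var/log/security
"""

def level_index(name):
    return LEVELS.index(ALIASES.get(name, name))

def parse_syslog_conf(text):
    """Return [(selectors, action)], each selector being (facilities, level).
    Program (!) and host (+/-) blocks are skipped rather than modelled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!+-":
            continue
        sel_part, action = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in sel_part.split(";"):
            facs, _, level = sel.partition(".")
            selectors.append((facs.split(","), level))
        rules.append((selectors, action))
    return rules

def destinations(rules, facility, priority):
    """Actions that receive a message logged as facility.priority.
    Within one line the last selector naming the facility wins, as in BSD syslogd,
    and facility.none switches that facility off for the line."""
    pri = level_index(priority)
    out = []
    for selectors, action in rules:
        matched = False
        for facs, level in selectors:
            if facility in facs or "*" in facs:
                matched = level != "none" and (level == "*" or pri <= level_index(level))
        if matched:
            out.append(action)
    return out
```

Running destinations(parse_syslog_conf(SAMPLE_CONF), "security", "warn") yields only /var/log/messages and /var/log/security, which is exactly the pair of files the poster sees filling up; the same message logged as local0.warn would reach /var/log/ipfilter.log.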
