Date: Fri, 5 Dec 2008 09:25:28 -0800 (PST)
From: G magicman <gwg7webbcom@yahoo.com>
To: freebsd-questions@freebsd.org, Dean Weimer <dweimer@orscheln.com>
Subject: Re: IPFilter section in Handbook needs updating
Message-ID: <661217.76488.qm@web52202.mail.re2.yahoo.com>
In-Reply-To: <CACC65656ED5C44FBA651F3D2B99B8081A22C23A@neuman.orscheln.oi.local>
And incomplete, yes. I agree that the doc does need to be updated and (more) examples need to be added.

--- On Fri, 12/5/08, Dean Weimer <dweimer@orscheln.com> wrote:

From: Dean Weimer <dweimer@orscheln.com>
Subject: IPFilter section in Handbook needs updating
To: freebsd-questions@freebsd.org
Date: Friday, December 5, 2008, 10:07 AM

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that the ipmon and syslog information under the ipfilter section of the handbook is incorrect.

The section reads:

-----snip-----
31.5.7 IPMON Logging

Syslogd uses its own special method for segregation of log data. It uses special groupings called "facility" and "level". IPMON in -Ds mode uses security as the "facility" name. All IPMON logged data goes to security. The following levels can be used to further segregate the logged data if desired:

LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short

To set up IPFILTER to log all data to /var/log/ipfilter.log, you will need to create the file. The following command will do that:

# touch /var/log/ipfilter.log

The syslog function is controlled by definition statements in the /etc/syslog.conf file. The syslog.conf file offers considerable flexibility in how syslog will deal with system messages issued by software applications like IPF.

Add the following statement to /etc/syslog.conf:

security.* /var/log/ipfilter.log

The security.* means to write all the logged messages to the coded file location.

To activate the changes to /etc/syslog.conf you can reboot or bump the syslog task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload

Do not forget to change /etc/newsyslog.conf to rotate the new log you just created above.
-----snip-----

In trying to configure this I found that ipmon -Dsa doesn't log to security, but logs to local0 instead. Reading the man page for ipmon does in fact state this. However, it also lists the -L option as being able to change this default behavior. I tried ipmon -DSa -L security; it accepts this, but doesn't actually change the logging to use security. It still only outputs to the syslog using local0. I also tried using ipmon -DSa -L local7 as well, still outputs to local0.

It was easy enough to modify my syslog.conf to output the local0.* as well as security.* to the /var/log/security file. However, it would be greatly appreciated if someone that actually understands what's going on here could get this info updated. It would have saved me some time, as well as I am sure some other people in the future. Of course it's always possible I am missing something simple here that is causing this discrepancy, please do inform me if I did.

It's probably worth mentioning that I am starting ipmon using the rc.conf file with ipmon_enable="YES" and ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script actually changes the default behavior of ipmon in some way, though I didn't see anything in it that should. And ps wwaux | grep ipmon does display the process running with the flags exactly as stated on the ipmon_flags line of the /etc/rc.conf file.

Thanks,
    Dean Weimer
    Network Administrator
    Orscheln Management Co

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?661217.76488.qm>
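The facility mismatch described in the thread (the Handbook says "security.*", ipmon -Ds actually emits to local0) can be checked offline before a live /etc/syslog.conf is edited. What follows is an added example, not from the Handbook and not code posted by either participant: a small POSIX sh model of how syslogd(8) matches syslog.conf selectors, run over the Handbook's "security.*" line and over a "local0.*" line. It assumes, as ipmon(8) documents and Dean observed, that ipmon -Ds logs to the local0 facility, and it uses the four levels the Handbook lists (info for "log"-action packets, notice for logged+passed, warning for logged+blocked, err for short packets). The config text, the log file names and the function names are constructed for the example; the model covers comma-joined facility lists, ';'-joined selectors, "none" and "=level", and does not model !program or +host blocks.

```shell
#!/bin/sh
# Added example: a model of syslogd(8) selector matching, used to predict
# where ipmon(8) messages land. Assumption: "ipmon -Ds" logs to facility
# local0 (its documented default), at the levels the Handbook lists.

# syslog(3) severity numbers: lower is more severe.
level_num() {
    case "$1" in
        emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo 99 ;;
    esac
}

# facility_listed FACLIST FACILITY: FACLIST is "*" or a comma-joined list.
facility_listed() {
    case ",$1," in
        *",*,"*|*",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# level_passes SELLEVEL LEVEL: a bare level means "this level or more severe",
# "*" means every level, "none" means nothing, "=level" means exactly that level.
level_passes() {
    case "$1" in
        '*') return 0 ;;
        none) return 1 ;;
        =*) [ "${1#=}" = "$2" ] ;;
        *) [ "$(level_num "$2")" -le "$(level_num "$1")" ] ;;
    esac
}

# route_message CONF FACILITY LEVEL: prints the target of every syslog.conf
# line that would receive a FACILITY.LEVEL message. Within one line the last
# selector naming the facility wins, so "*.*;local0.none" excludes local0.
route_message() {
    conf=$1; fac=$2; lvl=$3
    printf '%s\n' "$conf" | while read -r selector target; do
        case "$selector" in ''|'#'*) continue ;; esac
        save_ifs=$IFS; IFS=';'
        set -f; set -- $selector; set +f     # split on ';' without globbing "*"
        IFS=$save_ifs
        matched=0
        for one in "$@"; do
            if facility_listed "${one%.*}" "$fac"; then
                if level_passes "${one##*.}" "$lvl"; then matched=1; else matched=0; fi
            fi
        done
        if [ "$matched" = 1 ]; then printf '%s\n' "$target"; fi
    done
}

# The Handbook's selector versus one that names ipmon's real facility.
# Both config lines are constructed for this example.
HANDBOOK_CONF='security.*    /var/log/ipfilter.log'
FIXED_CONF='local0.*      /var/log/ipfilter.log'

# ipmon_targets CONF LEVEL: where an ipmon message at local0.LEVEL goes under
# CONF, or "(dropped)" when no line selects it.
ipmon_targets() {
    out=$(route_message "$1" local0 "$2" | tr '\n' ' ')
    out=${out% }
    if [ -n "$out" ]; then printf '%s' "$out"; else printf '(dropped)'; fi
}

for lvl in info notice warning err; do
    printf 'ipmon local0.%-7s  security.* -> %-22s  local0.* -> %s\n' "$lvl" \
        "$(ipmon_targets "$HANDBOOK_CONF" "$lvl")" "$(ipmon_targets "$FIXED_CONF" "$lvl")"
done
```

Run as-is, every ipmon level comes out "(dropped)" under the Handbook's security.* line and lands in /var/log/ipfilter.log under local0.*, which is the behaviour Dean saw on his FreeBSD 7 box. Passing the real /etc/syslog.conf contents to route_message (for example with "$(cat /etc/syslog.conf)") gives the same prediction for an existing configuration, including lines such as "*.*;local0.none" that silently exclude the facility.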