Date:      Tue, 26 Feb 2008 13:20:32 +0000
From:      Anton Shterenlikht <mexas@bristol.ac.uk>
To:        freebsd-questions@freebsd.org
Subject:   IPMON log to syslog doesn't work
Message-ID:  <20080226132032.GA86468@mech-aslap33.men.bris.ac.uk>

Hello

I'm trying to troubleshoot my ipfilter firewall, and I cannot get any
log data, i.e. /var/log/ipfilter.log is empty.

I have in my kernel
	options IPFILTER
	options IPFILTER_LOG
	options IPFILTER_DEFAULT_BLOCK

in /etc/rc.conf
	ipfilter_enable="YES"             # Start ipf firewall
	ipfilter_rules="/etc/ipf.rules"   # loads rules definition text file
	ipmon_enable="YES"                # Start IP monitor log
	ipmon_flags="-Ds"                 # D = start as daemon

	gateway_enable="YES"              # Enable as LAN gateway
	ipnat_enable="YES"                # Start ipnat function
	ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat

in /etc/syslogd.conf
	security.*      /var/log/security
	security.*      /var/log/ipfilter.log

in /etc/newsyslog.conf
	/var/log/security           600  10    100  *     JC
	/var/log/ipfilter.log       640  10    100  *      C

in /etc/ipf.rules
	pass in  log on dc0 proto udp from any to any port = 123 keep state
	pass out log on dc0 proto udp from any to any port = 123 keep state
plus many other log requests


I can run ipmon interactively and see some output, e.g.:
# ipmon
26/02/2008 13:09:45.045875 dc0 @0:20 b 137.222.187.86,137 -> 137.222.187.255,137
 PR udp len 20 78 IN broadcast
26/02/2008 13:09:57.454559 dc0 @0:20 b 137.222.187.90,137 -> 137.222.187.255,137
 PR udp len 20 78 IN broadcast
26/02/2008 13:10:34.105816 3x dc0 @0:20 b 137.222.187.115,137 -> 137.222.187.255
,137 PR udp len 20 78 IN broadcast
26/02/2008 13:10:36.451501 dc0 @0:21 b 137.222.187.162,138 -> 137.222.187.255,13
8 PR udp len 20 229 IN broadcast
26/02/2008 13:10:49.132426 dc0 @0:21 b 137.222.187.86,138 -> 137.222.187.255,138
 PR udp len 20 229 IN broadcast
#

but nothing ever appears in the logs:
# cat /var/log/security
Jul 20 10:52:47  newsyslog[463]: logfile first created
# cat /var/log/ipfilter.log
Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
mech-cluster238#

What am I missing?

many thanks
anton

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233 
Fax: +44 (0)117 929 4423
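The interactive ipmon output quoted above has a fixed token layout: timestamp, an optional "Nx" repeat count, interface, "@group:rule", a one-letter action ("b" for blocked), "src,port -> dst,port", "PR proto", "len hdrlen pktlen", direction and trailing flags. Once the syslog side is wired up, the same records land in the log file, and the practical check on a rule set is to parse them and see which rules are firing and how often. The Python below is an added example, not code from the post or from the FreeBSD ipfilter tools: it re-joins records that an 80-column terminal wrapped mid-token (as in the quoted output), parses each record, and tallies blocked packets per rule, honouring the repeat prefix. The sample input is constructed from the post's own lines, and the field names are assumptions taken from the visible tokens.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Constructed sample: ipmon records in the format shown in the post, including
# lines wrapped by an 80-column terminal (a wrap can fall in the middle of a
# token, e.g. "...255" / ",137" and ",13" / "8 PR").
SAMPLE_IPMON = """\
26/02/2008 13:09:45.045875 dc0 @0:20 b 137.222.187.86,137 -> 137.222.187.255,137
 PR udp len 20 78 IN broadcast
26/02/2008 13:10:34.105816 3x dc0 @0:20 b 137.222.187.115,137 -> 137.222.187.255
,137 PR udp len 20 78 IN broadcast
26/02/2008 13:10:36.451501 dc0 @0:21 b 137.222.187.162,138 -> 137.222.187.255,13
8 PR udp len 20 229 IN broadcast
"""


@dataclass
class IpmonRecord:
    """One ipmon record. Field names are assumed from the visible tokens:
    "@group:rule", the action letter ("b" = blocked, "p" = passed),
    "PR <proto>", "len <hdrlen> <pktlen>" and the IN/OUT direction."""
    timestamp: str
    repeat: int        # the "Nx" prefix; 1 when absent
    ifname: str
    group: int
    rule: int
    action: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    hdr_len: int
    pkt_len: int
    direction: str
    flags: str         # whatever follows IN/OUT, e.g. "broadcast"


_START_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+ ")
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+)"
    r"(?: (?P<repeat>\d+)x)?"
    r" (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S)"
    r" (?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+)"
    r" PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<plen>\d+) (?P<dir>IN|OUT)"
    r"(?P<flags>.*)$"
)


def unwrap(lines: Iterable[str]) -> Iterator[str]:
    """Re-join records wrapped by the terminal. A line that does not start
    with an ipmon timestamp continues the previous record; it is appended
    verbatim (no space inserted) because the wrap may split a token."""
    buf: Optional[str] = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        if _START_RE.match(line):
            if buf is not None:
                yield buf
            buf = line
        elif buf is not None:
            buf += line
    if buf is not None:
        yield buf


def parse_line(line: str) -> Optional[IpmonRecord]:
    """Parse one unwrapped record; None if it does not match the layout."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    return IpmonRecord(
        timestamp=m["ts"], repeat=int(m["repeat"] or 1), ifname=m["ifname"],
        group=int(m["group"]), rule=int(m["rule"]), action=m["action"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], hdr_len=int(m["hlen"]), pkt_len=int(m["plen"]),
        direction=m["dir"], flags=m["flags"].strip(),
    )


def parse_ipmon(text: str) -> List[IpmonRecord]:
    """Unwrap and parse a block of ipmon output, skipping unparseable lines."""
    return [r for r in (parse_line(l) for l in unwrap(text.splitlines())) if r]


def blocked_by_rule(records: Iterable[IpmonRecord]) -> Counter:
    """Count blocked packets per (group, rule), weighting by the repeat
    prefix, so a noisy rule is visible at a glance when checking a rule set."""
    counts: Counter = Counter()
    for r in records:
        if r.action == "b":
            counts[(r.group, r.rule)] += r.repeat
    return counts


if __name__ == "__main__":
    recs = parse_ipmon(SAMPLE_IPMON)
    for (group, rule), n in sorted(blocked_by_rule(recs).items()):
        print(f"rule @{group}:{rule} blocked {n} packet(s)")
```

Feeding the file instead of the embedded sample is a matter of passing `open("/var/log/ipfilter.log").read()` to `parse_ipmon`; records written by syslogd carry a syslog prefix in front of the ipmon timestamp, so `_START_RE` and `_LINE_RE` would need that prefix added before the date if the log is read directly rather than ipmon's own output.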