IPFilter section in Handbook needs updating

Fri Dec 5 08:07:37 PST 2008

On Dec 5, 2008, at 7:07 AM, Dean Weimer wrote:

> I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and  
> noticed that the ipmon and syslog information under the ipfilter  
> section of the handbook is incorrect.
>
A couple of years back, I submitted a one liner to some email
address of a documentation maintainer. I just looked on the
site and couldn't find this address. Instead, it said if you have
a change, it suggested putting in a PR. It sounds like it you
should create a diff of the current wording and your recommended
change.

Here is where I was looking:
http://www.freebsd.org/docproj/submitting.html

> The section reads:
> -----snip-----
> 31.5.7 IPMON Logging
> Syslogd uses its own special method for segregation of log data. It  
> uses special groupings called "facility" and "level". IPMON in -Ds  
> mode uses security as the "facility" name. All IPMON logged data  
> goes to security The following levels can be used to further  
> segregate the logged data if desired:
> LOG_INFO - packets logged using the "log" keyword as the action  
> rather than pass or block.
> LOG_NOTICE - packets logged which are also passed
> LOG_WARNING - packets logged which are also blocked
> LOG_ERR - packets which have been logged and which can be  
> considered short
> To setup IPFILTER to log all data to /var/log/ipfilter.log, you  
> will need to create the file. The following command will do that:
> # touch /var/log/ipfilter.log
> The syslog function is controlled by definition statements in the / 
> etc/syslog.conf file. The syslog.conf file offers considerable  
> flexibility in how syslog will deal with system messages issued by  
> software applications like IPF.
> Add the following statement to /etc/syslog.conf:
> security.* /var/log/ipfilter.log
> The security.* means to write all the logged messages to the coded  
> file location.
> To activate the changes to /etc/syslog.conf you can reboot or bump  
> the syslog task into re-reading /etc/syslog.conf by running /etc/ 
> rc.d/syslogd reload
> Do not forget to change /etc/newsyslog.conf to rotate the new log  
> you just created above.
> -----snip-----
>
> In trying to configure this I found that ipmon -Dsa doesn't log to  
> security, but logs to local0 instead.  Reading the man page for  
> ipmon does in fact state this.  However it also list the -L option  
> as being able to change this default behavior, I tried ipmon -DSa - 
> L security, it excepts this, but doesn't actually change the  
> logging to use security.  It still only outputs to the syslog using  
> local0, I also tried using ipmon -DSa -L local7 as well, still  
> outputs to local0.  It was easy enough to modify my syslog.conf to  
> output the local0.* as well as security.* to the /var/log/security  
> file.  However it would be greatly appreciated if someone that  
> actually understands what's going on here could get this info  
> updated.  It would have saved me some time, as well as I am sure  
> some other people in the future.  Of course it's always possible I  
> am missing something simple here that is causing this discrepancy,  
> please do inform me if I did.  It's probably worth mentioning that  
> I am starting ipmon using the rc.conf file with ipmon_enable="YES"  
> and ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script  
> actually changes the default behavior of ipmon in some way, though  
> I didn't see anything in it that should.  And ps wwaux | grep ipmon  
> does display the process running with the flags exactly as stated  
> on the ipmon_flags line of the /etc/rc.conf file.
>
> Thanks,
>      Dean Weimer
>      Network Administrator
>      Orscheln Management Co
>
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions- 
> unsubscribe at freebsd.org"
>