IPMON log to syslog doesn't work
Anton Shterenlikht
mexas at bristol.ac.uk
Tue Feb 26 13:22:42 UTC 2008
Hello
I'm trying to troubleshoot my ipfilter firewall, and I cannot get any
log data, i.e. /var/log/ipfilter.log is empty.
I have in my kernel
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
in /etc/rc.conf
ipfilter_enable="YES" # Start ipf firewall
ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
ipmon_enable="YES" # Start IP monitor log
ipmon_flags="-Ds" # D = start as daemon
gateway_enable="YES" # Enable as LAN gateway
ipnat_enable="YES" # Start ipnat function
ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
in /etc/syslog.conf
security.* /var/log/security
security.* /var/log/ipfilter.log
in /etc/newsyslog.conf
/var/log/security 600 10 100 * JC
/var/log/ipfilter.log 640 10 100 * C
in /etc/ipf.rules
pass in log on dc0 proto udp from any to any port = 123 keep state
pass out log on dc0 proto udp from any to any port = 123 keep state
plus many other log requests
I can run ipmon interactively and see some output, e.g.:
# ipmon
26/02/2008 13:09:45.045875 dc0 @0:20 b 137.222.187.86,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
26/02/2008 13:09:57.454559 dc0 @0:20 b 137.222.187.90,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
26/02/2008 13:10:34.105816 3x dc0 @0:20 b 137.222.187.115,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast
26/02/2008 13:10:36.451501 dc0 @0:21 b 137.222.187.162,138 -> 137.222.187.255,138 PR udp len 20 229 IN broadcast
26/02/2008 13:10:49.132426 dc0 @0:21 b 137.222.187.86,138 -> 137.222.187.255,138 PR udp len 20 229 IN broadcast
#
but nothing ever appears in the logs:
# cat /var/log/security
Jul 20 10:52:47 newsyslog[463]: logfile first created
# cat /var/log/ipfilter.log
Feb 26 00:00:00 mech-cluster238 newsyslog[21510]: logfile turned over
mech-cluster238#
What am I missing?
many thanks
anton
--
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 928 8233
Fax: +44 (0)117 929 4423
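An added example, not part of Anton's post: a small sh script that works out where syslogd would file an ipmon record under a given /etc/syslog.conf. With `-s`, ipmon hands its records to syslog under facility local0 by default, at the level ipmon(8) documents for the action letter in the record (blocked -> warning, passed -> notice, log-only -> info, short packet -> err); the script takes both of those as its assumptions and labels them as such. The first syslog.conf sample is the pair of `security.*` lines from the post; the second is a constructed configuration that selects local0, included only to show the contrast. Nothing here reads the live system.

```shell
#!/bin/sh
# Added example, not from the original post.  Two checks for the situation
# above: (1) which syslog priority ipmon -s assigns to a record it printed,
# (2) which syslog.conf destinations receive that priority.
#
# Assumptions, stated rather than verified here: ipmon's default syslog
# facility is local0, and the action letter in an ipmon record maps to the
# levels listed in ipmon(8): b/B blocked -> warning, p/P passed -> notice,
# L log-only -> info, S short packet -> err.

# Print the syslog level ipmon -s would use for one line of ipmon output.
# The action letter follows the "@group:rule" token, e.g. "... dc0 @0:20 b ...".
ipmon_level() {
    action=$(printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if ($i ~ /^@[0-9]+:[0-9]+$/) { print $(i + 1); exit } }')
    case "$action" in
        S*)     echo err ;;
        p*|P*)  echo notice ;;
        b*|B*)  echo warning ;;
        L*)     echo info ;;
        *)      echo unknown; return 1 ;;
    esac
}

# Print the syslog.conf destination(s) that receive messages of the given
# facility and level.  $1 = syslog.conf text, $2 = facility, $3 = level.
# Handles selectors of the form fac1,fac2.level;fac3.level with "*", "none"
# and "=level"; the <, > and ! comparison prefixes are not interpreted.
syslog_routes() {
    printf '%s\n' "$1" | awk -v fac="$2" -v lvl="$3" '
    BEGIN {
        # syslog(3) severities, most severe first; "fac.level" selects that
        # level and everything more severe.
        n = split("emerg alert crit err warning notice info debug", names, " ")
        for (i = 1; i <= n; i++) sev[names[i]] = i
        sev["panic"] = sev["emerg"]; sev["error"] = sev["err"]; sev["warn"] = sev["warning"]
        want = sev[lvl]
    }
    /^[ \t]*#/  { next }            # comments
    /^[ \t]*$/  { next }            # blank lines
    /^[ \t]*[!+-]/ { next }         # program and host specifications
    {
        selected = 0
        ns = split($1, sels, ";")
        for (s = 1; s <= ns; s++) {  # later selectors override earlier ones
            dot = index(sels[s], ".")
            if (dot == 0) continue
            level = substr(sels[s], dot + 1)
            nf = split(substr(sels[s], 1, dot - 1), facs, ",")
            hit = 0
            for (f = 1; f <= nf; f++)
                if (facs[f] == "*" || facs[f] == fac) hit = 1
            if (!hit) continue
            if (level == "*")                    selected = 1
            else if (level == "none")            selected = 0
            else if (substr(level, 1, 1) == "=") selected = (sev[substr(level, 2)] == want)
            else if (level in sev)               selected = (want <= sev[level])
        }
        if (selected) print $2
    }'
}

# Where syslogd would put one ipmon record under a given syslog.conf text.
ipmon_log_destinations() {
    syslog_routes "$1" local0 "$(ipmon_level "$2")"
}

# Constructed sample data: one record from the post, the two syslog.conf
# lines from the post, and a constructed syslog.conf that does select local0.
SAMPLE_IPMON_LINE='26/02/2008 13:09:45.045875 dc0 @0:20 b 137.222.187.86,137 -> 137.222.187.255,137 PR udp len 20 78 IN broadcast'
POSTED_SYSLOG_CONF=$(printf 'security.*\t/var/log/security\nsecurity.*\t/var/log/ipfilter.log\n')
LOCAL0_SYSLOG_CONF=$(printf '*.notice;local0.none\t/var/log/messages\nlocal0.*\t/var/log/ipfilter.log\n')

echo "level:  $(ipmon_level "$SAMPLE_IPMON_LINE")"                                     # warning
echo "posted: [$(ipmon_log_destinations "$POSTED_SYSLOG_CONF" "$SAMPLE_IPMON_LINE")]"  # []  nothing selects local0
echo "local0: [$(ipmon_log_destinations "$LOCAL0_SYSLOG_CONF" "$SAMPLE_IPMON_LINE")]"  # [/var/log/ipfilter.log]
```

Run against a real system with `syslog_routes "$(cat /etc/syslog.conf)" local0 warning`; an empty result for a `b` record means the blocked-packet messages ipmon is emitting are being dropped by syslogd rather than by ipmon.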
More information about the freebsd-questions mailing list