ipfilter question

[Parv]

in message <20051213164227.0cb04489.europa100 at comcast.net>,
wrote Rob Lytle thusly...
>
> 
> 
> > > Here's my setup:
...
> > > in /etc/syslog.conf
> > 
> > yes, there is no other security.* facility, actually i got it
> > working

Please keep the attribution & attribute the respective authors.


> I have the problem that ipmon logs to /var/log/messages and nothing
> goes to /var/log/ipf.log.  Even after using the info in this thread.
> I am using local0 as was suggested for FreeBSD 6.0.  Earlier I was
> using security.* which didn't work either.  I suppose that at the
> least, I need to remove something from the /var/log/messages line.
> 
...
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
> local0.*					/var/log/ipf.log

Like "authpriv.none" to stop auth messages going into
"/var/log/messages", you will need to add "local0.none" (or replace
"local0" w/ whatever the actual facility is used) after "*.notice;".

According to ipmon(8) on 5.4, passed & logged packets are logged w/
level of 'notice'. So you should be seeing only the passed packets in
'/var/log/messages'.  Rest of the messages, will go wherever
(local0|security|*).(info|warn|err) messages go.


Or, you could ...

  - give a file name to ipmon(8) to log messages in
  - remove the "-s" option to not to log via syslogd(8)
  - put the <ipmon facility>.none, in "/etc/syslog.cong", to avoid
    other files receiving ipf messages.
  - adjust /etc/newsyslog.conf to properly rotate the ipmon log
    files.


Don't forget to read up on syslog.conf(5), newsyslog.conf(5),
and ipmon(8) in any case.


  - Parv

--