IPFilter section in Handbook needs updating

G magicman gwg7webbcom at yahoo.com
Fri Dec 5 09:25:29 PST 2008

And incomplete yes i agree that the doc does need to be updated and examples (more) need to be added.

--- On Fri, 12/5/08, Dean Weimer <dweimer at orscheln.com> wrote:
From: Dean Weimer <dweimer at orscheln.com>
Subject: IPFilter section in Handbook needs updating
To: freebsd-questions at freebsd.org
Date: Friday, December 5, 2008, 10:07 AM

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed that
the ipmon and syslog information under the ipfilter section of the handbook is

The section reads:
31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses
special groupings called "facility" and "level". IPMON in
-Ds mode uses security as the "facility" name. All IPMON logged data
goes to security The following levels can be used to further segregate the
logged data if desired:
LOG_INFO - packets logged using the "log" keyword as the action
rather than pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short
To setup IPFILTER to log all data to /var/log/ipfilter.log, you will need to
create the file. The following command will do that:
# touch /var/log/ipfilter.log
The syslog function is controlled by definition statements in the
/etc/syslog.conf file. The syslog.conf file offers considerable flexibility in
how syslog will deal with system messages issued by software applications like
Add the following statement to /etc/syslog.conf:
security.* /var/log/ipfilter.log
The security.* means to write all the logged messages to the coded file
To activate the changes to /etc/syslog.conf you can reboot or bump the syslog
task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
Do not forget to change /etc/newsyslog.conf to rotate the new log you just
created above.

In trying to configure this I found that ipmon -Dsa doesn't log to
security, but logs to local0 instead.  Reading the man page for ipmon does in
fact state this.  However it also list the -L option as being able to change
this default behavior, I tried ipmon -DSa -L security, it excepts this, but
doesn't actually change the logging to use security.  It still only outputs
to the syslog using local0, I also tried using ipmon -DSa -L local7 as well,
still outputs to local0.  It was easy enough to modify my syslog.conf to output
the local0.* as well as security.* to the /var/log/security file.  However it
would be greatly appreciated if someone that actually understands what's
going on here could get this info updated.  It would have saved me some time, as
well as I am sure some other people in the future.  Of course it's always
possible I am missing something simple here that is causing this discrepancy,
please do inform me if I did.  It's probably worth mentioning that I am
starting ipmon using the rc.conf file with ipmon_enable="YES" and
ipmon_flags="-DSa", just in case the /etc/rc.d/ipmon script actually
changes the default behavior of ipmon in some way, though I didn't see
anything in it that should.  And ps wwaux | grep ipmon does display the process
running with the flags exactly as stated on the ipmon_flags line of the
/etc/rc.conf file.

     Dean Weimer
     Network Administrator
     Orscheln Management Co

freebsd-questions at freebsd.org mailing list
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"


More information about the freebsd-questions mailing list