IPFilter section in Handbook needs updating

2008-12-05 Thread Dean Weimer
I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and noticed 
that the ipmon and syslog information under the ipfilter section of the 
handbook is incorrect.

The section reads:
-snip-
31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses 
special groupings called "facility" and "level". IPMON in -Ds mode uses 
security as the "facility" name. All IPMON logged data goes to security. The 
following levels can be used to further segregate the logged data if desired:
LOG_INFO - packets logged using the "log" keyword as the action rather than 
pass or block.
LOG_NOTICE - packets logged which are also passed
LOG_WARNING - packets logged which are also blocked
LOG_ERR - packets which have been logged and which can be considered short
To set up IPFILTER to log all data to /var/log/ipfilter.log, you will need to 
create the file. The following command will do that:
# touch /var/log/ipfilter.log
The syslog function is controlled by definition statements in the 
/etc/syslog.conf file. The syslog.conf file offers considerable flexibility in 
how syslog will deal with system messages issued by software applications like 
IPF.
Add the following statement to /etc/syslog.conf:
security.* /var/log/ipfilter.log
The security.* means to write all the logged messages to the coded file 
location.
To activate the changes to /etc/syslog.conf you can reboot or bump the syslog 
task into re-reading /etc/syslog.conf by running /etc/rc.d/syslogd reload
Do not forget to change /etc/newsyslog.conf to rotate the new log you just 
created above.
-snip-

In trying to configure this I found that ipmon -Dsa doesn't log to security, 
but logs to local0 instead.  Reading the man page for ipmon does in fact state 
this.  However, it also lists the -L option as being able to change this default 
behavior. I tried ipmon -DSa -L security; it accepts this, but doesn't actually 
change the logging to use security.  It still only outputs to the syslog using 
local0. I also tried using ipmon -DSa -L local7 as well, still outputs to 
local0.  It was easy enough to modify my syslog.conf to output the local0.* as 
well as security.* to the /var/log/security file.  However, it would be greatly 
appreciated if someone that actually understands what's going on here could get 
this info updated.  It would have saved me some time, as well as, I am sure, some 
other people in the future.  Of course it's always possible I am missing 
something simple here that is causing this discrepancy; please do inform me if 
I did.  It's probably worth mentioning that I am starting ipmon using the 
rc.conf file with ipmon_enable="YES" and ipmon_flags="-DSa", just in case the 
/etc/rc.d/ipmon script actually changes the default behavior of ipmon in some 
way, though I didn't see anything in it that should.  And ps wwaux | grep ipmon 
does display the process running with the flags exactly as stated on the 
ipmon_flags line of the /etc/rc.conf file.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: IPFilter section in Handbook needs updating

2008-12-05 Thread Chris


On Dec 5, 2008, at 7:07 AM, Dean Weimer wrote:

I was just setting up ipfilter and ipmon on a FreeBSD 7 server, and  
noticed that the ipmon and syslog information under the ipfilter  
section of the handbook is incorrect.



A couple of years back, I submitted a one-liner to some email
address of a documentation maintainer. I just looked on the
site and couldn't find this address. Instead, it suggested
putting in a PR if you have a change. It sounds like you
should create a diff of the current wording and your recommended
change.

Here is where I was looking:
http://www.freebsd.org/docproj/submitting.html




Re: IPFilter section in Handbook needs updating

2008-12-05 Thread G magicman

And incomplete. Yes, I agree that the doc does need to be updated and (more) 
examples need to be added.

--- On Fri, 12/5/08, Dean Weimer <[EMAIL PROTECTED]> wrote:
From: Dean Weimer <[EMAIL PROTECTED]>
Subject: IPFilter section in Handbook needs updating
To: freebsd-questions@freebsd.org
Date: Friday, December 5, 2008, 10:07 AM



Re: IPFilter section in Handbook needs updating

2008-12-06 Thread Fbsd1

I wrote that whole firewall handbook section. How is the following for a 
complete replacement of the 31.5.7 IPMON Logging section?


31.5.7 IPMON Logging
Syslogd uses its own special method for segregation of log data. It uses 
special groupings called 'facility' and 'level'. IPMON in -Ds mode uses 
local0 as the 'facility' name. All IPMON logged data goes to local0.
You have to manually configure the /etc/syslog.conf file by adding the 
statements to direct the local0 'facility' to the log file name 
recording the log records. FBSD keeps all of its syslog files in the 
/var/log/ directory.


First allocate the new named log file for the IPMON logged data.

touch /var/log/ipfilter.log # will allocate the file

The syslog function is controlled by definition statements in the 
/etc/syslog.conf file.

You will have to edit the /etc/syslog.conf file.

Add the following statement to syslog.conf:

local0.* /var/log/ipfilter.log

The local0.* means to write all the logged messages to the coded file 
location.
To activate the changes to /etc/syslog.conf you can reboot or bump the 
syslog task into re-reading /etc/syslog.conf by kill -HUP pid. You get 
the pid (i.e. process number) by listing the tasks with the ps ax 
command. Find syslog in the display and the pid number is the number in 
the left column.
Don't forget to change /etc/newsyslog.conf to rotate the new named 
IPFILTER log you just created above.
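
Added example for this thread (not code from the handbook, syslogd, or ipmon): a small model of syslog.conf(5) selector matching that shows why the handbook's security.* line never received ipmon's local0 records, and how the LOG_WARNING level the handbook lists for blocked packets can be copied to a second file. The /var/log/ipfilter-blocked.log path is a constructed name for illustration; program (!prog) and host (+host/-host) specification lines are deliberately not modelled.

```python
"""syslog.conf(5) selector matching, to see where ipmon records land.

Added example for this thread, not code from the handbook, syslogd or
ipmon. Rules modelled: 'facility.level' matches that level and anything
more severe, '=level' exactly one level, '*' everything, 'none' excludes
a facility, and ';'-joined selectors share one action. Program (!prog)
and host (+host/-host) lines are skipped for simplicity.
"""

# syslog severities, most severe first (the priority order syslogd uses)
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The handbook line Dean found not to work, and the corrected local0 line.
HANDBOOK_OLD = "security.*\t/var/log/ipfilter.log\n"
HANDBOOK_FIXED = "local0.*\t/var/log/ipfilter.log\n"
# Constructed example: keep every ipmon record, and also copy LOG_WARNING
# (blocked packet) and LOG_ERR (short packet) records to a second file.
SPLIT_BY_LEVEL = (
    "local0.*\t\t/var/log/ipfilter.log\n"
    "local0.warning\t/var/log/ipfilter-blocked.log\n"   # constructed path
)


def _matches(selector, facility, level):
    """Apply one 'facilities.level' selector; True/False when it mentions
    the facility, None when it says nothing about that facility."""
    facs, _, lvl = selector.rpartition(".")
    if facs != "*" and facility not in facs.split(","):
        return None
    if lvl == "none":
        return False
    if lvl == "*":
        return True
    wanted = lvl[1:] if lvl.startswith("=") else lvl
    if wanted not in LEVELS or level not in LEVELS:
        raise ValueError("unknown syslog level in %r / %r" % (selector, level))
    if lvl.startswith("="):
        return level == wanted
    return LEVELS.index(level) <= LEVELS.index(wanted)  # at least as severe


def route(conf_text, facility, level):
    """Return the actions (log file paths) that receive a message logged
    with the given facility and level under this syslog.conf text."""
    targets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in "!+-":      # comment, blank, prog/host spec
            continue
        selectors, action = line.split(None, 1)
        decision = None
        for sel in selectors.split(";"):
            verdict = _matches(sel, facility, level)
            if verdict is not None:
                decision = verdict            # later selectors override earlier
        if decision:
            targets.append(action.strip())
    return targets


if __name__ == "__main__":
    # An ipmon -Ds record for a blocked packet is logged at local0.warning.
    print("handbook line :", route(HANDBOOK_OLD, "local0", "warning"))    # []
    print("corrected line:", route(HANDBOOK_FIXED, "local0", "warning"))
    print("split config  :", route(SPLIT_BY_LEVEL, "local0", "warning"))
```

Run it as a script to see the three cases, or call route() with your own syslog.conf text to check a rule before reloading syslogd.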



RE: IPFilter section in Handbook needs updating

2008-12-08 Thread Dean Weimer
First, thanks for your work on writing the section in the handbook, it's greatly 
appreciated.  The updates about ipmon logging to local0 look good.  Not 
sure whether or not you want to change the bumping of syslogd using the ps and 
kill commands, as /etc/rc.d/syslogd reload does work, and would be easier for 
someone that is just learning how everything works.

Thanks,
 Dean Weimer
 Network Administrator
 Orscheln Management Co

-Original Message-
From: Fbsd1 [mailto:[EMAIL PROTECTED] 
Sent: Saturday, December 06, 2008 9:05 PM
To: [EMAIL PROTECTED]
Cc: freebsd-questions@freebsd.org; Dean Weimer
Subject: Re: IPFilter section in Handbook needs updating
