Re: Logging and IPFW
What does 'ipfw list' show?

----- Original Message -----
From: Wayne Pascoe [EMAIL PROTECTED]
Subject: Logging and IPFW

Hi all,

We're moving from ipfilter to ipfw. Since we no longer run multiple platforms, the benefits that we used to derive from ipfilter are declining. Add to this the problems we've had when running it as a module on 5.x (as opposed to compiled into the kernel), and we've decided to move to ipfw.

I'm trying to set up logging with IPFW. I've not compiled IPFW into my kernel, but am instead using the ipfw.ko module. I have the following sysctl variables set:

net.inet.ip.fw.verbose=1
net.inet.tcp.log_in_vain=1
net.inet.udp.log_in_vain=1

However, I am still not seeing anything in /var/log/messages when I portscan the machine. The firewall appears to be working, as we receive nothing back on the portscanning machine, but I would like logging enabled.

I have the following in /etc/rc.conf:

firewall_enable=YES
firewall_script=/etc/rc.firewall
firewall_type=CLIENT
firewall_quiet=NO
firewall_logging=YES

The only place I can see firewall_logging being used is in /etc/rc.conf and that is being used to set a sysctl variable:

echo 'Firewall logging=YES'
sysctl net.inet.ip.fw.verbose=1 >/dev/null

Any ideas on what I'm doing wrong here?

Thanks in advance,

-- 
Wayne Pascoe
Look buddy, doesn't work is a strong statement. Does it sit on the couch all day? Is it making faces at you? Does it want more money? Please be specific!

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Logging and IPFW
On Tue, Sep 09, 2003 at 12:34:47PM +0100, Wayne Pascoe wrote:
> However, I am still not seeing anything in /var/log/messages when I
> portscan the machine. The firewall appears to be working, as we receive
> nothing back on the portscanning machine, but I would like logging enabled.

Have you added the 'log' keyword to your rules? e.g:

# Reject&Log all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup

The log entries will be written to /var/log/security.

-- 
John Birrell
Re: Logging and IPFW
On Tue, Sep 09, 2003 at 09:42:14PM +1000, John Birrell wrote:
> On Tue, Sep 09, 2003 at 12:34:47PM +0100, Wayne Pascoe wrote:
> > However, I am still not seeing anything in /var/log/messages when I
> > portscan the machine. The firewall appears to be working, as we receive
> > nothing back on the portscanning machine, but I would like logging enabled.
>
> Have you added the 'log' keyword to your rules? e.g:
>
> # Reject&Log all setup of incoming connections from the outside
> ${fwcmd} add deny log tcp from any to any in via ${oif} setup
>
> The log entries will be written to /var/log/security.

I tried changing the rc.firewall script so that the last line in the CLIENT section read

${fwcmd} add 65535 deny ip from any to any log

but ipfw list still just showed

65535 deny ip from any to any log

Where should that rule with the log go in the list? Before the last line? Should I add a rule before 65535 that logs things?

Thanks,

-- 
Wayne Pascoe
'tis far easier to get forgiveness than it is to get permission
- probably someone famous, but more often, my Dad.
Re: Logging and IPFW
On Tue, Sep 09, 2003 at 12:34:47PM +0100, Wayne Pascoe wrote:
> I'm trying to setup logging with IPFW. I've not compiled IPFW into my
> kernel, but am instead using the ipfw.ko module. I have the following
> sysctl variables set:
>
> net.inet.ip.fw.verbose=1
> net.inet.tcp.log_in_vain=1
> net.inet.udp.log_in_vain=1
>
> However, I am still not seeing anything in /var/log/messages when I
> portscan the machine. The firewall appears to be working, as we receive
> nothing back on the portscanning machine, but I would like logging enabled.

Try /var/log/security or /var/log/all.log if you've enabled the all.log by following the instructions in /etc/syslog.conf.

Remember too that ipfw(8) will only log a certain number of hits against a particular rule, which is a sensible measure designed to prevent a DoS against your machine by filling up the disk space logging a great flood of similar packets. That's controlled by the IPFIREWALL_VERBOSE_LIMIT option in your kernel config, or by the net.inet.ip.fw.verbose_limit sysctl. I tend to think that the example limit of 128 is too low, and bump that up to 1024.

Remember to run 'ipfw resetlog' at regular intervals to re-enable logging on any rule that has hit the limit. Just slap together a /etc/daily.local script that needn't be any more complicated than this:

#!/bin/sh
# Run from periodic(8) daily; /sbin is on PATH so ipfw is found.
PATH=/usr/bin:/bin:/sbin ; export PATH
# Zero every rule's log counter so rules that hit verbose_limit log again.
ipfw resetlog

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
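As an added example (not code from the thread or from the FreeBSD base system), the script below reads log lines of the kind ipfw writes to /var/log/security, counts denied packets per source, and flags rules whose logging has stopped because net.inet.ip.fw.verbose_limit was reached, which is exactly the condition 'ipfw resetlog' clears. The sample lines are constructed; the host name "fw", the interface fxp0, the rule numbers and the addresses are assumptions, and the kernel's "limit N reached on entry R" notice is the one ipfw emits when a rule hits the limit.

```shell
#!/bin/sh
# Added example (not code from the thread): summarise ipfw log lines of the kind
# that land in /var/log/security, and flag rules whose logging has stopped
# because net.inet.ip.fw.verbose_limit was reached (those need 'ipfw resetlog').
# All functions read log lines on stdin, so on a real host:
#     deny_by_source < /var/log/security

# Constructed sample lines; host name "fw", interface fxp0, rule numbers and the
# addresses are assumptions, not data from the thread.
SAMPLE_LOG='Sep  9 12:34:47 fw kernel: ipfw: 300 Deny TCP 192.0.2.10:51234 198.51.100.5:22 in via fxp0
Sep  9 12:34:47 fw kernel: ipfw: 300 Deny TCP 192.0.2.10:51235 198.51.100.5:23 in via fxp0
Sep  9 12:34:48 fw kernel: ipfw: 300 Deny TCP 192.0.2.10:51236 198.51.100.5:25 in via fxp0
Sep  9 12:34:48 fw kernel: ipfw: 200 Accept TCP 203.0.113.7:40001 198.51.100.5:80 in via fxp0
Sep  9 12:34:49 fw kernel: ipfw: 300 Deny UDP 192.0.2.11:53 198.51.100.5:1024 in via fxp0
Sep  9 12:34:49 fw kernel: ipfw: limit 128 reached on entry 300'

# Reduce each line to "rule action proto src dst", or "LIMIT rule" for the
# kernel's "limit N reached on entry R" notice. Fields are located relative to
# the "ipfw:" token so the syslog prefix (date, host, "kernel:") can vary.
parse_ipfw_log() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next
        if ($(i+1) == "limit") { print "LIMIT", $(i+6); next }
        print $(i+1), $(i+2), $(i+3), $(i+4), $(i+5)
    }'
}

# Denied packets per source address (port stripped), busiest first.
deny_by_source() {
    parse_ipfw_log |
        awk '$2 == "Deny" { sub(/:[0-9]+$/, "", $4); n[$4]++ }
             END { for (s in n) print n[s], s }' |
        sort -rn
}

# Just the busiest denied source, e.g. the host running the portscan.
top_denied_source() {
    deny_by_source | head -n 1 | awk '{ print $2 }'
}

# Rule numbers that have hit verbose_limit and are no longer logging.
rules_at_limit() {
    parse_ipfw_log | awk '$1 == "LIMIT" { print $2 }' | sort -un
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | deny_by_source
printf '%s\n' "$SAMPLE_LOG" | rules_at_limit |
    sed 's/^/logging stopped (run ipfw resetlog) for rule /'
```

Pointing the functions at the real file ('rules_at_limit < /var/log/security') is a cheap check to run before lowering your trust in a quiet log: a rule that shows up there has been silently dropping traffic since the limit notice, and nothing after that point is recorded until resetlog runs.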
Re: Logging and IPFW
On Tue, Sep 09, 2003 at 01:22:18PM +0100, Wayne Pascoe wrote:
> I tried changing the rc.firewall script so that the last line in the
> CLIENT section read
>
> ${fwcmd} add 65535 deny ip from any to any log
>
> but ipfw list still just showed
>
> 65535 deny ip from any to any log
>
> Where should that rule with the log go in the list? Before the last line?
> Should I add a rule before 65535 that logs things?

The first rule that matches is executed, so if you want it to log you have to add 'log' to that line (and every other line you want to log). You will soon find that logging can create huge files and that it is best used sparingly.

-- 
John Birrell
Re: Logging and IPFW
At 09:46 PM 9.9.2003 +0800, [EMAIL PROTECTED] wrote:
> just edit the rules concerned in rc.firewall to add the word log to rules
> you want logged. e.g.
> --
> ${fwcmd} add pass log tcp from any to ${oip} 80 setup
>
> and tail the /var/log/security instead of messages.

...and, for its own ipfw log, put this in your syslog.conf,

!ipfw
*.*                                             /var/log/ipfw.log

and then touch the ipfw.log file in /var/log and then restart syslogd ...then tail that file, or send yourself emails of the log

Best regards,
Jack L. Stone, Administrator
SageOne Net
http://www.sage-one.net
[EMAIL PROTECTED]
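To tie the thread's answers together, here is an added example (not the thread's rc.firewall and not FreeBSD's own script) of a small CLIENT-style rule set with 'log' placed where it has an effect: directly after the action, on the rule that actually matches the packet, and on a numbered catch-all below the reserved default rule 65535. The interface name and address are assumptions. load_rules takes the command used to install each rule, so 'load_rules ipfw' loads the set and 'load_rules "echo ipfw"' prints it as a dry run, which is what the lint function and the stand-alone run use.

```shell
#!/bin/sh
# Added example (not the thread's rc.firewall): a small CLIENT-style ipfw rule set
# with 'log' on exactly the rules whose hits are worth seeing, plus a lint that
# catches deny rules which would drop traffic silently. The interface and the
# address are assumptions. load_rules takes the command to run each rule with,
# so 'load_rules ipfw' installs the set and 'load_rules "echo ipfw"' prints it.

oif="fxp0"            # assumed outside interface
oip="198.51.100.5"    # assumed address on that interface

load_rules() {
    fwcmd="$1"
    ${fwcmd} -f flush
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny log all from any to 127.0.0.0/8
    # Let replies to connections this host opened come back in.
    ${fwcmd} add 300 check-state
    ${fwcmd} add 400 pass tcp from ${oip} to any out via ${oif} setup keep-state
    # Accepted inbound web connections are logged too: 'log' after the action,
    # on the rule that actually matches, is what produces the entry.
    ${fwcmd} add 500 pass log tcp from any to ${oip} 80 in via ${oif} setup
    # Every other inbound SYN (what a portscan generates) is denied and logged.
    ${fwcmd} add 600 deny log tcp from any to any in via ${oif} setup
    # Catch-all below the reserved default rule 65535, so it is ours to edit.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Lint: rule numbers of deny rules lacking 'log' directly after the action.
# Empty output means every drop in the set will be logged.
unlogged_denies() {
    load_rules "echo ipfw" | awk '$2 == "add" && $4 == "deny" && $5 != "log" { print $3 }'
}

# Number of the last rule loaded; must stay below 65535.
last_rule_number() {
    load_rules "echo ipfw" | awk '$2 == "add" { n = $3 } END { print n }'
}

# Stand-alone run: dry run unless FWCMD=ipfw is given in the environment.
load_rules "${FWCMD:-echo ipfw}"
```

Two caveats that follow from the other replies: ipfw logs through the LOG_SECURITY facility, which is why the default syslog.conf routes the entries to /var/log/security rather than messages; and a '!ipfw' program selector in syslog.conf applies to every line after it until a '!*' line resets it, so put the ipfw.log stanza at the end of the file or follow it with '!*'. The per-rule 'logamount' option of ipfw2 can raise or lower the limit for a single rule without changing the global verbose_limit sysctl.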