Re: ipfilter question
On 12/13/05, Elmer Rivera [EMAIL PROTECTED] wrote:
> hello,

Hello,

> my freebsd box is already setup and followed some of the docs on setting up
> the firewall using ipfilter. question on logging.
>
> setup /var/log/ipfilter.log as my log file.

How/where did you set this up?

> modified syslog.conf.

How did you modify this?

> it's working now unfortunately, it's logging on that file AND to my messages
> log file. is it possible to log ipfilter log only to my log file?

Yes, it is possible.

Here's my setup:

/etc/rc.conf
ipmon_enable=YES
ipmon_flags=-Dns

/etc/syslog.conf
security.*    /var/log/ipfilter.log

Make sure you don't have any other security.* facility specified in
/etc/syslog.conf

> thanks
> --
> Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph

Hope this helps,

--
Pietro Cerutti
[EMAIL PROTECTED]

Beansidhe - SwiSS Death / Thrash Metal
www.beansidhe.ch

Windows: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: ipfilter question
In FBSD 4.11 and older, ipfilter logged to local0.
Then in 5.4 it was changed to security.
Now in 6.0 it has reverted back to logging to local0.

The /etc/syslog.conf file is where you define the log files.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Pietro Cerutti
Sent: Tuesday, December 13, 2005 7:39 AM
To: Elmer Rivera; FreeBSD
Subject: Re: ipfilter question

On 12/13/05, Elmer Rivera [EMAIL PROTECTED] wrote:
> hello,

Hello,

> my freebsd box is already setup and followed some of the docs on setting up
> the firewall using ipfilter. question on logging.
>
> setup /var/log/ipfilter.log as my log file.

How/where did you set this up?

> modified syslog.conf.

How did you modify this?

> it's working now unfortunately, it's logging on that file AND to my messages
> log file. is it possible to log ipfilter log only to my log file?

Yes, it is possible.

Here's my setup:

/etc/rc.conf
ipmon_enable=YES
ipmon_flags=-Dns

/etc/syslog.conf
security.*    /var/log/ipfilter.log

Make sure you don't have any other security.* facility specified in
/etc/syslog.conf

> thanks
> --
> Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph

Hope this helps,

--
Pietro Cerutti
[EMAIL PROTECTED]

Beansidhe - SwiSS Death / Thrash Metal
www.beansidhe.ch

Windows: Where do you want to go today?
Linux: Where do you want to go tomorrow?
FreeBSD: Are you guys coming or what?
Re: ipfilter question
# uname -a
FreeBSD hcggw1.hcg.com.ph 5.4-RELEASE-p8 FreeBSD 5.4-RELEASE-p8 #0: Sat Dec 10 09:49:16 PHT 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/HCGGW1 i386

> > setup /var/log/ipfilter.log as my log file.
>
> How/where did you set this up?

# touch /var/log/ipfilter.log

> > modified syslog.conf.
>
> How did you modify this?

# vi /etc/syslog.conf

commented out old security.* and inserted a new line pointing to the file above.

--
# Consult the syslog.conf(5) manpage.
*.err;kern.warning;auth.notice;mail.crit    /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages
security.*    /var/log/ipfilter.log
#security.*    /var/log/security
auth.info;authpriv.info    /var/log/auth.log
mail.info    /var/log/maillog
--

> > it's working now unfortunately, it's logging on that file AND to my messages
> > log file. is it possible to log ipfilter log only to my log file?
>
> Yes, it is possible.

# cat /etc/rc.conf
--
ipfilter_enable=YES
ipnat_enable=YES
ipmon_enable=YES
ipmon_flags=-Dsn
--

> Here's my setup:
>
> /etc/rc.conf
> ipmon_enable=YES
> ipmon_flags=-Dns
>
> /etc/syslog.conf
> security.*    /var/log/ipfilter.log
>
> Make sure you don't have any other security.* facility specified in
> /etc/syslog.conf

yes, there is no other security.* facility, actually i got it working to log
on my file (/var/log/ipfilter.log) but it also logs on /var/log/messages. I
only want to log on my file.

> > thanks
> > --
> > Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph
>
> Hope this helps,
>
> --
> Pietro Cerutti
> [EMAIL PROTECTED]
>
> Beansidhe - SwiSS Death / Thrash Metal
> www.beansidhe.ch
>
> Windows: Where do you want to go today?
> Linux: Where do you want to go tomorrow?
> FreeBSD: Are you guys coming or what?

regards
--
Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph
Re: ipfilter question
> > Here's my setup:
> >
> > /etc/rc.conf
> > ipmon_enable=YES
> > ipmon_flags=-Dns
> >
> > /etc/syslog.conf
> > security.*    /var/log/ipfilter.log
> >
> > Make sure you don't have any other security.* facility specified in
> > /etc/syslog.conf
>
> yes, there is no other security.* facility, actually i got it working to log
> on my file (/var/log/ipfilter.log) but it also logs on /var/log/messages. I
> only want to log on my file.
>
> thanks
> --
> Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph

I have the problem that ipmon logs to /var/log/messages and nothing goes to
/var/log/ipf.log. Even after using the info in this thread. I am using local0
as was suggested for FreeBSD 6.0. Earlier I was using security.* which didn't
work either. I suppose that at the least, I need to remove something from the
/var/log/messages line.

Here is my syslog.conf:

*.err;kern.warning;auth.notice;mail.crit    /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages
local0.*    /var/log/ipf.log
auth.info;authpriv.info    /var/log/auth.log
mail.info    /var/log/maillog
lpr.info    /var/log/lpd-errs
ftp.info    /var/log/xferlog
cron.*    /var/log/cron
*.=debug    /var/log/debug.log

Thanks, Rob.

--
http://home.comcast.net/~europa100
A SETI-like Search for Intelligent Life in Central Pa.
Re: ipfilter question
in message [EMAIL PROTECTED], wrote Rob Lytle thusly...
>
> > Here's my setup:
> ...
> > in /etc/syslog.conf
>
> yes, there is no other security.* facility, actually i got it working

Please keep the attributions of the respective authors.

> I have the problem that ipmon logs to /var/log/messages and nothing goes to
> /var/log/ipf.log. Even after using the info in this thread. I am using local0
> as was suggested for FreeBSD 6.0. Earlier I was using security.* which didn't
> work either. I suppose that at the least, I need to remove something from the
> /var/log/messages line.
...
> *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err    /var/log/messages
> local0.*    /var/log/ipf.log

Like authpriv.none to stop auth messages going into /var/log/messages, you
will need to add local0.none (or replace local0 w/ whatever the actual
facility is used) after *.notice;.

According to ipmon(8) on 5.4, passed logged packets are logged w/ level of
'notice'. So you should be seeing only the passed packets in
'/var/log/messages'. Rest of the messages will go wherever
(local0|security|*).(info|warn|err) messages go.

Or, you could ...

  - give a file name to ipmon(8) to log messages in

  - remove the -s option to not log via syslogd(8)

  - put the ipmon facility.none in /etc/syslog.conf, to avoid other
    files receiving ipf messages.

  - adjust /etc/newsyslog.conf to properly rotate the ipmon log files.

Don't forget to read up on syslog.conf(5), newsyslog.conf(5), and ipmon(8) in
any case.

  - Parv

--
Re: ipfilter question
Got it working. forgot to add security.none after *.notice;

Thanks guys...

--
Elmer Rivera, http://www.vizcayano.com, http://youand.i.ph
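Added example (not part of any message in the thread): a small Python model of syslog.conf(5) selector matching, run over the syslog.conf lines quoted above, showing why security.notice messages from ipmon reach both files and why adding security.none after *.notice; stops the copy to /var/log/messages. The function names and the simplified matching rules (plain levels, =level, * and none only) are assumptions of this sketch, not syslogd's own code.

```python
# Added example: a minimal model of syslog.conf(5) selector matching.
# Only plain levels, "=level", "*" and "none" are modelled.
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def selector_matches(selector, facility, level):
    """Walk the ';'-separated fields; the last field naming the facility wins."""
    matched = False
    for field in selector.split(";"):
        facs, _, lvl = field.partition(".")
        if facs != "*" and facility not in facs.split(","):
            continue
        if lvl == "none":
            matched = False
        elif lvl == "*":
            matched = True
        elif lvl.startswith("="):
            matched = level == lvl[1:]
        else:  # "facility.level" means that level or anything more severe
            matched = LEVELS.index(level) <= LEVELS.index(lvl)
    return matched

def destinations(conf, facility, level):
    """Return every action whose selector accepts facility.level."""
    out = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, level):
            out.append(action)
    return out

# Constructed from the syslog.conf lines quoted in the thread (FreeBSD 5.4,
# where ipmon -s logs to the security facility).
BEFORE = """
*.err;kern.warning;auth.notice;mail.crit /dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/ipfilter.log
"""
# The fix reported at the end of the thread: security.none after *.notice;
AFTER = BEFORE.replace("*.notice;authpriv", "*.notice;security.none;authpriv")

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        for lvl in ("notice", "info"):
            print(name, "security." + lvl, destinations(conf, "security", lvl))
```

For a FreeBSD release where ipmon logs to local0, substitute local0 for security in both the selector line and the .none field.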
RE: IPFILTER Question
Can you post the rules he is using?

Perhaps you'll need something like:

pass out quick on xl0 proto tcp from any to any keep state keep frags

in his ruleset!

Regards,
Ivailo Tanusheff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nevins, Peter
Sent: Tuesday, April 01, 2003 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: IPFILTER Question

Hello.

I'm a firewall admin and have run into a question regarding your OS. A client
is running IPFILTER and cannot send mail to us here. We're running a Raptor
Firewall for NT (yes, NT). He sends a SYN and my system responds with an ACK
that is more on the lines of 1 million in length over the expected 1024. His
system drops the incoming packet from me thus no email transfer. Having no
working knowledge of IPFILTER, I don't know if it's on my end or his. Do you
have any previous problems noted where Raptor Firewalls are the common
denominator?

Thanks for any assistance you can provide in this. I have a TCPDUMP if you
would like to see it or know of anyone who could help.

Pete
Re: IPFILTER Question
On Tue, 1 Apr 2003, Nevins, Peter wrote:

> Hello.
>
> I'm a firewall admin and have run into a question regarding your OS. A client
> is running IPFILTER and cannot send mail to us here. We're running a Raptor
> Firewall for NT (yes, NT). He sends a SYN and my system responds with an ACK
> that is more on the lines of 1 million in length over the expected 1024. His
> system drops the incoming packet from me thus no email transfer. Having no
> working knowledge of IPFILTER, I don't know if it's on my end or his. Do you
> have any previous problems noted where Raptor Firewalls are the common
> denominator?
>
> Thanks for any assistance you can provide in this. I have a TCPDUMP if you
> would like to see it or know of anyone who could help.
>
> Pete

We had the same problem. That Raptor Firewall SMTP proxy has some sort of
spoofing protection which causes this.

You can get around it by adding the following rule to IPFilter. Place this
before any pass rules, and it should work.

block return-rst in on xl0 proto tcp from any to any

Marco Radzinschi
[EMAIL PROTECTED]

Among those who dislike oppression are many who like to oppress.
- Napoleon Bonaparte