Re: problems with ipfilter on 5.1-RELEASE

From: Crist J. Clark (cristjc_at_comcast.net)
Date: 08/12/03

    Date: Mon, 11 Aug 2003 15:40:54 -0700
    To: Redmond Militante <r-militante@northwestern.edu>
    
    

    On Fri, Aug 08, 2003 at 01:41:18AM -0500, Redmond Militante wrote:
    > hi all
    >
    > i'm trying to get ipfilter set up on my new 5.1-RELEASE box. ipfilter
    > seems to be working fine. i just have a couple of issues that are
    > probably not very serious...
    >
    > one thing is that during network startup at boot, i get the message
    > IPFilter: already initialized
    > repeated 4 times.
    >
    > i think i have everything configured properly
    >
    > my kernel config looks like
    >
    > options IPFILTER
    > options IPFILTER_LOG
    > options IPFILTER_DEFAULT_BLOCK
    >
    > my /etc/rc.conf looks like
    >
    > ipfilter_enable="YES"
    > ipfilter_flags=""
    > ipfilter_rules="/etc/ipfilter.rules"
    > ipmon_enable="YES"
    > ipmon_flags="-Dsvn"

    IPFilter may be initialized when other network devices and services
    are started and configured. This might be what you see. Can you
    provide more of your rc.conf? At the very least, the other
    networking-related variables.

    > the other problem i have is that: it now seems that ipmon is logging to
    > /var/log/messages. i've set up ipfilter successfully on many freebsd
    > 4x boxes, but this is the first time i've tried to set it up on 5x.
    >
    > in my /etc/syslog.conf i have
    >
    > local0.* /var/log/firewall_logs
    > *.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err
    > /var/log/messages

    The default facility for IPFilter was changed to LOG_SECURITY,

      cvs diff -rRELENG_4 -rRELENG_5_1 src/contrib/ipfilter/Makefile
      Index: src/contrib/ipfilter/Makefile
      ===================================================================
      RCS file: /ncvs/src/contrib/ipfilter/Makefile,v
      retrieving revision 1.1.1.8.2.6
      retrieving revision 1.2
      diff -u -r1.1.1.8.2.6 -r1.2
      --- src/contrib/ipfilter/Makefile 1 Mar 2003 03:55:50 -0000 1.1.1.8.2.6
      +++ src/contrib/ipfilter/Makefile 5 Apr 2003 09:25:19 -0000 1.2
      @@ -3,6 +3,7 @@
       #
       # See the IPFILTER.LICENCE file for details on licencing.
       #
      +# $FreeBSD: src/contrib/ipfilter/Makefile,v 1.2 2003/04/05 09:25:19 darrenr Exp $
       # $Id: Makefile,v 2.11.2.15 2002/12/02 04:22:56 darrenr Exp $
       #
       BINDEST=/usr/local/bin
      @@ -29,7 +30,7 @@
       #
       # The facility you wish to log messages from ipmon to syslogd with.
       #
      -LOGFAC=-DLOGFAC=LOG_LOCAL0
      +LOGFAC=-DLOGFAC=LOG_SECURITY
     
       #
       # Uncomment the next 3 lines if you want to view the state table a la top(1)
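    Review bot: changing the compiled-in default from LOG_LOCAL0 to LOG_SECURITY silently breaks every existing syslog.conf that routes `local0.*` to a firewall log (exactly the setup quoted at the top of this thread, where ipmon runs with `-s` and the poster's `local0.* /var/log/firewall_logs` line now receives nothing), so this hunk needs a matching UPDATING / release-notes entry and an ipmon(8) man page update. LOG_SECURITY is also a FreeBSD-specific syslog facility rather than one of the standard ones, so hard-coding it in a contrib Makefile makes the vendor build non-portable; a safer shape is to set `-DLOGFAC=LOG_SECURITY` only where `<syslog.h>` defines it and fall back to LOG_LOCAL0 otherwise.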

    You might want to,

      --- /export/freebsd/RELENG_5_1/src/etc/syslog.conf Wed Apr 23 06:08:31 2003
      +++ syslog.conf Mon Aug 11 15:37:54 2003
      @@ -6,7 +6,7 @@
       # may want to use only tabs as field separators here.
       # Consult the syslog.conf(5) manpage.
       *.err;kern.debug;auth.notice;mail.crit /dev/console
      -*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
      +*.notice;authpriv,security.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
       security.* /var/log/security
       auth.info;authpriv.info /var/log/auth.log
       mail.info /var/log/maillog
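    Review bot: the new selector `authpriv,security.none` is valid syslog.conf(5) syntax (a comma-separated facility list sharing one level), and because later selectors on a line override earlier ones for the same facility it correctly cancels the `*.notice` match for both, so security-facility records now land only in /var/log/security through the unchanged `security.*` line below it. Two points to carry with the change: the comment at the top of this hunk warns that fields should be tab-separated, and the archived copy shows spaces, so readers should edit the installed file rather than paste the hunk; and the `local0.* /var/log/firewall_logs` line from the original post is now dead and should be removed or changed to `security.*` if that filename is wanted.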

    if you wish to stop messages going to /var/log/messages. They should already
    be collecting in /var/log/security. You may wish to change that to
    firewall_logs if the filename is important to you.

    -- 
    Crist J. Clark                     |     cjclark@alum.mit.edu
                                       |     cjclark@jhu.edu
    http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
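The following is an added example, not part of the mailing-list thread or of the ipfilter or FreeBSD sources. It models the BSD syslog.conf selector rules the reply relies on (a `facility.level` selector matches that level and anything more severe, a comma-separated facility list shares one level, later selectors on a line override earlier ones for the same facility, and `none` switches a facility off) and applies them to the three configurations quoted above: the poster's 4.x-style lines, the RELENG_5_1 default, and the default with the suggested `authpriv,security.none` edit. Assumptions: only that subset of the syntax is modelled (no `=`/`!` level modifiers, `!prog` or `+host` blocks), and ipmon's records are taken to be logged at priority `notice`, which is a constructed sample value rather than something the thread states.

```python
# Added example (not from the thread): a simplified model of BSD syslog.conf
# selector matching, used to show where an ipmon record lands under the
# configurations quoted in the reply.
# ASSUMPTIONS: only "facility.level" selectors joined by ';', ',' facility
# lists, '*' wildcards and the 'none' level are modelled; '=' / '!' level
# modifiers, '!prog' and '+host' blocks are not. The ipmon priority 'notice'
# used below is a constructed sample value.

# syslog priority levels; a lower number is more severe
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}

# The two lines the original poster quoted from /etc/syslog.conf (4.x habit).
USER_CONF = """\
local0.*\t/var/log/firewall_logs
*.notice;local0.none;authpriv.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
"""

# RELENG_5_1 defaults as shown on the '-' side of the reply's diff.
DEFAULT_5_1 = """\
*.err;kern.debug;auth.notice;mail.crit\t/dev/console
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
security.*\t/var/log/security
auth.info;authpriv.info\t/var/log/auth.log
mail.info\t/var/log/maillog
"""

# The same file with the reply's suggested edit applied (the '+' side).
PATCHED_5_1 = DEFAULT_5_1.replace(
    "*.notice;authpriv.none;", "*.notice;authpriv,security.none;")


def parse_line(line):
    """Split one syslog.conf line into ([(facilities, level), ...], action).

    Returns None for blank lines and comments. Tabs and spaces are both
    accepted as the field separator, since archived copies often lose tabs.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    selector, action = line.split(None, 1)
    rules = []
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        rules.append((facs.split(","), level))
    return rules, action.strip()


def threshold_for(rules, facility):
    """Effective level threshold for one facility on one config line.

    Selectors are applied left to right, so a later selector naming the
    facility (or '*') overrides an earlier one; 'none' disables the facility.
    """
    threshold = None
    for facs, level in rules:
        if facility in facs or "*" in facs:
            if level == "none":
                threshold = None
            elif level == "*":
                threshold = LEVELS["debug"]   # every priority
            else:
                threshold = LEVELS[level]     # that level and more severe
    return threshold


def destinations(conf_text, facility, priority):
    """All actions (files/devices) that receive a facility.priority record."""
    pri = LEVELS[priority]
    hits = []
    for raw in conf_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        rules, action = parsed
        thr = threshold_for(rules, facility)
        if thr is not None and pri <= thr:
            hits.append(action)
    return hits


if __name__ == "__main__":
    # 4.x ipmon logged to local0; 5.1 ipmon logs to security (see the Makefile diff)
    print("4.x ipmon, poster's conf :", destinations(USER_CONF, "local0", "notice"))
    print("5.1 ipmon, poster's conf :", destinations(USER_CONF, "security", "notice"))
    print("5.1 ipmon, 5.1 default   :", destinations(DEFAULT_5_1, "security", "notice"))
    print("5.1 ipmon, patched conf  :", destinations(PATCHED_5_1, "security", "notice"))
```

Run as-is it shows the poster's symptom directly: with the 4.x-style file a `local0` record goes only to /var/log/firewall_logs, while a `security` record from the 5.1 ipmon matches the `*.notice` selector and goes to /var/log/messages; the 5.1 default file sends it to both /var/log/messages and /var/log/security, and the `authpriv,security.none` edit leaves only /var/log/security.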
    