Subject: Re: ipfilter logging without ipmon
To: Conrad T. Pino <Conrad@Pino.com>
From: Dancho Penev <dpenev@mail.bg>
List: netbsd-help
Date: 01/02/2003 13:20:48
Hi Conrad,

On Wed, Jan 01, 2003 at 01:47:57PM -0800, Conrad T. Pino wrote:
>From: "Conrad T. Pino" <Conrad@Pino.com>
>To: "'Dancho Penev'" <dpenev@mail.bg>
>Cc: <netbsd-help@NetBSD.ORG>
>Subject: RE: ipfilter logging without ipmon
>Date: Wed, 1 Jan 2003 13:47:57 -0800
>
>Hi Dancho,
>
>Thank you for responding.  Your efforts are appreciated.
>
>> -----Original Message-----
>> From: Dancho Penev [mailto:dpenev@mail.bg]
>> Sent: Wednesday, January 01, 2003 07:49
>> To: Conrad T. Pino
>> Cc: netbsd-help@NetBSD.ORG
>> Subject: Re: ipfilter logging without ipmon
>> 
>> >I wanted to use "ipmon -s -D" to log blocked packets to 
>> >"syslogd" but had no success.  Nothing appeared in /var/log 
>> >and "ipmon" kept writing to the console.  I'll take any
>> >suggestions about this problem.
>> 
>> Did you change /etc/syslog.conf to log local0.* messages in
>> separate file ? In my syslog.conf I have:
>> 
>> local0.*			/var/log/ipfilter
>
>Yes, I added a similar line at the END of the file.  I also modified this
>line near the top:
>
>*.info;auth,authpriv,cron,ftp,kern,local0,lpr,mail.none /var/log/messages
>                                   ^^^^^^^
>which I understand means don't log local0 to the messages log.
>
>Your reply suggests that I had an error in my setup.  I created a new
>syslog.conf file with "local0..." line near the top just below the
>"kern.debug /var/log/messages" line and everything seems to be working.
>
>> >In the meantime, can anyone shed some light on what happens 
>> >if there is no "ipmon" process running to consume the output generated
>> >by "ipfilter"?
>
>I ran my system with ipfilter logging but without ipmon for a day.  It
>seems the log buffer fills to about ~40 log entries and stops accepting
>additional entries.

The size of the IP log device (man 4 ipl) buffer is IPLLOGSIZE bytes (the
default value is 8192, defined in /usr/src/sys/netinet/ip_fil.h in
NetBSD 1.5.2, but I don't know whether it is safe to increase it), so when
there is no ipmon or other program reading from it, ipl will not log more
than IPLLOGSIZE bytes of packet headers.

>
>Thanks again,
>
>Conrad

-- 
Regards,
Dancho Penev
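The practical consequence of the buffer behaviour described in the thread is that an unattended firewall silently stops logging once the ipl buffer is full. The shell script below is an added example, not part of the original exchange or of ipfilter itself: it checks that an ipmon process is present and that the syslog destination used in the thread (/var/log/ipfilter) keeps growing over a sampling interval. The process-list format from `ps -axo comm`, the interval length and the log path are assumptions; a log that does not grow may simply mean no packets matched a logging rule, so that case is reported as a notice rather than a failure.

```sh
#!/bin/sh
# Added example: verify that the ipfilter -> ipmon -> syslogd logging
# pipeline is draining. Without a reader, the ipl device buffer
# (IPLLOGSIZE bytes) fills and further log entries are lost.

IPL_LOG="${IPL_LOG:-/var/log/ipfilter}"   # destination from the thread's syslog.conf (assumed)
INTERVAL="${INTERVAL:-60}"                # sampling interval in seconds (assumed)

# reader_present: return 0 when a process named exactly "ipmon" appears on
# stdin, one process name per line (the shape produced by `ps -axo comm`).
reader_present() {
    grep -qx 'ipmon'
}

# file_bytes FILE: print the size of FILE in bytes, or 0 if it is missing.
file_bytes() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# log_grew BEFORE AFTER: return 0 when the byte count increased.
log_grew() {
    [ "$2" -gt "$1" ]
}

# check_ipfilter_logging: 1 = no ipmon running (entries will be dropped once
# the ipl buffer fills), 0 = reader present (with a notice if the log is idle).
check_ipfilter_logging() {
    if ! ps -axo comm | reader_present; then
        echo "WARNING: no ipmon process found; ipl buffer will fill and stop logging"
        return 1
    fi
    before=$(file_bytes "$IPL_LOG")
    sleep "$INTERVAL"
    after=$(file_bytes "$IPL_LOG")
    if log_grew "$before" "$after"; then
        echo "OK: ipmon running, $IPL_LOG grew by $((after - before)) bytes"
    else
        echo "NOTICE: ipmon running but $IPL_LOG did not grow in ${INTERVAL}s (no matches, or syslog.conf misrouted local0)"
    fi
    return 0
}

# Run the check only when invoked as: sh check_ipl.sh run
case "${1:-}" in
    run) check_ipfilter_logging ;;
esac
```

Run it from cron or a monitoring agent; a non-zero exit means the buffer is unattended and blocked-packet evidence is being lost.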