IPFILTER rule error

Erik Norgaard norgaard at locolomo.org
Tue Feb 14 07:14:09 PST 2006 

Maxim Vetrov wrote:
> Hi,
> kernel conf:
> -------------------------------------------------------
> ...
> options        IPFILTER
> options        IPFILTER_LOG
> #options        IPFILTER_DEFAULT_BLOCK
> #options        IPSTEALTH
> ...
> -------------------------------------------------------

The rc scripts should load these modules if they are not compiled with 
the kernel, in that case they would show up with kldstat.

Try use kldstat and sysctl -a to see what's in your kernel, grep for ipf.

> services:
> -------------------------------------------------------
> ...
> sunrpc          111/tcp    rpcbind      #SUN Remote Procedure Call
> sunrpc          111/udp    rpcbind      #SUN Remote Procedure Call
> ...
> -------------------------------------------------------
> 
> ipf.rules:
> -------------------------------------------------------
> block in log on rl0 all head 20
> block out log on rl0 all head 25
> 
> 
> pass in quick on rl0 \
>  proto tcp/udp from any to any port = sunrpc keep state group 20
> pass in quick on rl0 \
>  proto tcp/udp from any to any port = 717 keep state group 20
> pass out quick on rl0 \
>  proto udp from any to any port = 111 keep state group 20
> --------------------------------------------------------
> 
> Steps to load the rules:
>> ipf -Fa
>> ipf -f /etc/ipf.rules
> 1:ioctl (add/insert rule): No such process

1st: IIRC, the number in the error line indicates the line the error 
occurred in - not sure though. That would be your first rule. I don't 
know if you posted the whole ruleset or if you cut out what seemed 
irrelevant to keep the post short.

2nd: Reading the ipf-howto I see no examples where port names are used, 
try using the port number to eliminate that posibility.

> And there is one more problem - despite that I have packet logging
> enabled by default (-Ds) through syslogd, log is empty!
> 
> syslog.conf:
> --------------------------------------------------------
> ...
> security.*      /var/log/security
> ...
> --------------------------------------------------------
> That file exists and have root rw permissions.

If you want to log to a separate file, why not let ipmon do that directly?

    # ipmon -D /var/log/security

Secondly, the empty log may not be that surprising in the first place if 
your ruleset is not loaded correctly.

Cheers, Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9

More information about the freebsd-questions mailing list