IP filter logging

In my previous post, I described how to setup IP filter to protect a desktop workstation. The IP filter policy allowed SSH connections, and dropped and logged all other inbound traffic. When a packet is dropped and logged, IP filter writes the packet headers to the /dev/ipl pseudo-device. This device is monitored by ipmon(1m), which is started by the IP filter initialization scripts. When ipmon(1m) detects that a new entry has been logged to /dev/ipl, the message is routed to syslogd’s local0 facility ( you can also configure IP filter to log directly to a file), using one of several priorities listed in the ipmon(1m) manual page:

LOG_INFO Packets logged using the log keyword as the action rather than pass or block.

LOG_NOTICE Packets logged that are also passed.

LOG_WARNING Packets logged that are also blocked.

LOG_ERR Packets that have been logged and that can be con- sidered “short”.

To get my IP filter installation to log everything, I added the following entry to /etc/syslog.conf:

$ grep local0 /etc/syslog.conf
local0.debug /var/log/ipflog

Once the entry is added to the syslog.conf configuration file (remember to use tabs to delimit the entries), syslogd needs to be restarted. This can be accomplished with the svcadm(1m) utility:

$ /usr/sbin/svcadm restart system-log

When traffic is blocked, you should see an entry in “/var/log/ipflog”:

$ ls -la /var/log/ipflog
-rw-r–r– 1 root root 33765 Mar 13 21:08 /var/log/ipflog

I recommend adding /var/log/ipflog to /etc/logadm.conf (or newsyslog.conf if you are using the BSD Operating Systems). This will ensure that your logs get rotated periodically ( on busy MSFT networks, it will grow by leaps and bounds!).

This article was posted by Matty on 2005-03-13 23:27:00 -0400 -0400