Logging provides the ability to review, after the fact, information such as which packets were dropped, what addresses they came from, and where they were going. This information is useful in tracking down attackers.
<primary><application>IPFILTER</application></primary> <secondary>statistics</secondary>
<application>IPF</application> includes <citerefentry><refentrytitle>ipfstat</refentrytitle><manvolnum>8</manvolnum></citerefentry> which can be used to retrieve and display statistics which are gathered as packets match rules as they go through the firewall. Statistics are accumulated since the firewall was last started or since the last time they were reset to zero using <command>ipf -Z</command>.
The default <command>ipfstat</command> output looks like this:
input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
input packets logged: blocked 99286 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 3898 output 0
fragment state(in): kept 0 lost 0
fragment state(out): kept 0 lost 0
packet state(in): kept 169364 lost 0
packet state(out): kept 431395 lost 0
ICMP replies: 0 TCP RSTs sent: 0
Result cache hits(in): 1215208 (out): 1098963
IN Pullups succeeded: 2 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
Packet log flags set: (0)
Several options are available. When supplied with either <option>-i</option> for inbound or <option>-o</option> for outbound, the command will retrieve and display the appropriate list of filter rules currently installed and in use by the kernel. To also see the rule numbers, include <option>-n</option>. For example, <command>ipfstat -on</command> displays the outbound rules table with rule numbers:
@1 pass out on xl0 from any to any
@2 block out on dc0 from any to any
@3 pass out quick on dc0 proto tcp/udp from any to any keep state
Include <option>-h</option> to prefix each rule with a count of how many times the rule was matched. For example, <command>ipfstat -oh</command> displays the outbound internal rules table, prefixing each rule with its usage count:
2451423 pass out on xl0 from any to any
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep state
To display the state table in a format similar to <citerefentry><refentrytitle>top</refentrytitle><manvolnum>1</manvolnum></citerefentry>, use <command>ipfstat -t</command>. When the firewall is under attack, this option provides the ability to identify and see the attacking packets. The optional sub-flags give the ability to select the destination or source <acronym>IP</acronym>, port, or protocol to be monitored in real time. Refer to <citerefentry><refentrytitle>ipfstat</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.
<application>IPF</application> Logging
<primary><command>ipmon</command></primary>
<primary><application>IPFILTER</application></primary> <secondary>logging</secondary>
<application>IPF</application> provides <command>ipmon</command>, which can be used to write the firewall's logging information in a human readable format. It requires that <literal>options IPFILTER_LOG</literal> be first added to a custom kernel using the instructions in <xref linkend="kernelconfig"/>.
This command is typically run in daemon mode in order to provide a continuous system log file so that logging of past events may be reviewed. Since FreeBSD has a built-in <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> facility to automatically rotate system logs, the default <filename>rc.conf</filename> <literal>ipmon_flags</literal> statement uses <option>-Ds</option>:
ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
# v = log tcp window, ack, seq
# n = map IP &amp; port to names
Once the logging facility is enabled in <filename>rc.conf</filename> and started with <command>service ipmon start</command>, <application>IPF</application> will only log the rules which contain the <literal>log</literal> keyword. The firewall administrator decides which rules in the ruleset should be logged and normally only deny rules are logged. It is customary to include the <literal>log</literal> keyword in the last rule in the ruleset. This makes it possible to see all the packets that did not match any of the rules in the ruleset.
By default, <command>ipmon -Ds</command> mode uses <literal>local0</literal> as the logging facility. The following logging levels can be used to further segregate the logged data:
LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed.
LOG_WARNING - packets logged which are also blocked.
LOG_ERR - packets which have been logged and which can be considered short due to an incomplete header.
In order to set up <application>IPF</application> to log all data to <filename>/var/log/ipfilter.log</filename>, first create the empty file:
<prompt>#</prompt> <userinput>touch /var/log/ipfilter.log</userinput>
Then, to write all logged messages to the specified file, add the following statement to <filename>/etc/syslog.conf</filename>:
local0.* /var/log/ipfilter.log
To activate the changes and instruct <citerefentry><refentrytitle>syslogd</refentrytitle><manvolnum>8</manvolnum></citerefentry> to read the modified <filename>/etc/syslog.conf</filename>, run <command>service syslogd reload</command>.
Do not forget to edit <filename>/etc/newsyslog.conf</filename> to rotate the new log file.
Messages generated by <command>ipmon</command> consist of data fields separated by white space. Fields common to all messages are:
The date of packet receipt.
The time of packet receipt. This is in the form HH:MM:SS.F, for hours, minutes, seconds, and fractions of a second.
The name of the interface that processed the packet.
The group and rule number of the rule in the format <literal>@0:17</literal>.
The action: <literal>p</literal> for passed, <literal>b</literal> for blocked, <literal>S</literal> for a short packet, <literal>n</literal> did not match any rules, and <literal>L</literal> for a log rule.
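As an added example (not code from the Handbook or the IPF project), a small Python parser for the common <command>ipmon</command> fields listed above, which then tallies blocked packets per source address for after-the-fact review. The sample lines and the assumed layout of the remainder of each record (source -> destination, protocol) are constructed, not captured output; the action-to-level mapping follows the logging levels described earlier.

```python
import re
from collections import Counter

# Constructed sample lines in the ipmon field layout the text describes:
# date, time with fractional seconds, interface, @group:rule, action, then
# the rest of the record (assumed "src[,port] -> dst[,port] PR proto").
SAMPLE_LOG = """\
15/01/2024 13:42:07.118204 dc0 @0:2 b 203.0.113.9,40122 -> 192.0.2.10,22 PR tcp
15/01/2024 13:42:09.551903 dc0 @0:2 b 203.0.113.9,40123 -> 192.0.2.10,23 PR tcp
15/01/2024 13:42:10.003310 xl0 @0:1 p 192.0.2.10,51022 -> 198.51.100.4,443 PR tcp
15/01/2024 13:42:11.771120 dc0 @0:3 S 203.0.113.77 -> 192.0.2.10 PR udp
15/01/2024 13:42:12.002001 dc0 @0:9 L 203.0.113.5,1 -> 192.0.2.10,1 PR icmp
"""

# Syslog level ipmon assigns to each action, as described in the text
# ("n" - no rule matched - has no level listed there, so it maps to None).
LEVEL_FOR_ACTION = {"L": "LOG_INFO", "p": "LOG_NOTICE", "b": "LOG_WARNING", "S": "LOG_ERR"}

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<ifname>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[pbSnL])\s+(?P<rest>.*)$"
)

def parse_line(line):
    """Return a dict of the common fields, or None if the line does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["group"], rec["rule"] = int(rec["group"]), int(rec["rule"])
    rec["level"] = LEVEL_FOR_ACTION.get(rec["action"])
    # Source is the token before "->"; a ",port" suffix is dropped if present.
    src = rec["rest"].split("->")[0].strip()
    rec["src"] = src.split(",")[0]
    return rec

def blocked_sources(text):
    """Count blocked ('b') packets per source address across the log text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "b":
            counts[rec["src"]] += 1
    return counts

if __name__ == "__main__":
    for src, n in blocked_sources(SAMPLE_LOG).most_common():
        print(f"{n:6d} blocked from {src}")
```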