ipflog not showing groups?


Post by bean » Tue, 05 Mar 2002 06:31:27



My ipf rules are broken into groups.  It's my understanding of the ipflog
format that packets logged within a particular group should reflect that,
i.e., if a packet is blocked by a rule in group 4, I should have
something like:


Indicating that the packet was dropped by the 9th rule in group 4.  However,
the actual behaviour that I'm seeing is that *all* packets are logged as
group 0, regardless of the group of the rule that performed the action, i.e.
in the example above, if rule 9 in group 4 blocked a packet, I'd still just
get:


This makes it difficult to analyze the logs, since ipf restarts numbering of
rules with each group...   leaving me wondering, "Well, was this packet
dropped by rule 3 in group 1, 2, 3, or 4?".  Has anyone else seen this with
their rulesets?  Have I configured something incorrectly?

Any help appreciated,
Mark

 
 
 


Post by Dave Uhrin » Tue, 05 Mar 2002 06:50:58



> My ipf rules are broken into groups.  It's my understanding of the
> ipflog format that packets logged within a particular group should
> reflect that, i.e., if a packet is blocked by a rule in group 4, I
> should have something like:


> Indicating that the packet was dropped by the 9th rule in group 4.
> However, the actual behaviour that I'm seeing is that *all* packets
> are logged as group 0, regardless of the group of the rule that
> performed the action, i.e. in the example above, if rule 9 in group 4
> blocked a packet, I'd still just get:


> This makes it difficult to analyze the logs, since ipf restarts
> numbering of rules with each group...   leaving me wondering, "Well,
> was this packet dropped by rule 3 in group 1, 2, 3, or 4?".  Has
> anyone else seen this with their rulesets?  Have I configured
> something incorrectly?

> Any help appreciated,
> Mark

Try running 'ipfstat -ih'

 
 
 


Post by bean » Tue, 05 Mar 2002 10:24:30


Quote:

> Try running 'ipfstat -ih'

Thank you for replying; however, that's still not quite what I'm looking
for.  That command will list my current input rules, and the number of times
each has been 'hit'.  My original question actually goes to /var/log/ipflog.
If you look at your firewall logs there, you'll see that each line has the

triggered the block or pass.  I have four groups of rules configured, but
ipflog always shows that group zero contained the rule in question, which
simply can't be the case...
 
 
 


Post by bean » Tue, 05 Mar 2002 10:34:44


My apologies, guys...  I dug deeper into my rules and found that they were
returning to group zero for the block/log

/me slunks away in shame...    : \
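
An added example, not part of the thread: a small parser for the `@group:rule` field the posts discuss, which tallies hits per group and rule and flags the case where every block is attributed to group 0. It assumes the field layout documented in ipmon(8) (interface, `@group:rule`, action letter, addresses, `PR proto`); the log lines, host name and addresses are constructed.

```python
import re
from collections import Counter

# Field layout assumed from ipmon(8):
#   <iface> @<group>:<rule> <action> <src> -> <dst> PR <proto> ...
# action letters: p = passed, b = blocked, S = short, n = no match, L = log rule
HIT = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[pbSnL]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+)"
)

# Constructed sample lines (documentation address ranges), not from the thread.
SAMPLE_LOG = """\
Mar  4 06:30:01 fw ipmon[212]: 06:30:00.412873 xl0 @0:9 b 192.0.2.10,4021 -> 198.51.100.5,23 PR tcp len 20 60 -S
Mar  4 06:30:07 fw ipmon[212]: 06:30:06.118204 xl0 @0:9 b 192.0.2.44,1188 -> 198.51.100.5,111 PR udp len 20 84
Mar  4 06:30:09 fw ipmon[212]: 06:30:09.000512 xl0 @4:3 p 192.0.2.10,4022 -> 198.51.100.5,80 PR tcp len 20 60 -S
Mar  4 06:30:11 fw ipmon[212]: last message repeated 2 times
"""

def parse_hits(text):
    """Return one dict per log line that carries an @group:rule field."""
    hits = []
    for line in text.splitlines():
        m = HIT.search(line)
        if m:  # skips syslog noise such as "last message repeated"
            d = m.groupdict()
            d["group"], d["rule"] = int(d["group"]), int(d["rule"])
            hits.append(d)
    return hits

def tally(hits):
    """Count per (group, rule, action): rule 3 of group 1 and of group 4 stay distinct."""
    return Counter((h["group"], h["rule"], h["action"]) for h in hits)

def blocks_only_in_group_zero(hits):
    """True when every blocked packet is attributed to group 0 (the symptom in the thread)."""
    groups = {h["group"] for h in hits if h["action"] == "b"}
    return groups == {0}

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    for (group, rule, action), n in sorted(tally(hits).items()):
        print(f"group {group} rule {rule} action {action}: {n}")
    print("all blocks in group 0:", blocks_only_in_group_zero(hits))
```

If the last check is true on a grouped ruleset, the rule doing the block/log sits in group 0, which is what the final post found.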

 
 
 
