ipfilter logging

A while ago some of our test suites were failing due to erroneous requests to port 80 on the test machines. The simplest fix was to use ipfilter to block port 80 requests to anything other than our webserver in the lab:

 pass in quick on bge2 proto tcp from any to <webserver IP> port = 80
 block in quick on bge2 from any to any port = 80

bge2 is our external interface.

The bit I got stuck on was logging the attempts. ipfilter lets you add the log keyword to any rule. When logging to syslog the default facility is local0 and the default priorities (levels) are:

LOG_INFO
Packets logged using the log keyword as the action rather than pass or block.
LOG_NOTICE
Packets logged that are also passed.
LOG_WARNING
Packets logged that are also blocked.
LOG_ERR
Packets that have been logged and that can be considered “short”.

You can alter these defaults in the rule for example as:

block in log level auth.info quick on bge2 from any to any port = 80

but the defaults are fine for me so we just use:

block in log quick on bge2 from any to any port = 80

Turning on logging will cause ipfilter to write to /dev/ipl. You can use ipmon(1M) to monitor this directly, or run it as a daemon that forwards to syslog with 'ipmon -Ds'.

If you use syslog you need to define where the log should go, as not everything automatically ends up in /var/log/syslog. You need to add a line like this to /etc/syslog.conf (the selector and the action must be separated by a tab, shown here as <TAB>):

local0.debug<TAB>/var/log/ipflog

You cannot say 'local0.*' in syslog.conf: * is valid only for facilities, not priorities. If you try you'll get an error of 'unknown priority name "*"'. You also cannot separate the two fields with spaces; you must use a tab, otherwise syslogd parses the whole line as the selector and you'll get an error like 'unknown priority name "debug /var/log/ipflog"'. Once this is defined correctly, touch /var/log/ipflog and restart syslog. You should then see connection attempts logged to this file. Since we are using the default logging above for our block rule they will be logged as local0.warning, which the local0.debug selector catches because a selector matches its priority and everything more severe. The tabs and the * had me stuck for a while, so hopefully this post will save someone else some head scratching.
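To catch those two mistakes before restarting syslogd, here is a small lint script in POSIX sh. It is an added example, not part of the original post, and it mimics how syslogd splits a line: everything before the first tab is the selector, and the text after the first '.' in each selector is tried as a priority name. The priority list and the constructed sample file below are assumptions for the example; facility names are not checked, since the post's problems are on the priority side.

```shell
#!/bin/sh
# Added example (not from the original post): lint /etc/syslog.conf entries for
# the two pitfalls described above: a '*' used as a priority, and spaces instead
# of a tab between the selector and the action.

# Assumed set of priority names accepted by syslogd (classic BSD/Solaris set).
KNOWN_PRIORITIES=" emerg alert crit err warning warn notice info debug none "

# check_selector FACILITY.PRIORITY
# Prints the diagnostic syslogd would give and returns 1 if the selector is bad.
check_selector() {
    sel="$1"
    case "$sel" in
        *.*) ;;
        *) echo "unknown selector \"$sel\" (expected facility.priority)"; return 1 ;;
    esac
    # syslogd tries everything after the first '.' as the priority name, which is
    # why a line typed with spaces yields "unknown priority name "debug /var/log/ipflog"".
    prio="${sel#*.}"
    case "$KNOWN_PRIORITIES" in
        *" $prio "*) return 0 ;;
    esac
    echo "unknown priority name \"$prio\""
    return 1
}

# check_syslog_conf FILE
# Returns 0 if every entry is well formed, 1 otherwise (one diagnostic per bad entry).
check_syslog_conf() {
    conf="$1"
    rc=0
    n=0
    tab="$(printf '\t')"
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        # The selector is everything before the first tab; with no tab at all,
        # the whole line (action included) is parsed as the selector.
        selector="${line%%"$tab"*}"
        # Selectors may be ';'-separated, e.g. *.err;kern.notice
        rest="$selector;"
        while [ -n "$rest" ]; do
            sel="${rest%%;*}"
            rest="${rest#*;}"
            [ -n "$sel" ] || continue
            if ! msg="$(check_selector "$sel")"; then
                echo "$conf: line $n: $msg"
                rc=1
            fi
        done
    done < "$conf"
    return $rc
}

# Constructed sample configuration (not a real file from the post's lab machines).
demo_conf="${TMPDIR:-/tmp}/syslog.conf.demo.$$"
printf 'local0.debug\t/var/log/ipflog\n'      > "$demo_conf"   # good: tab-separated
printf 'local0.debug    /var/log/spaces\n'   >> "$demo_conf"   # bad: spaces, not a tab
printf 'local0.*\t/var/log/star\n'           >> "$demo_conf"   # bad: '*' is not a priority
printf '*.err;kern.notice\t/dev/console\n'   >> "$demo_conf"   # good: '*' as a facility is fine

check_syslog_conf "$demo_conf" || echo "fix $demo_conf before restarting syslogd"
rm -f "$demo_conf"
```

Running it on the sample reports the spaces line and the '*' line and leaves the two good entries alone; run it against /etc/syslog.conf after editing and only restart syslogd when it returns 0.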
