iplog.conf(5)		      File Formats Manual		 iplog.conf(5)

NAME
       iplog.conf - iplog configuration file

DESCRIPTION
       Upon execution and upon being restarted,	iplog reads a list of configu-
       ration rules from its configuration file.  The default location of this
       file is /usr/local/etc/iplog.conf.

NOTATION
       Throughout  this	 document,  required parameters	will be	denoted	by en-
       closing the parameter in	angle brackets <like this>.

       Optional	parameters will	be  denoted  by	 enclosing  the	 parameter  in
       square brackets [like this].

       The  '|'	 character  is	used  to  express  exclusive  or.  For example
       [true|false] means you may give "true" or "false", but not both.

COMMENTS
       The '#' character marks the beginning of	 a  comment.   C-style	(/**/)
       comments	are accepted, also.

RULE CLASSES
       There  are  nine	 classes of rules supported in the iplog configuration
       file.  These rules are: set rules, interface rule, priority  rule,  fa-
       cility  rule,  user  rule,  group rule, promisc rule, logfile rule, and
       pid-file	rule.

SET RULE SYNTAX
       Set rules allow for boolean program options to be enabled  or  disabled
       at runtime.

       The syntax for "set" rules is:
       set <keyword> [true|false]

SET KEYWORDS
       tcp    Log or ignore TCP	traffic.

       udp    Log or ignore UDP	traffic.

       icmp   Log or ignore ICMP traffic.

       frag   Enable  or  disable detection of IP fragment attacks (duplicated
	      and overlapping fragments).

       smurf  Enable or	disable	detection of "smurf" attacks.

       bogus  Enable or	disable	detection of  TCP  packets  with  invalid  TCP
	      flags  set.  Programs such as nmap and queso may set these flags
	      while trying to perform OS detection.

       log_ip Enable or	disable	logging	 IP  addresses	in  addition  to  host
	      names.

       log_dest
	      Log the destination address of IP	packets	that are received.

       stdout Enable  or disable logging to stdout.  This option is incompati-
	      ble with the "logfile" keyword.

       no_fork
	      Enable or	disable	running	in the foreground.

       verbose
	      Enable or	disable	verbose	mode.  In verbose mode,	 packets  with
	      invalid checksums	and truncated headers are logged.

       fin_scan
	      Enable or	disable	the detection of TCP FIN scans.

       syn_scan
	      Enable or	disable	the detection of TCP SYN scans.

       udp_scan
	      Enable or	disable	the detection of UDP scans and UDP floods.

       portscan
	      Enable or	disable	the detection of TCP port scans.

       fool_nmap
	      Enable  or  disable  a mechanism that attempts to	fool programs,
	      such as nmap and queso, that perform remote OS detection.	 As  a
	      side effect, enabling this option	will also cause	most of	nmap's
	      "stealth"	scans to fail.

       xmas_scan
	      Enable or	disable	the detection of TCP XMas scans.

       null_scan
	      Enable or	disable	the detection of TCP null scans.

       get_ident
	      Enable or	disable	fetching IDENT info for	connections  to	 local
	      ports  that  are	listening.   This  option is only available on
	      Linux.

       dns_cache
	      Enable or	disable	the use	of a built-in DNS cache.

       syn_flood
	      If this option is	enabled, iplog	will  stop  resolving  IP  ad-
	      dresses (until the flood ends) if	a SYN flood is detected.

       ignore_dns
	      If  this	option	is  enabled,  DNS traffic from hosts listed in
	      /etc/resolv.conf will be ignored.

       ping_flood
	      Enable or	disable	detection of ICMP ping floods.

       scans_only
	      Enable or	disable	detecting only scans and floods.

       traceroute
	      Enable or	disable	detection of traceroute.

       udp_resolve
	      Enable or	disable	looking	up the host names for the  source  and
	      destination hosts	for UDP	traffic.

       tcp_resolve
	      Enable  or  disable looking up the host names for	the source and
	      destination hosts	for TCP	traffic.

       icmp_resolve
	      Enable or	disable	looking	up the host names for the  source  and
	      destination hosts	for ICMP traffic.

       disable_resolver
	      Enable or	disable	turning	off host name lookups for all traffic.

INTERFACE RULE SYNTAX
       The interface rule is used to define the	interfaces on which iplog will
       listen.

       The rule	format for the interface rule is:
       interface <if0,...,ifN>
       Where ifX is an interface name.

PRIORITY RULE SYNTAX
       The priority rule is used to define the syslog(3) priority  (or	level)
       that iplog will use.

       The rule	format for the priority	rule is:
       priority	<syslog_priority>
       See syslog(3) for a list of valid priority levels.

FACILITY RULE SYNTAX
       The  facility  rule is used to define the syslog(3) facility that iplog
       will use.

       The rule	format for the facility	rule is:
       facility	<syslog_facility>
       See syslog(3) for a list of valid syslog facilities.

USER RULE SYNTAX
       The user	rule is	used to	define which user iplog	will run as.

       The user	rule format is:
       user <UID|username>

GROUP RULE SYNTAX
       The group rule is used to define	which group iplog will run with.

       The group rule format is:
       group <GID|group>

LOGFILE	RULE SYNTAX
       The logfile rule	is used	to define a file to which iplog	will  log  its
       output.	iplog can either log to	syslog,	to stdout or to	a logfile, but
       only one.

       The logfile rule	format is:
       logfile <path_to_logfile>

PID-FILE RULE SYNTAX
       The pid-file rule is used to specify the	location of iplog's pid	 file.
       The  user that iplog will run as	should have write access to the	direc-
       tory the	specified file is in.  The location of the pid	file  defaults
       to /var/run/iplog.pid.

       This option should be used when iplog is	set to run as a	user that does
       not have	write access to	/var/run.

       The pid-file rule format	is:
       pid-file	<path_to_pid-file>

PROMISC	RULE SYNTAX
       The promisc rule	enables	iplog to operate in promiscuous	mode.  In pro-
       miscuous	mode, iplog examines traffic to	all visible hosts on the local
       network.

       The rule	format for the promisc rule is:
       promisc <network0,...,networkN>
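       The rule classes described above (comments, set, interface, priority,
       facility, user, group, logfile, pid-file and promisc), worked through
       as a small loader and checker.  This is an added example, not part of
       iplog and not taken from the man page.  The sample configuration is
       constructed, its pid-file path is a placeholder, and treating a bare
       "set <keyword>" as true is an assumption (the page's own "set
       ignore_dns" example gives no value).  The checker reports the two
       constraints the page states: stdout and logfile are mutually
       exclusive, and a non-root user needs a writable pid-file location.

```python
"""Loader and checker for the non-filter rule classes of iplog.conf.

Added example, not iplog's own code.  Handles '#' and C-style comments, set rules
(with the man page's keyword list), the interface and promisc lists, and the
priority, facility, user, group, logfile and pid-file rules.  Filter lines
(log/ignore ...) are collected unparsed.
"""
import re

SET_KEYWORDS = {
    "tcp", "udp", "icmp", "frag", "smurf", "bogus", "log_ip", "log_dest", "stdout",
    "no_fork", "verbose", "fin_scan", "syn_scan", "udp_scan", "portscan", "fool_nmap",
    "xmas_scan", "null_scan", "get_ident", "dns_cache", "syn_flood", "ignore_dns",
    "ping_flood", "scans_only", "traceroute", "udp_resolve", "tcp_resolve",
    "icmp_resolve", "disable_resolver",
}
LIST_RULES = {"interface", "promisc"}   # comma-separated lists
SCALAR_RULES = {"priority", "facility", "user", "group", "logfile", "pid-file"}

# Constructed sample configuration (the pid-file path is a placeholder)
SAMPLE_CONFIG = """\
/* constructed sample configuration
   for the loader below */
user nobody
group nogroup
pid-file /var/tmp/iplog.pid
logfile /var/log/iplog        # log to a file ...
set stdout true               # ... and to stdout: the man page allows only one
set log_ip true
set ignore_dns
interface eth0,eth1
ignore udp from 192.168.0.1 sport 53
"""


def strip_comments(text):
    """Drop /* ... */ blocks (keeping their newlines so line numbers survive), then '#' to end of line."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_config(text):
    conf = {"set": {}, "interface": [], "promisc": [], "filters": []}
    for lineno, raw in enumerate(strip_comments(text).splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        kind = tokens[0].lower()
        if kind == "set":
            if len(tokens) not in (2, 3) or tokens[1].lower() not in SET_KEYWORDS:
                raise ValueError(f"line {lineno}: expected set <keyword> [true|false]")
            # Assumption: a bare "set <keyword>" (as in the man page's ignore_dns example) means true
            value = tokens[2].lower() if len(tokens) == 3 else "true"
            if value not in ("true", "false"):
                raise ValueError(f"line {lineno}: expected true or false, got {value!r}")
            conf["set"][tokens[1].lower()] = value == "true"
        elif kind in LIST_RULES and len(tokens) == 2:
            conf[kind].extend(tokens[1].split(","))
        elif kind in SCALAR_RULES and len(tokens) == 2:
            conf[kind] = tokens[1]
        elif kind in ("log", "ignore"):
            conf["filters"].append(" ".join(tokens))
        else:
            raise ValueError(f"line {lineno}: unknown or malformed rule {raw.strip()!r}")
    return conf


def check_config(conf):
    """Return the problems the man page warns about; an empty list means none were found."""
    problems = []
    if conf["set"].get("stdout") and "logfile" in conf:
        problems.append("set stdout true is incompatible with a logfile rule")
    if "pid-file" not in conf and conf.get("user") not in (None, "root", "0"):
        problems.append("running as a non-root user without a pid-file rule; the default "
                        "/var/run/iplog.pid needs write access to /var/run")
    return problems


if __name__ == "__main__":
    for problem in check_config(parse_config(SAMPLE_CONFIG)):
        print("warning:", problem)
```

       Run as a script, it prints one warning for the constructed sample,
       because that sample sets stdout and names a logfile at the same time.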

FILTER RULE SYNTAX
       The rule format for TCP and UDP filters is:
       <log|ignore> <tcp|udp>
       [from [!]<address>[/<mask>]]
       [sport [!]<port-start>[:[<port-end>]]]
       [to [!]<address>[/<mask>]]
       [dport [!]<port-start>[:[<port-end>]]]
       (All on one line)

       The rule	format for ICMP	filters	is:
       <log|ignore> icmp
       [type [!]<type>]
       [from [!]<address>[/<mask>]]
       [to [!]<address>[/<mask>]]
       (All on one line)

FILTER KEYWORDS
       The sense of a keyword can be inverted by prefixing its argument	with a
       '!' character.

       log    Log  packets  matching  the rule.	 Either	this or	ignore must be
	      the first	keyword	specified in a rule.  The log and ignore  key-
	      words cannot be used in the same rule.

       ignore Ignore  packets  matching	 the rule.  Either this	or log must be
	      the first	keyword	specified in a rule.  The log and ignore  key-
	      words cannot be used in the same rule.

       tcp    Specifies	 this  rule should be applied to TCP traffic.  Exactly
	      one of the tcp, udp and icmp keywords must be used in each rule.

       udp    Specifies	this rule should be applied to UDP  traffic.   Exactly
	      one of the tcp, udp and icmp keywords must be used in each rule.

       icmp   Specifies	 this rule should be applied to	ICMP traffic.  Exactly
	      one of the tcp, udp and icmp keywords must be used in each rule.

       from <Address parameter>
	      The from keyword specifies the source address(es)	the rule  will
	      match.

       to <Address parameter>
	      The  to  keyword	specifies the destination address(es) the rule
	      will match.

       sport <Port parameter>
	      The sport	keyword	specifies the source  port(s)  the  rule  will
	      match.  This keyword is applicable only to TCP and UDP rules.

       dport <Port parameter>
	      The  dport  keyword  specifies  the destination port(s) the rule
	      will match.  This	keyword	is applicable  only  to	 TCP  and  UDP
	      rules.

       type <Type parameter>
	      The type keyword specifies an ICMP type.	This keyword is	appli-
	      cable only to ICMP rules.

FILTER PARAMETER SYNTAX
       An asterisk character ('*') may be used as a wildcard for  any  parame-
       ter.

       Address parameters
	      The syntax for an address parameter is [!]<addr>[/<mask>].  The
	      addr token specifies the address the rule	will match.  This  to-
	      ken  may	be specified in	quad-dot notation or as	a fully	quali-
	      fied domain name (FQDN).	The mask token	is  optional,  and  is
	      used  to	specify	a range	of addresses the rule will match.  The
	      mask token may be	specified either in quad-dot  notation,	 as  a
	      FQDN  or	in  CIDR  notation.  If	the mask token is present, the
	      addr token will be treated as a network address.

       Port parameters
	      The syntax for a port parameter is [!]<port-start>[:[<port-end>]].
	      The port-start token specifies the port the rule will match.  This
	      token may be specified as either a decimal number or as a service
	      name (e.g. "telnet").  The optional port-end token is used to
	      define port ranges the rule will match.  The port-end token also
	      may be specified as either a decimal number or a service name.
	      When the port-end token is present, the port-start token is
	      interpreted as the first port the rule will match.  Suffixing
	      port-start with a ':' but omitting the port-end parameter causes
	      port-end to be implicitly set to 65535 (i.e. all ports greater
	      than or equal to port-start will be matched).  In general,
	      "port1:portN" will match all ports from port1 to portN, inclusive.
	      "port1:" matches all ports from port1 to 65535, inclusive.

       Type parameters
	      Either integers or a string can be used to specify a type	param-
	      eter.  Obviously,	only an	integer	can be used to describe	a type
	      that  has	no name.  "ICMP_" may precede any of the names.	 Legal
	      type parameters follow:

	      NAME			    CODE
	      ECHOREPLY			    0
	      n/a			    1
	      n/a			    2
	      UNREACH			    3
	      SOURCEQUENCH		    4
	      REDIRECT			    5
	      n/a			    6
	      n/a			    7
	      ECHO			    8
	      ROUTERADVERT		    9
	      ROUTERSOLICIT		    10
	      TIMXCEED			    11
	      PARAMPROB			    12
	      TSTAMP			    13
	      TSTAMPREPLY		    14
	      IREQ			    15
	      IREQREPLY			    16
	      MASKREQ			    17
	      MASKREPLY			    18

GENERAL	FILTER SYNTAX
       *      Case is ignored in all places, except for in a service name
	      (e.g. "telnet").

       *      All parameters are optional except "log" or "ignore" and "tcp",
	      "udp" and "icmp".  Either log or ignore must be specified for
	      each rule.  Exactly one of the "tcp", "udp" and "icmp" parameters
	      must be specified for each rule.

       *      The order	in which the rules are listed is  not  significant  in
	      regard to	"log" or "ignore."  The	entries	will be	reordered such
	      that all "log" statements	precede	all "ignore" statements.
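       The filter rule grammar (FILTER RULE SYNTAX), the address, port and
       type parameters (FILTER PARAMETER SYNTAX) and the log-before-ignore
       ordering stated above, worked through as a parser and matcher.  This
       is an added example, not iplog's code: addresses are taken as full
       dotted quads (FQDN addresses and masks are not resolved), service
       names come from the system services database with a small
       constructed fallback table, and "first matching rule wins, unmatched
       traffic is logged" is an assumption the man page does not state.

```python
"""Parser and matcher for iplog.conf filter rules (added example, not iplog's own code).
Grammar from the man page: <log|ignore> <tcp|udp|icmp> [from A] [to A] [sport P] [dport P] | [type T]
with A = [!]<addr>[/<mask>], P = [!]<port-start>[:[<port-end>]], T = [!](number|name|ICMP_name).
Addresses must be full dotted quads (FQDNs are not resolved here); '*' wildcards any parameter."""
import ipaddress
import socket
from dataclasses import dataclass

# ICMP type names from the man page's table (types 1, 2, 6 and 7 have no name)
ICMP_TYPES = {"echoreply": 0, "unreach": 3, "sourcequench": 4, "redirect": 5, "echo": 8,
              "routeradvert": 9, "routersolicit": 10, "timxceed": 11, "paramprob": 12, "tstamp": 13,
              "tstampreply": 14, "ireq": 15, "ireqreply": 16, "maskreq": 17, "maskreply": 18}
# Constructed fallback so the example still runs where /etc/services is absent
FALLBACK_SERVICES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "http": 80}

@dataclass
class Rule:
    action: str              # "log" or "ignore"
    proto: str               # "tcp", "udp" or "icmp"
    src: tuple = None        # (negated, IPv4Network); None matches anything
    dst: tuple = None
    sport: tuple = None      # (negated, low, high)
    dport: tuple = None
    icmp_type: tuple = None  # (negated, type number)

def _split_negation(token):  # a leading '!' inverts the sense of any parameter
    return (True, token[1:]) if token.startswith("!") else (False, token)

def parse_address(token):
    negated, token = _split_negation(token)
    if token == "*":
        return None
    addr, _, mask = token.partition("/")  # mask may be "/24" or "/255.255.255.0"
    return negated, ipaddress.IPv4Network(f"{addr}/{mask or 32}", strict=False)

def _port_number(token, proto):
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token, proto)  # service names are case-sensitive
    except OSError:
        return FALLBACK_SERVICES[token]

def parse_port(token, proto):
    negated, token = _split_negation(token)
    if token == "*":
        return None
    start, sep, end = token.partition(":")
    low = _port_number(start, proto)
    # "p:" means p through 65535; "p:q" is inclusive; no ':' means the single port
    return negated, low, (low if not sep else 65535 if end == "" else _port_number(end, proto))

def parse_icmp_type(token):
    negated, token = _split_negation(token)
    if token == "*":
        return None
    name = token.lower().removeprefix("icmp_")
    return negated, int(name) if name.isdigit() else ICMP_TYPES[name]

def parse_rule(line):
    tokens = line.split("#", 1)[0].split()
    if (len(tokens) < 2 or len(tokens) % 2 or tokens[0].lower() not in ("log", "ignore")
            or tokens[1].lower() not in ("tcp", "udp", "icmp")):
        raise ValueError(f"malformed rule: {line!r}")
    rule = Rule(tokens[0].lower(), tokens[1].lower())  # keywords ignore case, service names do not
    for kw, val in zip(tokens[2::2], tokens[3::2]):
        kw = kw.lower()
        if kw in ("from", "to"):
            setattr(rule, {"from": "src", "to": "dst"}[kw], parse_address(val))
        elif kw in ("sport", "dport") and rule.proto != "icmp":
            setattr(rule, kw, parse_port(val, rule.proto))
        elif kw == "type" and rule.proto == "icmp":
            rule.icmp_type = parse_icmp_type(val)
        else:
            raise ValueError(f"keyword {kw!r} is not valid in a {rule.proto} rule")
    return rule

def _test(param, hit):  # None (absent or '*') always matches; otherwise apply the '!' inversion
    return True if param is None else hit(param[1:]) != param[0]

def matches(rule, pkt):
    """pkt: dict with proto, src, dst and sport/dport (tcp, udp) or type (icmp)."""
    if pkt["proto"] != rule.proto:
        return False
    src, dst = ipaddress.IPv4Address(pkt["src"]), ipaddress.IPv4Address(pkt["dst"])
    return (_test(rule.src, lambda s: src in s[0])
            and _test(rule.dst, lambda s: dst in s[0])
            and _test(rule.sport, lambda s: s[0] <= pkt.get("sport", -1) <= s[1])
            and _test(rule.dport, lambda s: s[0] <= pkt.get("dport", -1) <= s[1])
            and _test(rule.icmp_type, lambda s: pkt.get("type") == s[0]))

def order_rules(rules):  # stable reorder: every log rule precedes every ignore rule, as the man page states
    return sorted(rules, key=lambda r: r.action != "log")

def decide(rules, pkt, default="log"):
    """First matching rule wins and unmatched traffic is logged: assumptions, not man page text."""
    for rule in order_rules(rules):
        if matches(rule, pkt):
            return rule.action
    return default
```

       Because log rules are moved ahead of ignore rules before matching, a
       packet that fits both a "log" and an "ignore" rule is logged, which is
       the consequence of the ordering rule stated above.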

EXAMPLES
       Run as user nobody.
       user nobody

       Run with	group nogroup.
       group nogroup

       Log to /var/log/iplog
       logfile /var/log/iplog

       Use the syslog(3) facility log_daemon.
       facility	log_daemon

       Use the syslog(3) priority (level) log_info.
       priority	log_info

       Log the IP address as well as the hostname of packets.
       set log_ip true

       Do not log the destination of packets.
       set log_dest false

       Ignore DNS traffic from nameservers in /etc/resolv.conf.
       set ignore_dns

       Listen on eth0 and eth1
       interface eth0,eth1

       Ignore DNS traffic from nameservers.
       ignore udp from 192.168.0.1 sport 53
       ignore udp from 192.168.0.2 sport 53
       NOTE: Using the -d option will add similar rules for all nameservers
       listed in /etc/resolv.conf.

       Log  connections	with source port ftp-data (20) to ports	1045-1055, in-
       clusive.
       log tcp dport 1045:1055 sport ftp-data

       Ignore ftp-data connections to ports 1024 and above.
       ignore tcp dport	1024: sport 20

       Ignore WWW connections.
       ignore tcp dport	80

       Ignore ICMP unreach.
       ignore icmp type	unreach
	    or
       ignore icmp type	3

       Ignore ICMP traffic with	any type other than ECHO
       ignore icmp type	!echo

       Ignore UDP traffic from the 127.1.2 network
       ignore udp from 127.1.2/24
	    or
       ignore udp from 127.1.2/255.255.255.0

AUTHOR
       Ryan McCabe <odin@numb.org>

SEE ALSO
       iplog(8)	syslog(3) services(5)

iplog 2.2.3		       03 December 2000			 iplog.conf(5)
