IPF monitoring

I have never tried IPF and I made settings similar to what I have on IPFW and PF.
How should I monitor it in real time?
On IPFW I use tail -f /var/log/security and on PF I used tcpdump. What should I use on IPF?
I tried ipfstat -t and tail -f /var/log/ipfilter.log. I also tried ipmon -oS.
What is your suggestion, please?
If I run ipfstat I get this (and I do not have NAT settings):
Code:
0    input bad packets
0    input IPv6 packets
23    input packets blocked
81550    input packets passed
0    input packets not matched
0    input packets counted
0    input packets short
0    input packets logged and blocked
0    input packets logged and passed
0    input fragment state kept
0    input fragment state lost
0    input packet state kept
0    input packet state lost
0    input invalid source
0    input cache hits
0    input cache misses
0    input bad coalesces
0    input pullups succeeded
0    input pullups failed
0    input TCP checksum failures
23    input block reason packet blocked
0    input block reason log rule failure
0    input block reason pps rate exceeded
0    input block reason jumbogram
0    input block reason makefrip failed
0    input block reason cannot add state
0    input block reason IP ID update failed
0    input block reason log-or-block failed
0    input block reason decapsulate failure
0    input block reason cannot create new auth entry
0    input block reason packet queued for auth
0    input block reason buffer coalesce failure
0    input block reason buffer pullup failure
0    input block reason auth feedback
0    input block reason bad fragment
0    input block reason IPv4 NAT failure
0    input block reason IPv6 NAT failure
0    output bad packets
0    output IPv6 packets
1588    output packets blocked
50855    output packets passed
0    output packets not matched
0    output packets counted
0    output packets short
1588    output packets logged and blocked
0    output packets logged and passed
0    output fragment state kept
0    output fragment state lost
582    output packet state kept
0    output packet state lost
0    output invalid source
0    output cache hits
0    output cache misses
0    output bad coalesces
0    output pullups succeeded
0    output pullups failed
0    output TCP checksum failures
1588    output block reason packet blocked
0    output block reason log rule failure
0    output block reason pps rate exceeded
0    output block reason jumbogram
0    output block reason makefrip failed
0    output block reason cannot add state
0    output block reason IP ID update failed
0    output block reason log-or-block failed
0    output block reason decapsulate failure
0    output block reason cannot create new auth entry
0    output block reason packet queued for auth
0    output block reason buffer coalesce failure
0    output block reason buffer pullup failure
0    output block reason auth feedback
0    output block reason bad fragment
0    output block reason IPv4 NAT failure
0    output block reason IPv6 NAT failure
1588    packets logged
0    log failures
0    red-black no memory
0    red-black node maximum
0    ICMP replies sent
0    TCP RSTs sent
0    fastroute successes
0    fastroute failures
33033    IPF Ticks
0    Packet log flags set:
    none
 
Hi,

I've just tried it quickly by following the handbook and a few links from the wiki; in the end it works for me.

This is what I've done:
Code:
~ > grep -E "ipmon|ipf" /etc/rc.conf
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
ipmon_enable="YES"
ipmon_flags="-Ds"

Code:
~ > ll /var/log/ipfilter.log
-rw-------  1 root  wheel   4,9M 14 mars  20:46 /var/log/ipfilter.log
Check the permissions here just in case: chmod 600 /var/log/ipfilter.log

Code:
~ > grep ipfilter /etc/syslog.conf 
local0.*                                        /var/log/ipfilter.log
Careful though, it didn't work until I removed the spaces instead of tabs in /etc/syslog.conf

Like you suggested, I used the command tail -f /var/log/ipfilter.log and it's fine in my case; my ipf rules are not really good though, I've abused the log keyword to see if monitoring would work, lol.
 
What do you have in newsyslog.conf? I have:
Code:
/var/log/ipfilter.log            600  10       1000 *     JC

I hope that is correct.
 
What do you have in newsyslog.conf?
I have the exact same thing as you because I basically just copied the line for "/var/log/security"; to me it seems a good example to follow: permissions, size and count are okay, and the compression doesn't bother me, so I don't see a reason to change anything here, and most importantly it works fine like that :)

I like it, and ipfstat and ipmon are good and they have many options.
Honestly I've barely scratched the surface yet; I set it up in a VM to play with it, but I agree with you, IPF probably deserves more attention, it's not bad at all.
I've read a few files from /usr/share/examples/ipfilter (it probably needs a bit of cleaning here); hell, there is even mkfilters that helps to build a minimal set of rules.

Things I am not a fan of:
1) I do not like how rules are displayed by ipfstat -nio; I am confused by the rule numbers and I do not understand why inbound and outbound are indexed separately.
2) monitoring: for me nothing beats the IPFW presentation

IPFW:
Code:
Mar 14 12:16:07 fbsd13b kernel: ipfw: 1000 Deny UDP 192.168.1.93:45115 224.0.0.251:5353 in via vtnet0
PF:
Code:
2025-03-15 16:15:08.495855 rule 0/0(match): block in on vtnet0: 192.168.1.93.53916 > 224.0.0.251.5353: 12940 [|domain]
IPF:
Code:
Mar 15 16:19:26 fbsd13c ipmon[1788]: 16:19:26.167538 vtnet0 @0:1 b 192.168.1.93,36643 -> 224.0.0.251,5353 PR udp len 20 71 IN low-ttl multicast

IPFW shows the rule number and a part of the rule itself, while IPF and PF only refer to the rule number, which forces you either to remember what the rule is or to search for it, and then comes 1).

PS:
FWIW I've found an interesting old HowTo on github (could be in the wiki may be ?):
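As an added example (not code from the thread or from IPFilter itself), here is a small Python parser for the ipmon line format quoted above. It aggregates blocked and passed packets per @group:rule reference, which is the key you then look up in ipfstat -nio output; only the first sample line is from the thread, the others are constructed.

```python
import re
from collections import Counter

# Line shape of ipmon(8) output as it reaches /var/log/ipfilter.log via
# syslog: "<date> <host> ipmon[pid]: <time> <iface> @group:rule <action>
# <src>,<sport> -> <dst>,<dport> PR <proto> len <hlen> <plen> [IN|OUT] [flags]".
IPMON_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[0-9A-Fa-f.:]+)(?:,(?P<sport>\d+))? -> "
    r"(?P<dst>[0-9A-Fa-f.:]+)(?:,(?P<dport>\d+))? PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$"
)
ACTIONS = {"b": "block", "p": "pass"}  # ipmon(8) codes; others kept raw

def parse_ipmon_line(line):
    """Fields of one ipmon packet line, or None for any other syslog line."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    rest = f.pop("rest").split()
    f["direction"] = next((t for t in rest if t in ("IN", "OUT")), "?")
    f["flags"] = [t for t in rest if t not in ("IN", "OUT")]
    f["action"] = ACTIONS.get(f["action"], f["action"])
    f["rule_ref"] = "@%s:%s" % (f["group"], f["rule"])  # as numbered by ipfstat -nio
    return f

def summarize(lines):
    """Packet counts per (direction, action, rule reference, protocol)."""
    counts = Counter()
    for line in lines:
        f = parse_ipmon_line(line)
        if f:
            counts[(f["direction"], f["action"], f["rule_ref"], f["proto"])] += 1
    return counts

# Constructed sample: line 1 is the one quoted in the thread, the rest are
# made up, and the last is a non-ipmon syslog line the parser must skip.
SAMPLE = """\
Mar 15 16:19:26 fbsd13c ipmon[1788]: 16:19:26.167538 vtnet0 @0:1 b 192.168.1.93,36643 -> 224.0.0.251,5353 PR udp len 20 71 IN low-ttl multicast
Mar 15 16:19:27 fbsd13c ipmon[1788]: 16:19:27.001122 vtnet0 @0:3 p 192.168.1.191,51022 -> 192.168.1.1,53 PR udp len 20 60 OUT
Mar 15 16:19:28 fbsd13c ipmon[1788]: 16:19:28.443311 vtnet0 @0:1 b 192.168.1.93,36643 -> 224.0.0.251,5353 PR udp len 20 71 IN low-ttl multicast
Mar 15 16:19:29 fbsd13c syslogd: restart
""".splitlines()

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).most_common():
        print("%5d  %s" % (n, "  ".join(key)))
```

Feeding it `tail -f /var/log/ipfilter.log` line by line gives a live per-rule view; compare rule_ref against the numbers printed by ipfstat -nio to recover the rule text.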
 
Did you try mkfilters?
Yes, very quickly. What it does is harmless: it only shows a set of rules that one can start with; nothing is written to a configuration file, just raw output.

Code:
~ > /usr/share/examples/ipfilter/mkfilters
#
# The following routes should be configured, if not already:
#
# route add 192.168.1.191 localhost 0
#
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out on vtnet0 all head 250
block out from 127.0.0.0/8 to any group 250
block out from any to 127.0.0.0/8 group 250
block out from any to 192.168.1.191/32 group 250
pass in on vtnet0 all head 200
block in from 127.0.0.0/8 to any group 200
block in from 192.168.1.191/32 to any group 200

As you guessed, the IP of the VM is 192.168.1.191 and vtnet0 is the network interface; the rest is a few rules that protect the system against wrong IPs.
This advice can also be found in /usr/share/examples/ipfilter/ipf.conf.permissive and /usr/share/examples/ipfilter/ipf.conf.sample.
If I am not wrong there are also these kinds of rules in /etc/rc.firewall for IPFW, minus the "group thing" which is only an IPF feature, but you get the idea.

Overall mkfilters does not do a giant job; obviously you can't rely on it to build a complete set of rules, but still I appreciate the gesture: if one doesn't know where to start this can help a little bit. Then, as said before, the example files are a good thing; I wish we had that for IPFW.
 