iplog.conf man page on Mandriva


iplog.conf(5)							 iplog.conf(5)

NAME
       iplog.conf - iplog configuration file.

DESCRIPTION
       Upon execution and upon being restarted, iplog reads a list of configu‐
       ration rules from its configuration file.  The default location of this
       file is /etc/iplog.conf.

NOTATION
       Throughout this document, required parameters will be denoted by
       enclosing the parameter in angle brackets <like this>.

       Optional parameters will be denoted by enclosing the parameter in
       square brackets [like this].

       The '|' character is used to express exclusive or.  For example
       [true|false] means you may give "true" or "false", but not both.

COMMENTS
       The '#' character marks the beginning of a comment.  C-style (/**/)
       comments are accepted, also.

RULE CLASSES
       There are nine classes of rules supported in the iplog configuration
       file.  These rules are: set rules, interface rule, priority rule,
       facility rule, user rule, group rule, promisc rule, logfile rule, and
       pid-file rule.

SET RULE SYNTAX
       Set rules allow for boolean program options to be enabled  or  disabled
       at runtime.

       The syntax for "set" rules is:
       set <keyword> [true|false]

SET KEYWORDS
       tcp    Log or ignore TCP traffic.

       udp    Log or ignore UDP traffic.

       icmp   Log or ignore ICMP traffic.

       frag   Enable  or  disable detection of IP fragment attacks (duplicated
	      and overlapping fragments).

       smurf  Enable or disable detection of "smurf" attacks.

       bogus  Enable or disable detection of  TCP  packets  with  invalid  TCP
	      flags  set.  Programs such as nmap and queso may set these flags
	      while trying to perform OS detection.

       log_ip Enable or disable logging IP addresses in addition to host
              names.

       log_dest
	      Log the destination address of IP packets that are received.

       stdout Enable  or disable logging to stdout.  This option is incompati‐
	      ble with the "logfile" keyword.

       no_fork
	      Enable or disable running in the foreground.

       verbose
              Enable or disable verbose mode.  In verbose mode, packets with
              invalid checksums and truncated headers are logged.

       fin_scan
	      Enable or disable the detection of TCP FIN scans.

       syn_scan
	      Enable or disable the detection of TCP SYN scans.

       udp_scan
	      Enable or disable the detection of UDP scans and UDP floods.

       portscan
	      Enable or disable the detection of TCP port scans.

       fool_nmap
              Enable or disable a mechanism that attempts to fool programs,
              such as nmap and queso, that perform remote OS detection.  As a
              side effect, enabling this option will also cause most of nmap's
              "stealth" scans to fail.

       xmas_scan
	      Enable or disable the detection of TCP XMas scans.

       null_scan
	      Enable or disable the detection of TCP null scans.

       get_ident
              Enable or disable fetching IDENT info for connections to local
              ports that are listening.  This option is only available on
              Linux.

       dns_cache
	      Enable or disable the use of a built-in DNS cache.

       syn_flood
              If this option is enabled, iplog will stop resolving IP
              addresses (until the flood ends) if a SYN flood is detected.

       ignore_dns
              If this option is enabled, DNS traffic from hosts listed in
              /etc/resolv.conf will be ignored.

       ping_flood
	      Enable or disable detection of ICMP ping floods.

       scans_only
	      Enable or disable detecting only scans and floods.

       traceroute
	      Enable or disable detection of traceroute.

       udp_resolve
	      Enable or disable looking up the host names for the  source  and
	      destination hosts for UDP traffic.

       tcp_resolve
	      Enable  or  disable looking up the host names for the source and
	      destination hosts for TCP traffic.

       icmp_resolve
	      Enable or disable looking up the host names for the  source  and
	      destination hosts for ICMP traffic.

       disable_resolver
	      Enable or disable turning off host name lookups for all traffic.

INTERFACE RULE SYNTAX
       The interface rule is used to define the interfaces on which iplog will
       listen.

       The rule format for the interface rule is:
       interface <if0,...,ifN>
       where ifX is an interface name.

PRIORITY RULE SYNTAX
       The priority rule is used to define the syslog(3) priority (or level)
       that iplog will use.

       The rule format for the priority rule is:
       priority <syslog_priority>
       See syslog(3) for a list of valid priority levels.

FACILITY RULE SYNTAX
       The facility rule is used to define the syslog(3) facility that iplog
       will use.

       The rule format for the facility rule is:
       facility <syslog_facility>
       See syslog(3) for a list of valid syslog facilities.

USER RULE SYNTAX
       The user rule is used to define which user iplog will run as.

       The user rule format is:
       user <UID|username>

GROUP RULE SYNTAX
       The group rule is used to define which group iplog will run with.

       The group rule format is:
       group <GID|group>

LOGFILE RULE SYNTAX
       The logfile rule is used to define a file to which iplog will log its
       output.  iplog can either log to syslog, to stdout or to a logfile, but
       only one.

       The logfile rule format is:
       logfile <path_to_logfile>

PID-FILE RULE SYNTAX
       The pid-file rule is used to specify the location of iplog's pid file.
       The user that iplog will run as should have write access to the direc‐
       tory the specified file is in.  The location of the pid file defaults
       to /var/run/iplog.pid.

       This option should be used when iplog is set to run as a user that does
       not have write access to /var/run.

       The pid-file rule format is:
       pid-file <path_to_pid-file>

PROMISC RULE SYNTAX
       The promisc rule enables iplog to operate in promiscuous mode.  In pro‐
       miscuous mode, iplog examines traffic to all visible hosts on the local
       network.

       The rule format for the promisc rule is:
       promisc <network0,...,networkN>

FILTER RULE SYNTAX
       The rule format for TCP and UDP filters is:
       <log|ignore> <tcp|udp>
       [from [!]<address>[/<mask>]]
       [sport [!]<port-start[:[<port-end>]]>]
       [to [!]<address>[/<mask>]]
       [dport [!]<port-start[:[<port-end>]]>]
       (All on one line)

       The rule format for ICMP filters is:
       <log|ignore> icmp
       [type [!]<type>]
       [from [!]<address>[/<mask>]]
       [to [!]<address>[/<mask>]]
       (All on one line)

FILTER KEYWORDS
       The sense of a keyword can be inverted by prefixing its argument with a
       '!' character.

       log    Log packets matching the rule.  Either this or ignore must be
              the first keyword specified in a rule.  The log and ignore key‐
              words cannot be used in the same rule.

       ignore Ignore packets matching the rule.  Either this or log must be
              the first keyword specified in a rule.  The log and ignore key‐
              words cannot be used in the same rule.

       tcp    Specifies this rule should be applied to TCP traffic.  Exactly
              one of the tcp, udp and icmp keywords must be used in each rule.

       udp    Specifies this rule should be applied to UDP traffic.  Exactly
              one of the tcp, udp and icmp keywords must be used in each rule.

       icmp   Specifies this rule should be applied to ICMP traffic.  Exactly
              one of the tcp, udp and icmp keywords must be used in each rule.

       from <Address parameter>
              The from keyword specifies the source address(es) the rule will
              match.

       to <Address parameter>
              The to keyword specifies the destination address(es) the rule
              will match.

       sport <Port parameter>
              The sport keyword specifies the source port(s) the rule will
              match.  This keyword is applicable only to TCP and UDP rules.

       dport <Port parameter>
              The dport keyword specifies the destination port(s) the rule
              will match.  This keyword is applicable only to TCP and UDP
              rules.

       type <Type parameter>
              The type keyword specifies an ICMP type.  This keyword is appli‐
              cable only to ICMP rules.

FILTER PARAMETER SYNTAX
       An asterisk character ('*') may be used as a wildcard for  any  parame‐
       ter.

       Address parameters
              The syntax for an address parameter is [!]<addr>[/<mask>].  The
              addr token specifies the address the rule will match.  This
              token may be specified in quad-dot notation or as a fully quali‐
              fied domain name (FQDN).  The mask token is optional, and is
              used to specify a range of addresses the rule will match.  The
              mask token may be specified either in quad-dot notation, as a
              FQDN or in CIDR notation.  If the mask token is present, the
              addr token will be treated as a network address.

       Port parameters
              The syntax for a port parameter is [!]<port-start[:[<port-
              end>]]>.  The port-start token specifies the port the rule will
              match.  This token may be specified as either a decimal number
              or as a service name (e.g. "telnet").  The optional port-end
              token is used to define port ranges the rule will match.  The
              port-end token also may be specified as either a decimal number
              or a service name.  When the port-end token is present, the
              port-start token is interpreted as the first port the rule will
              match.  Suffixing port-start with a ':' but omitting the port-
              end parameter causes port-end to be implicitly set to 65535
              (i.e. all ports greater than or equal to port-start will be
              matched).  In general, "port1:portN" will match all ports from
              port1 to portN, inclusive.  "port1:" matches all ports from
              port1 to 65535, inclusive.

       Type parameters
              Either integers or a string can be used to specify a type param‐
              eter.  Obviously, only an integer can be used to describe a type
              that has no name.  "ICMP_" may precede any of the names.  Legal
              type parameters follow:

              NAME                CODE
              ECHOREPLY           0
              n/a                 1
              n/a                 2
              UNREACH             3
              SOURCEQUENCH        4
              REDIRECT            5
              n/a                 6
              n/a                 7
              ECHO                8
              ROUTERADVERT        9
              ROUTERSOLICIT       10
              TIMXCEED            11
              PARAMPROB           12
              TSTAMP              13
              TSTAMPREPLY         14
              IREQ                15
              IREQREPLY           16
              MASKREQ             17
              MASKREPLY           18

GENERAL FILTER SYNTAX
       *      Case is ignored in all places, except for in a service name
              (i.e. "telnet").

       *      All parameters are optional except "log" or "ignore" and one of
              "tcp", "udp" and "icmp".  Either log or ignore must be specified
              for each rule.  Exactly one of the "tcp", "udp" and "icmp"
              parameters must be specified for each rule.

       *      The order in which the rules are listed is not significant in
              regard to "log" or "ignore."  The entries will be reordered such
              that all "log" statements precede all "ignore" statements.
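
       The following Python program is an added example; it is not part of
       iplog or of this manual page.  It parses filter rules as the FILTER
       RULE SYNTAX, FILTER PARAMETER SYNTAX and GENERAL FILTER SYNTAX sections
       above describe them ('!' inversion, "port1:" ranges, dotted-quad or
       CIDR masks, ICMP type names, and the reordering of all log rules
       before all ignore rules), reports rules iplog would not accept, and
       tests a packet against a parsed rule.  The SERVICES table and
       SAMPLE_CONF are constructed for the example; iplog itself consults
       /etc/services.

```python
"""Lint iplog.conf filter rules and test packets against them (added example, not iplog's code)."""
import ipaddress
import re

# ICMP type names from the Type parameters table in iplog.conf(5)
ICMP_TYPES = {"ECHOREPLY": 0, "UNREACH": 3, "SOURCEQUENCH": 4, "REDIRECT": 5,
              "ECHO": 8, "ROUTERADVERT": 9, "ROUTERSOLICIT": 10, "TIMXCEED": 11,
              "PARAMPROB": 12, "TSTAMP": 13, "TSTAMPREPLY": 14, "IREQ": 15,
              "IREQREPLY": 16, "MASKREQ": 17, "MASKREPLY": 18}
# Constructed stand-in for /etc/services so the example runs offline (iplog uses the real file)
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "http": 80}
SAMPLE_CONF = """\
pid-file /var/run/iplog/iplog.pid  /* constructed sample config for this example */
log tcp dport 1045:1055 sport ftp-data     # FTP data connections from port 20
ignore tcp dport 1024: sport 20
ignore icmp type !echo
ignore udp from 192.168.5.0/255.255.255.0
log tcp from !10.0.0.0/8 dport ssh
ignore icmp dport 80                        # error: dport is not valid in an ICMP rule
"""

def parse_port(token):
    """[!]<port-start[:[<port-end>]]> -> (negate, low, high); 'p:' means p..65535, '*' any."""
    def number(name):  # service names are the one case-sensitive token in a rule
        if name.isdigit() and int(name) <= 65535:
            return int(name)
        if name in SERVICES:
            return SERVICES[name]
        raise ValueError(f"unknown port or service {name!r}")
    negate, token = token.startswith("!"), token.lstrip("!")
    start, colon, end = ("0", ":", "") if token == "*" else token.partition(":")
    low = number(start)
    return negate, low, low if not colon else 65535 if end == "" else number(end)

def parse_address(token):
    """[!]<addr>[/<mask>] -> (negate, IPv4Network); the mask may be a CIDR prefix or a dotted quad."""
    negate, token = token.startswith("!"), token.lstrip("!")
    try:  # strict=False masks host bits off: with a mask present, addr is treated as a network
        return negate, ipaddress.ip_network("0.0.0.0/0" if token == "*" else token, strict=False)
    except ValueError:
        if "/" in token or not re.fullmatch(r"[A-Za-z0-9.-]+", token):
            raise
        return negate, token  # an FQDN: iplog resolves it at runtime, this linter keeps the string

def parse_type(token):
    """[!]<type> -> (negate, code); names are case-insensitive and may carry an 'ICMP_' prefix."""
    negate, token = token.startswith("!"), token.lstrip("!")
    if token == "*" or token.isdigit():
        return negate, None if token == "*" else int(token)
    name = token.upper()
    name = name[5:] if name.startswith("ICMP_") else name
    if name not in ICMP_TYPES:
        raise ValueError(f"unknown ICMP type {token!r}")
    return negate, ICMP_TYPES[name]

def parse_filter(line):
    """Parse '<log|ignore> <tcp|udp|icmp> [keyword arg]...' into a dict."""
    words = line.split()
    action, proto = [w.lower() for w in (words + ["", ""])[:2]]
    if action not in ("log", "ignore") or proto not in ("tcp", "udp", "icmp") or len(words) % 2:
        raise ValueError("expected log|ignore, exactly one of tcp|udp|icmp, then keyword/argument pairs")
    allowed = {"from", "to"} | ({"type"} if proto == "icmp" else {"sport", "dport"})
    rule = {"action": action, "proto": proto}
    for kw, arg in zip(words[2::2], words[3::2]):
        kw = kw.lower()
        if kw not in allowed or kw in rule:
            raise ValueError(f"keyword {kw!r} not allowed or repeated in {proto} rules")
        rule[kw] = (parse_address if kw in ("from", "to") else parse_type if kw == "type" else parse_port)(arg)
    return rule

def lint(text):
    """Return (rules, errors); rules are reordered as iplog does it: all log before all ignore."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)  # keep line count
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0].lower() not in ("log", "ignore"):
            continue  # blank, or a set/interface/user/... rule this linter does not check
        try:
            rules.append(parse_filter(line))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    rules.sort(key=lambda r: r["action"] == "ignore")  # stable: order within each group is kept
    return rules, errors

def matches(rule, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """True if a packet matches the rule; a '!' parameter inverts that one test."""
    pkt = {"from": src, "to": dst, "sport": sport, "dport": dport, "type": icmp_type}
    hits = [rule["proto"] == proto]
    for kw in rule.keys() - {"action", "proto"}:
        negate, *want = rule[kw]
        if kw in ("from", "to"):  # an unresolved FQDN cannot be tested offline: never matches
            hit = not isinstance(want[0], str) and ipaddress.ip_address(pkt[kw]) in want[0]
        elif kw == "type":
            hit = want[0] is None or pkt[kw] == want[0]
        else:
            hit = want[0] <= pkt[kw] <= want[1]
        hits.append(hit != negate)
    return all(hits)
```

       Running lint() over a configuration before restarting iplog catches a
       rule that would otherwise be rejected at startup, such as the ICMP
       rule with a dport keyword in SAMPLE_CONF, and the reordered rule list
       it returns is the order in which iplog will actually consult them.
       Two caveats: an FQDN address is kept unresolved, so matches() treats
       it as never matching, and Python's ipaddress module does not accept
       abbreviated addresses such as the "127.1.2" form used in the EXAMPLES
       section, so spell out all four octets when using this checker.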

EXAMPLES
       Run as user nobody.
       user nobody

       Run with group nogroup.
       group nogroup

       Log to /var/log/iplog.
       logfile /var/log/iplog

       Use the syslog(3) facility log_daemon.
       facility log_daemon

       Use the syslog(3) priority (level) log_info.
       priority log_info

       Log the IP address as well as the hostname of packets.
       set log_ip true

       Do not log the destination of packets.
       set log_dest false

       Ignore DNS traffic from nameservers in /etc/resolv.conf.
       set ignore_dns

       Listen on eth0 and eth1.
       interface eth0,eth1

       Ignore DNS traffic from nameservers.
       ignore udp from 192.168.0.1 sport 53
       ignore udp from 192.168.0.2 sport 53
       NOTE: (Using the -d option will add similar rules for all nameservers
       listed in /etc/resolv.conf).

       Log connections with source port ftp-data (20) to ports 1045-1055,
       inclusive.
       log tcp dport 1045:1055 sport ftp-data

       Ignore ftp-data connections to ports 1024 and above.
       ignore tcp dport 1024: sport 20

       Ignore WWW connections.
       ignore tcp dport 80

       Ignore ICMP unreach.
       ignore icmp type unreach
            or
       ignore icmp type 3

       Ignore ICMP traffic with any type other than ECHO.
       ignore icmp type !echo

       Ignore UDP traffic from the 127.1.2 network.
       ignore udp from 127.1.2/24
            or
       ignore udp from 127.1.2/255.255.255.0

AUTHOR
       Ryan McCabe <odin@numb.org>

SEE ALSO
       iplog(8), syslog(3), services(5)

iplog 2.2.3		       03 December 2000			 iplog.conf(5)