Problem: IPFW seems to not be logging anything within my Transmission jail. I'm currently using FreeNAS 11.2-U6 and my iocage jail has been created with the 11.2-RELEASE. I'm trying to use the logs to troubleshoot a separate issue I'm having with Transmission Remote GUI (installed on my laptop) not connecting through a PIA openvpn connection... But, it appears that this is a roadblocking issue just getting the ipfw logs to work in itself! I'll probably give you too much info, but here's what I have...
I have read the FreeBSD Handbook IPFW page and everything seems right. I have also read through the ipfw(8) man page and still can't seem to figure out why the logs are not working... The results of the ipfw logs are supposed to be put into the /var/log/security file, but as per what I shared above, that's the only content that has ever appeared in that file... Any help on what I've posted, or even pointing me in the right direction would be GREATLY appreciated!!! (I can't believe that this late into the game there could still possibly be a bug here...) Or, if there's any questions, I should be able to get online and answer anything every evening sometime (EST).
Thanks again all!!!
Code:
# $FreeBSD: releng/11.2/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0

# Enable ipfw logging
net.inet.ip.fw.verbose=1
# Limit to 5 lines of activity from ipfw (per rule, until `ipfw resetlog` is run)
net.inet.ip.fw.verbose_limit=5
Code:
#!/bin/sh
##########################################################################################
# IPFW RULES
##########################################################################################
# (FreeBSD has no /bin/bash; nothing below needs bash, so /bin/sh is used)

# Flush out the list before we begin
ipfw -q -f flush

# Set variables
CMD="ipfw -q add"    # too lazy to type this out every time
PIF="epair0b"        # interface name of NIC attached to Internet
VPN="tun0"           # interface name for openvpn PIA connection

# Retrieve the openvpn port number created by transmission-port-forward.sh
VPNPORT=$(cat "/myscriptlogs/ipfw-openvpn.port")
#echo $VPNPORT #just to test
# an empty port file would otherwise produce a broken rule 00011 below
[ -n "$VPNPORT" ] || { echo "no forwarded port in /myscriptlogs/ipfw-openvpn.port" >&2; exit 1; }

#sample command
#add 01000 allow log udp from 192.168.1.0/24 to 184.75.220.106 dst-port 53 keep-state

# allow all local traffic on the loopback interface
$CMD 00001 allow log tcp from any to any via lo0

# allow any connection to/from VPN interface
$CMD 00010 allow log tcp from any to any via $VPN

# allow anything incoming on the vpn with the forwarded port number
$CMD 00011 allow log tcp from any to me $VPNPORT via $VPN

# allow connection to/from LAN by Transmission
$CMD 00101 allow log tcp from me to 192.168.2.0/24 uid transmission
$CMD 00102 allow log tcp from 192.168.2.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$CMD 00103 deny log tcp from any to any uid transmission
Code:
root@Transmission:/ # ipfw list
00001 allow log logamount 5 tcp from any to any via lo0
00010 allow log logamount 5 tcp from any to any via tun0
00011 allow log logamount 5 tcp from any to any via tun0
00101 allow log logamount 5 tcp from me to 192.168.2.0/24 uid transmission
00102 allow log logamount 5 tcp from 192.168.2.0/24 to me uid transmission
00103 allow log logamount 5 tcp from any to any uid transmission
65535 allow ip from any to any
Code:
Dec 11 02:00:48 Transmission newsyslog[77158]: logfile first created
Code:
#!/usr/bin/env bash
#
# Enable port forwarding when using Private Internet Access
# install the following in order to run
# - pkg install curl
# - pkg install bash
# - pkg install jq
# - pkg install -y p5-Digest-SHA
#
# Usage:
# ./usr/local/etc/openvpn/transmission-port-forward.sh

#Declare the variables for the script (credentials live here: keep this file unreadable to other users)
TRANSUSER=transuser
TRANSPASS=transpass
TRANSHOST=192.168.2.xxx

error() {
    echo "$@" 1>&2
    exit 1
}

error_and_usage() {
    echo "$@" 1>&2
    usage_and_exit 1
}

usage() {
    echo "Usage: `dirname $0`/$PROGRAM"
}

usage_and_exit() {
    usage
    exit $1
}

version() {
    echo "$PROGRAM version $VERSION"
}

port_forward_assignment() {
    #Loading port forward assignment information
    if [ "$(uname)" == "Linux" ]; then
        client_id=`head -n 100 /dev/urandom | sha256sum | tr -d " -"`
    fi
    if [ "$(uname)" == "FreeBSD" ]; then
        client_id=`head -n 100 /dev/urandom | shasum -a 256 | tr -d " -"`
    fi

    #Retrieve port information
    json=`curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`

    #What to do if port forward is already active or if connection has failed
    if [ "$json" == "" ]; then
        #Write to the log file as follows
        #Uncomment this line for troubleshooting while working on stuff as needed.....
        #echo As of $(date) port forwarding is already activated on the connection or has expired. Restart the jail... >> /usr/local/etc/openvpn/transmission-port-forward.log 2>&1
        exit 0
    fi

    #Show the returned port number
    echo server returned "$json"

    #trim VPN forwarded port from JSON
    PORT=$(echo $json | awk 'BEGIN{r=1;FS="[{}\":]+"} /port/{r=0; print $3} END{exit r}')
    echo if successful, trimmed port is:"$PORT"
    #stop here rather than writing an empty port into the ipfw port file
    [ -n "$PORT" ] || error "could not extract a port number from: $json"

    #Get the openvpn WAN IP Address
    OPENVPNIP=`curl "ifconfig.me" 2>/dev/null`
    #json=`curl "http://209.222.18.222:2000/?client_id=$client_id" 2>/dev/null`

    #write the port number to a log file for me to quickly keep tabs on
    echo As of $(date) the transmission-remote access is "$OPENVPNIP:$PORT" >> /myscriptlogs/transmission-port-forward.log 2>&1

    #write the port number only to a file for use by ipfw then restart ipfw to load the new port number
    echo $PORT > /myscriptlogs/ipfw-openvpn.port 2>&1

    #change transmission port on the fly
    transmission-remote $TRANSHOST --auth $TRANSUSER:$TRANSPASS -p "$PORT"
    echo "Transmission-remote updated successfully" >> /myscriptlogs/transmission-port-forward.log 2>&1
    #echo remember to run no longer than 2 mins after reconnecting/connecting to vpn server.
}

EXITCODE=0
PROGRAM=`basename $0`
VERSION=2.1

while test $# -gt 0
do
    case $1 in
        --usage | --help | -h )
            usage_and_exit 0
            ;;
        --version | -v )
            version
            exit 0
            ;;
        *)
            error_and_usage "Unrecognized option: $1"
            ;;
    esac
    shift
done

port_forward_assignment
exit 0
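An added diagnostic for the logging problem, not part of the original post: it classifies the rules printed by `ipfw -a list` so that a rule that never matched can be told apart from one that matched but whose log entries ended up elsewhere. It assumes a VNET jail (the only kind in which ipfw runs inside iocage), and the sample rule listing is constructed.

```shell
#!/bin/sh
# Classify the rules printed by `ipfw -a list` (columns: rule number, packet
# counter, byte counter, rule body). Two facts this relies on:
#  - with net.inet.ip.fw.verbose_limit=5 (as in the sysctl.conf above) every
#    rule logs at most 5 packets and then stays silent until `ipfw resetlog`;
#  - ipfw log lines are written by the kernel, so in a VNET jail they are read
#    by the host's syslogd from /dev/klog (a device the jail's devfs ruleset
#    hides) and land in the host's /var/log/security, not the jail's.

# Constructed sample in the format of `ipfw -a list` from the Transmission jail.
SAMPLE='00001   12    960 allow log logamount 5 tcp from any to any via lo0
00010    0      0 allow log logamount 5 tcp from any to any via tun0
00101    3    412 allow log logamount 5 tcp from me to 192.168.2.0/24 uid transmission
65535 4821 601233 allow ip from any to any'

# Usage: ipfw_log_report "$(ipfw -a list)" LIMIT
# Prints "RULE STATUS" per rule, where STATUS is one of
#   nolog      no "log" keyword, the rule will never produce a log line
#   unmatched  log rule with a zero packet counter: traffic never hit it
#   logging    counter below LIMIT: entries should already be in the kernel log
#   exhausted  counter at/over LIMIT: logging stopped until `ipfw resetlog`
ipfw_log_report() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        NF >= 4 {
            rule = $1; pkts = $2 + 0
            body = ""
            for (i = 4; i <= NF; i++) body = body " " $i
            if (body !~ / log /)      status = "nolog"
            else if (pkts == 0)       status = "unmatched"
            else if (pkts >= limit)   status = "exhausted"
            else                      status = "logging"
            print rule, status
        }'
}

# Number of rules in a given status, e.g. count_status "$(ipfw -a list)" 5 exhausted
count_status() {
    ipfw_log_report "$1" "$2" | awk -v s="$3" '$2 == s' | wc -l | tr -d ' '
}

ipfw_log_report "$SAMPLE" 5
```

Run it on the host as well as in the jail; if the jail's rules show `logging` or `exhausted` while the jail's /var/log/security stays empty, look for the entries in the host's log.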