Note:
I also tweaked the apf 0.9.5 and it works like a charm too.
If some of you are interested in how to create a specific log file for all apf drop logs with apf 0.9.5 (the current iworx version), just follow these instructions.
Replace step 1 of the previous post with this one.
1 - Tweak the apf firewall file
a- Backup the file
cp /etc/apf/firewall /etc/apf/firewall.save
b- Edit the file with your favorite editor
c.1- Find
if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
if [ "$EXLOG" == "1" ]; then
$IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_TCP DROP ** " --log-tcp-options --log-ip-options
$IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_UDP DROP ** " --log-ip-options
else
$IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_TCP DROP ** "
$IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_UDP DROP ** "
fi
fi
c.2- Now we'll add --log-level="debug" to tell apf to use the syslog facility with a level of debug. Replace the previous lines with these (or just add --log-level="debug" as shown here)
if [ "$DROP_LOG" == "1" ]; then
# Default TCP/UDP INPUT log chain
if [ "$EXLOG" == "1" ]; then
$IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-level="debug" --log-prefix "** IN_TCP DROP ** " --log-tcp-options --log-ip-options
$IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-level="debug" --log-prefix "** IN_UDP DROP ** " --log-ip-options
else
$IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-level="debug" --log-prefix "** IN_TCP DROP ** "
$IPT -A INPUT -p udp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-level="debug" --log-prefix "** IN_UDP DROP ** "
fi
fi
d.1- Find, just after these lines, this group of lines
if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
if [ "$EXLOG" == "1" ]; then
$IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** " --log-tcp-options --log-ip-options
$IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** " --log-ip-options
else
$IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_TCP DROP ** "
$IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-prefix "** OUT_UDP DROP ** "
fi
fi
d.2 - Replace with these lines (or just add --log-level="debug" as shown here)
if [ "$DROP_LOG" == "1" ] && [ "$EGF" == "1" ]; then
# Default TCP/UDP OUTPUT log chain
if [ "$EXLOG" == "1" ]; then
$IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-level="debug" --log-prefix "** OUT_TCP DROP ** " --log-tcp-options --log-ip-options
$IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-level="debug" --log-prefix "** OUT_UDP DROP ** " --log-ip-options
else
$IPT -A OUTPUT -p tcp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-level="debug" --log-prefix "** OUT_TCP DROP ** "
$IPT -A OUTPUT -p udp -m limit --limit $LRATE/minute -o $OUT_IF -j LOG --log-level="debug" --log-prefix "** OUT_UDP DROP ** "
fi
fi
e- Save the file and quit
1.2 - Tweak the log.rules APF file
a- Backup the file
cp /etc/apf/log.rules /etc/apf/log.rules.save
b- Edit the file
c- find and replace
Find
$IPT -A TELNET_LOG -j LOG --log-prefix "** TELNET ** "
Replace by (or just add --log-level="debug")
$IPT -A TELNET_LOG -j LOG --log-level="debug" --log-prefix "** TELNET ** "
Find
$IPT -A SSH_LOG -j LOG --log-prefix "** SSH ** "
Replace by (or just add --log-level="debug")
$IPT -A SSH_LOG -j LOG --log-level="debug" --log-prefix "** SSH ** "
That’s it for this STEP1.
After this, just follow ALL the other steps from 2 to the end as stated in the previous post.
Hope it helps
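The edits in step 1 above, done with sed instead of by hand, as an added example that is not from the original post: every rule that jumps to LOG and has no --log-level yet gets --log-level="debug" inserted right after "-j LOG", the same .save backup is kept, and a counter reports what is still missing. It assumes GNU or BSD sed and the /etc/apf paths used in the post; the sample rules it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): scripted version of the
# --log-level="debug" edit for the apf firewall and log.rules files.
set -eu

# Number of "-j LOG" rules in $1 that still lack a --log-level option.
count_unlevelled() {
    grep -- '-j LOG' "$1" | grep -vc -- '--log-level' || true
}

# Back up $1 to $1.save (as the post does), then rewrite $1 from the backup
# with the option inserted. Rules already carrying --log-level are left
# alone, so running this twice does not duplicate the option.
add_debug_level() {
    f="$1"
    cp "$f" "$f.save"
    sed -e '/-j LOG/{/--log-level/!s/-j LOG/-j LOG --log-level="debug"/;}' \
        "$f.save" > "$f"
}

# Writes a constructed three-rule sample (two LOG rules, one plain DROP)
# to $1 so the functions can be exercised without touching /etc/apf.
make_sample() {
    printf '%s\n' \
      '$IPT -A INPUT -p tcp -m limit --limit $LRATE/minute -i $IN_IF -j LOG --log-prefix "** IN_TCP DROP ** "' \
      '$IPT -A SSH_LOG -j LOG --log-prefix "** SSH ** "' \
      '$IPT -A INPUT -j DROP' > "$1"
}

# Usage: sh apf_loglevel.sh /etc/apf/firewall /etc/apf/log.rules
# (hypothetical script name; with no arguments nothing is modified)
[ $# -gt 0 ] || echo "usage: $0 /etc/apf/firewall /etc/apf/log.rules" >&2
for f in "$@"; do
    add_debug_level "$f"
    echo "$f: $(count_unlevelled "$f") LOG rule(s) still without --log-level"
done
```

Check the result with `count_unlevelled /etc/apf/firewall` before running `apf -r`; a non-zero count means a LOG rule that will still go to the default syslog level.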