HP-UX IPFilter V18.0 Administrator Guide for HP-UX 11i v3

The valid values for facility are:
kern        user        mail
daemon      auth        syslog
lpr         news        uucp
cron        ftp         authpriv
audit       logalert    local0
local1      local2      local3
local4      local5      local6
local7
The valid values for priority are:
emerg       alert       crit
err         warn        notice
info        debug
Example:
block in log level auth.info quick on lan0 from 20.20.20.0/24 to any
block in log level auth.alert quick on lan0 proto tcp from any to 20.20.20.0/24 port = 21
9.3.1.2 first
You can use the first option with the log keyword to log only the first instance of a certain type
of packet. For example, it might not be important to log 500 attempts to probe your telnet port
from one source. It is a good idea to log the first attempt, however.
The first option only applies to packets in a specific session. You can use the first option to
monitor traffic on your system. For best results, use the first option in conjunction with rules that use
pass and keep state.
Example:
pass in log first proto tcp from any to any flags S keep state
9.3.1.3 body
You can use the body option with the log keyword to track parts of an IP packet in addition to
the packet header information. IPFilter logs the first 128 bytes of a packet if the body option is
specified. For example:
block in log body proto tcp from 192.168.1.1 to any flags S keep state
NOTE: Using the body option with the log keyword can make your log files very long. Limit the
use of the body option to necessary instances.
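The following linter is an added example, not part of the HP guide or of IPFilter. It checks the level, first and body options described in this section against the guide's value lists and advice. The function names, finding texts and the fourth sample rule are constructed for illustration.

```python
FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "ftp", "authpriv", "audit", "logalert",
              *(f"local{n}" for n in range(8))}
PRIORITIES = {"emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"}
# Assumptions from ipf(5): options follow "log" directly; a bare priority is valid.
LOG_OPTS = {"body", "first", "or-block", "level"}

def lint_rule(rule):
    """Return findings for the log options of one rule (empty list = clean)."""
    tokens = rule.split()
    if "log" not in tokens:
        return []
    findings, opts = [], set()
    i = tokens.index("log") + 1
    while i < len(tokens) and tokens[i] in LOG_OPTS:
        opt = tokens[i]
        opts.add(opt)
        i += 1
        if opt == "level":
            value = tokens[i] if i < len(tokens) else ""
            i += 1
            facility, dot, priority = value.rpartition(".")
            if dot and facility not in FACILITIES:
                findings.append(f"facility '{facility}' not in the guide's list")
            if priority not in PRIORITIES:
                findings.append(f"priority '{priority}' not in the guide's list")
    stateful_pass = tokens[0] == "pass" and "keep state" in " ".join(tokens)
    if "first" in opts and not stateful_pass:
        findings.append("log first: intended for pass rules with keep state")
    if "body" in opts:
        findings.append("log body: logs first 128 bytes per packet, large logs")
    return findings

def lint_ruleset(text):
    """Map 1-based line numbers to findings, skipping blanks and # comments."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = line.split("#", 1)[0].strip()
        if rule and (found := lint_rule(rule)):
            report[lineno] = found
    return report

# Constructed ruleset: lines 1-3 are the guide's examples, line 4 has a typo.
SAMPLE = """\
block in log level auth.info quick on lan0 from 20.20.20.0/24 to any
pass in log first proto tcp from any to any flags S keep state
block in log body proto tcp from 192.168.1.1 to any flags S keep state
block in log first level authpriv.warning quick on lan0 from any to any
"""
```

Calling lint_ruleset(SAMPLE) reports line 3 for its use of body and line 4 for the misspelled priority and for first on a rule that is not a stateful pass rule.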
9.3.2 Using ipmon to view IPFilter log entries
The ipmon utility displays IPFilter log entries. To configure IPFilter to create log entries, specify the
log keyword in IPFilter rules, as described in Section 9.3.1 (page 61). In addition to the packet
filter log, the ipmon utility can display the state table log, the NAT log, or any combination of
these three logs. You can run ipmon in
the foreground or as a daemon that logs to syslog or a file.
Log files include both IPv4 and IPv6 log records, ordered according to the time IPFilter receives
the packets.
62 Troubleshooting HP-UX IPFilter