Date: Fri, 31 Oct 2008 06:49:02 -0400 (EDT)
From: "Dennis Mathiasen" <dennis@deerfieldhosting.com>
To: "freebsd-isp@freebsd.org" <freebsd-isp@freebsd.org>
Subject: PF firewall and user logging
Message-ID: <59140.10.0.0.6.1225450142.squirrel@main.here>
Hi,

On a 7.1-PRERELEASE amd64 system using the pf firewall I am attempting to get user logging working with lines like this:

    pass out quick on em0 proto tcp from any to <http_out> port { 80, 443 } queue www
    block out quick log (user, to pflog0) on em0 proto tcp from any to any port 80

Some outbound connections need to be allowed (like twitter.com, akismet.com, etc.) but most should not be.

The problem is that no user information is included in the log. I found posts suggesting that

    tcpdump -n -e -v -r /var/log/pflog

should show userid information, but it doesn't. Nor does -vv or -vvv.

Because our customers are frequently lazy about updating php based software, their sites occasionally get compromised. While I can eventually locate the problem user, it can take time. Sometimes the criminals who do this stuff are smart about it and only run their scripts sporadically, making this very difficult.

Has anyone run into this and found a solution? Am I missing something?

Thanks!

Dennis Mathiasen
dennis@deerfieldhosting.com
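An added example, not part of Dennis's message, that a practitioner chasing this kind of problem would want: a small parser for the pflog(4) pcap file itself. The uid/pid that `log (user)` is meant to record live in the pflog header in front of each packet, and tcpdump has nothing to print when that field holds UID_MAX, so the first thing to establish is whether the kernel filled the field in at all or whether the problem is on the display side. The script reads /var/log/pflog-style data and reports, per record, whether a socket owner was recorded. Assumptions, none of which come from the original post: the 64-byte struct pfloghdr layout of the pf version shipped with FreeBSD 7 (length, af, action, reason, ifname[16], ruleset[16], rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad), integer fields read in network byte order as tcpdump's pflog printer does, and UID_MAX (0xffffffff) as the "no lookup done" marker. The two-record capture it runs on is constructed inline so the example works offline.

```python
"""Inspect pflog(4) pcap records and report whether pf recorded a socket owner.

Added example for the thread above, not code from the original message.
Assumptions (not stated on the page): 64-byte struct pfloghdr layout from
FreeBSD 7 / OpenBSD 4.x era pf, integer fields in network byte order, and
UID_MAX (0xffffffff) in the uid field meaning "no socket lookup was done".
"""
import struct
from dataclasses import dataclass
from typing import List

DLT_PFLOG = 117          # pcap link-layer type for pflog(4) captures
PFLOG_HDRLEN = 64        # struct pfloghdr: 61 real bytes padded to 64
UID_MAX = 0xFFFFFFFF     # uid value pf writes when it did no socket lookup
PF_ACTIONS = {0: "pass", 1: "block"}
PF_DIRS = {1: "in", 2: "out"}

# struct pfloghdr: length, af, action, reason, ifname[16], ruleset[16],
# rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad[3]
PFLOGHDR = struct.Struct(">BBBB16s16sIIIiIiB3x")
PCAP_GLOBAL = struct.Struct("<IHHiIII")   # classic little-endian pcap header
PCAP_REC = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len


@dataclass
class PflogRecord:
    ifname: str
    action: str
    direction: str
    rulenr: int
    uid: int
    pid: int
    dst: str
    dport: int

    @property
    def has_user(self) -> bool:
        """True only if pf attached a socket owner to this record."""
        return self.uid != UID_MAX

    def describe(self) -> str:
        who = f"uid {self.uid} pid {self.pid}" if self.has_user else "no uid recorded"
        return (f"rule {self.rulenr} {self.action} {self.direction} on {self.ifname}"
                f" -> {self.dst}:{self.dport} [{who}]")


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_pflog_pcap(data: bytes) -> List[PflogRecord]:
    """Walk a pcap of link type DLT_PFLOG and decode each pflog header."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != DLT_PFLOG:
        raise ValueError("not a little-endian pcap of link type DLT_PFLOG")
    records, off = [], PCAP_GLOBAL.size
    while off + PCAP_REC.size <= len(data):
        _sec, _usec, incl_len, _orig_len = PCAP_REC.unpack_from(data, off)
        off += PCAP_REC.size
        frame = data[off:off + incl_len]
        off += incl_len
        (_length, af, action, _reason, ifname, _ruleset, rulenr, _subrulenr,
         uid, pid, _rule_uid, _rule_pid, direction) = PFLOGHDR.unpack_from(frame, 0)
        dst, dport = "?", 0
        if af == 2:  # AF_INET: pull the destination and TCP/UDP port from the payload
            ip = frame[PFLOG_HDRLEN:]
            ihl = (ip[0] & 0x0F) * 4
            dst = ".".join(str(b) for b in ip[16:20])
            if ip[9] in (6, 17):
                dport = struct.unpack_from(">H", ip, ihl + 2)[0]
        records.append(PflogRecord(_cstr(ifname), PF_ACTIONS.get(action, str(action)),
                                   PF_DIRS.get(direction, str(direction)),
                                   rulenr, uid, pid, dst, dport))
    return records


def _tcp_syn(dst: str, dport: int) -> bytes:
    """Minimal IPv4 + TCP header pair (constructed payload, no options)."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 6]), bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack(">HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed two-record capture: one with a socket owner, one without."""
    def rec(uid: int, pid: int, rulenr: int, dst: str, dport: int) -> bytes:
        # action 1 = block, dir 2 = out, subrulenr -1 = no anchor involved
        hdr = PFLOGHDR.pack(61, 2, 1, 0, b"em0", b"", rulenr, UID_MAX, uid, pid, 0, 0, 2)
        frame = hdr + _tcp_syn(dst, dport)
        return PCAP_REC.pack(1225450142, 0, len(frame), len(frame)) + frame

    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    out += rec(80, 1234, 7, "192.0.2.10", 80)      # lookup done: uid 80 owns the socket
    out += rec(UID_MAX, 0, 7, "192.0.2.11", 80)    # lookup not done: nothing to print
    return out


if __name__ == "__main__":
    for r in parse_pflog_pcap(build_sample_pcap()):
        print(r.describe())
```

Run it against a real file by replacing `build_sample_pcap()` with the contents of /var/log/pflog. If every record comes back with "no uid recorded", the kernel is not performing the socket lookup for the logged rule, and no amount of `-v` will make tcpdump show a uid; if the uids are present in the header, the problem is in how the log is being read.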