Date: Tue, 9 Sep 2008 14:36:42 +0200
From: Daan Vreeken <Daan@vehosting.nl>
To: freebsd-bugs@freebsd.org, Dan Mahoney <danm@prime.gushi.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
Message-ID: <200809091436.43128.Daan@vehosting.nl>
In-Reply-To: <200809090636.m896a2XR004149@prime.gushi.org>
References: <200809090636.m896a2XR004149@prime.gushi.org>
On Tuesday 09 September 2008 08:36:02 Dan Mahoney wrote:
> >Number:         127230
> >Category:       kern
> >Synopsis:       Feature request to add UID and/or GID logging data to ipfw
> >                logging with uid rules.
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          change-request
> >Submitter-Id:   current-users
> >Arrival-Date:   Tue Sep 09 07:00:12 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator:     Dan Mahoney
> >Release:        FreeBSD 6.2-PRERELEASE i386
> >Organization:
> Gushi Systems
> >Environment:
> System: FreeBSD prime.gushi.org 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0:
> Thu Jan 18 02:05:07 EST 2007
> danm@prime.gushi.org:/usr/src/sys/i386/compile/PRIME6 i386
>
> Note: The system I'm on is 6.2, but this will likely apply to -CURRENT or
> -STABLE (although a patch for 6.x would be appreciated).
>
> I have the following rule set up in ipfw to limit the exposure of bad PHP
> scripts and trojans that try to send mail directly.
>
> allow tcp from any to any dst-port 25 uid root
> deny log tcp from any to any dst-port 25 out
>
> However, the log messages I get look like this:
>
> Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP
> 72.9.101.130:58117 209.85.133.114:25 out via em0
> Sep 8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP
> 72.9.101.130:56672 202.12.31.144:25 out via em0
>
> Which is to say, they don't include the UID -- and I have several hundred
> sites, each with its own UID.
>
> Yes, I could go ahead and set up a thousand "deny" rules, one for each UID
> -- but being able to log this info (since it IS being checked) would be
> great.
>
> >Description:
> >How-To-Repeat:
> Per Jeremy Chadwick, I am referencing the following thread on the mailing
> lists:
>
> http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html

Just for the record: I've created two patches (against -HEAD) that implement
this, which can be found here:

http://vehosting.nl/pub_diffs/

-- 
Daan Vreeken
VEHosting
http://VEHosting.nl
tel: +31-(0)40-7113050 / +31-(0)6-46210825
KvK nr: 17174380
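As an added example (not code from this thread, and not Daan's patches at vehosting.nl), the following Python script automates the workaround Dan mentions in the report: one logged deny rule per UID, so that the rule number ipfw already prints in each log line identifies the UID, plus a parser that reads those log lines back and attributes every deny to a UID. The site UIDs, the base rule number 600 and the log lines are constructed for the example; the rule syntax is the same `deny log ... out uid N` form as the rules quoted in the report.

```python
import re

# Constructed sample data (not from the thread): per-site UIDs on a shared host.
SITE_UIDS = {"site_a": 1001, "site_b": 1002, "site_c": 1003}

# Hypothetical base rule number. ipfw rule numbers run 1..65535 and 65535 is the
# fixed default rule, so the generated block must stay below it.
BASE_RULE = 600
MAX_RULE = 65534

# Matches the part of a syslog line that ipfw writes, e.g.
#   ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifn>\S+)"
)


def uid_rules(site_uids, base=BASE_RULE, allow_uid="root"):
    """Emit the per-UID workaround: one logged deny rule per UID, so the rule
    number in the log identifies the UID. Returns the ipfw command lines and a
    rule-number -> UID map for reading the logs back."""
    catchall = base + len(site_uids) + 1
    if catchall > MAX_RULE:
        raise ValueError("rule block would exceed ipfw's rule number space")
    rules = [f"add {base} allow tcp from any to any dst-port 25 uid {allow_uid}"]
    rule_to_uid = {}
    for i, uid in enumerate(sorted(site_uids.values()), start=1):
        num = base + i
        rules.append(f"add {num} deny log tcp from any to any dst-port 25 out uid {uid}")
        rule_to_uid[num] = uid
    # Catch-all keeps the original behaviour for any UID not listed above.
    rules.append(f"add {catchall} deny log tcp from any to any dst-port 25 out")
    return rules, rule_to_uid


def attribute_denies(log_lines, rule_to_uid):
    """Count logged denies per UID via the rule number. The key None collects
    hits on the catch-all rule, whose UID the log line cannot tell us."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None or m.group("action") != "Deny":
            continue
        uid = rule_to_uid.get(int(m.group("rule")))
        counts[uid] = counts.get(uid, 0) + 1
    return counts


# Constructed log lines in the format shown in the report (rule numbers follow
# the block generated above, not the 610 from the original rule set).
SAMPLE_LOG = [
    "Sep  8 13:21:11 <security.info> prime kernel: ipfw: 601 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0",
    "Sep  8 13:21:16 <security.info> prime kernel: ipfw: 601 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0",
    "Sep  8 13:21:20 <security.info> prime kernel: ipfw: 602 Deny TCP 72.9.101.130:56700 202.12.31.144:25 out via em0",
    "Sep  8 13:21:25 <security.info> prime kernel: ipfw: 604 Deny TCP 72.9.101.130:56710 202.12.31.144:25 out via em0",
    "Sep  8 13:21:30 <auth.info> prime sshd[1234]: Accepted publickey for danm from 10.0.0.5 port 40000",
]

if __name__ == "__main__":
    rules, rule_to_uid = uid_rules(SITE_UIDS)
    print("\n".join(rules))
    print(attribute_denies(SAMPLE_LOG, rule_to_uid))
```

The generated lines are meant to be fed to `ipfw` one per line (for example through `ipfw -q /path/to/file` or a loop of `ipfw add ...`); the only state to keep is the rule-number-to-UID map, which the parser needs. Anything that still lands on the catch-all rule shows up under `None` and is a UID missing from the list, which is exactly the gap that UID logging in the kernel would close.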