From owner-freebsd-bugs@FreeBSD.ORG Tue Sep 9 13:13:41 2008
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 59047106566C;
	Tue, 9 Sep 2008 13:13:41 +0000 (UTC)
	(envelope-from Daan@vehosting.nl)
Received: from VM01.VEHosting.nl (vm01.vehosting.nl [85.17.51.140])
	by mx1.freebsd.org (Postfix) with ESMTP id D01E18FC13;
	Tue, 9 Sep 2008 13:13:40 +0000 (UTC)
	(envelope-from Daan@vehosting.nl)
Received: from [192.168.72.10] (124-54.bbned.dsl.internl.net [92.254.54.124])
	(authenticated bits=0)
	by VM01.VEHosting.nl (8.13.8/8.13.8) with ESMTP id m89CaoVa094468;
	Tue, 9 Sep 2008 14:36:50 +0200 (CEST)
	(envelope-from Daan@vehosting.nl)
From: Daan Vreeken
Organization: VEHosting - Vitsch Electronics
To: freebsd-bugs@freebsd.org, Dan Mahoney
Date: Tue, 9 Sep 2008 14:36:42 +0200
User-Agent: KMail/1.9.7
References: <200809090636.m896a2XR004149@prime.gushi.org>
In-Reply-To: <200809090636.m896a2XR004149@prime.gushi.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-6"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200809091436.43128.Daan@vehosting.nl>
x-ve-auth-version: mi-1.0.3 2008-05-30 - Copyright (c) 2008 - Daan Vreeken - VEHosting
x-ve-auth: authenticated as 'pa4dan' on VM01.Vitsch.net
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
X-List-Received-Date: Tue, 09 Sep 2008 13:13:41 -0000

On Tuesday 09 September 2008 08:36:02 Dan Mahoney wrote:
> >Number:         127230
> >Category:       kern
> >Synopsis:       Feature request to add UID and/or GID logging data to ipfw
> >                logging with uid rules.
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          change-request
> >Submitter-Id:   current-users
> >Arrival-Date:   Tue Sep 09 07:00:12 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator:     Dan Mahoney
> >Release:        FreeBSD 6.2-PRERELEASE i386
> >Organization:
> Gushi Systems
> >Environment:
> System: FreeBSD prime.gushi.org 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0:
> Thu Jan 18 02:05:07 EST 2007
> danm@prime.gushi.org:/usr/src/sys/i386/compile/PRIME6 i386
>
> Note: The system I'm on is 6.2, but this will likely apply to -CURRENT or
> -STABLE (although a patch for 6.x would be appreciated).
>
> I have the following rule set up in ipfw to limit the exposure of bad php
> scripts and trojans that try to send mail directly.
>
> allow tcp from any to any dst-port 25 uid root
> deny log tcp from any to any dst-port 25 out
>
> However, the log messages I get look like this:
>
> Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
> Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
>
> Which is to say, they don't include the UID -- and I have several hundred
> sites, each with its own UID.
>
> Yes, I could go ahead and set up a thousand "deny" rules, one for each UID
> -- but being able to log this info (since it IS being checked) would be
> great.
>
> >Description:
>
> >How-To-Repeat:
>
> Per Jeremy Chadwick, I am referencing the following thread on the mailing
> lists:
>
> http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html

Just for the record: I've created two patches (against -HEAD) that implement
this which can be found here:

http://vehosting.nl/pub_diffs/

-- 
Daan Vreeken
VEHosting
http://VEHosting.nl
tel: +31-(0)40-7113050 / +31-(0)6-46210825
KvK nr: 17174380
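The PR above notes that the only identifier an ipfw log line exposes is the rule number, and that one deny rule per UID would work around the missing uid field. The script below is an added example (not part of the PR, the thread, or the patches Daan links) showing that workaround made systematic: it generates a numbered per-UID ipfw ruleset from passwd-style entries and then maps logged rule numbers back to the owning user. The passwd lines, log lines, rule base number 2000 and the assumption that customer accounts start at uid 1000 are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed /etc/passwd-style sample (not from the PR).
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
site1:*:1001:1001:Customer site 1:/home/site1:/usr/sbin/nologin
site2:*:1002:1002:Customer site 2:/home/site2:/usr/sbin/nologin
"""

# Constructed log lines in the same format the PR quotes, but with the
# rule numbers the generated ruleset below would assign.
SAMPLE_LOG = """\
Sep  8 13:21:11 prime kernel: ipfw: 2002 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep  8 13:21:16 prime kernel: ipfw: 2001 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
Sep  8 13:22:03 prime kernel: ipfw: 2002 Deny TCP 72.9.101.130:56680 202.12.31.144:25 out via em0
"""

BASE_RULE = 2000   # assumed free rule range in the ipfw ruleset
MIN_UID = 1000     # assumed: per-site accounts start at uid 1000


def parse_passwd(text: str, min_uid: int = MIN_UID) -> List[Tuple[str, int]]:
    """Return (name, uid) for every account at or above min_uid."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name, uid = fields[0], int(fields[2])
        if uid >= min_uid:
            users.append((name, uid))
    return users


def build_rules(users: List[Tuple[str, int]], base: int = BASE_RULE) -> Tuple[List[str], Dict[int, str]]:
    """Emit ipfw commands: allow root SMTP, one logged deny per uid, then a catch-all.

    Because ipfw logs the rule number, a distinct number per uid makes the
    user recoverable from the log line even without a uid field.
    """
    rules = [f"ipfw add {base} allow tcp from any to any dst-port 25 uid root"]
    mapping: Dict[int, str] = {}
    for i, (name, _uid) in enumerate(sorted(users, key=lambda u: u[1])):
        num = base + 1 + i
        if num >= 65535:  # ipfw rule numbers are 16-bit
            raise ValueError("rule range exhausted")
        rules.append(f"ipfw add {num} deny log tcp from any to any dst-port 25 out uid {name}")
        mapping[num] = name
    catch_all = base + 1 + len(users)
    rules.append(f"ipfw add {catch_all} deny log tcp from any to any dst-port 25 out")
    mapping[catch_all] = "<unmatched>"
    return rules, mapping


# Matches the log line shape shown in the PR ("ipfw: <rule> Deny TCP src:port dst:port out via em0").
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out)(?: via (?P<iface>\S+))?"
)


def attribute_log(log_text: str, mapping: Dict[int, str]) -> Dict[str, int]:
    """Count denied SMTP attempts per user by mapping rule numbers back to names."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        user = mapping.get(int(m["rule"]), "<unknown rule>")
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    rules, mapping = build_rules(users)
    print("\n".join(rules))
    print(attribute_log(SAMPLE_LOG, mapping))
```

The ruleset is only as good as the uid match itself: ipfw's `uid` option matches outbound traffic whose socket is owned by a local process, so it attributes a connection to the account running the script, not to a destination. The catch-all rule still logs without attribution for anything no per-uid rule covered, which is the same blind spot the PR describes.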