From: "Dan Mahoney, System Admin" <danm@prime.gushi.org>
To: hackers@freebsd.org, questions@freebsd.org
Date: Mon, 8 Sep 2008 13:27:59 -0400 (EDT)
Subject: IPFW uid logging...
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

Hey all,

I have the following rule set up in ipfw to limit the exposure of bad php scripts and trojans that try to send mail directly.

    allow tcp from any to any dst-port 25 uid root
    deny log tcp from any to any dst-port 25 out

However, the log messages I get look like this:

    Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
    Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
    Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58131 209.85.133.27:25 out via em0
    Sep 8 13:21:28 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
    Sep 8 13:21:32 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58131 209.85.133.27:25 out via em0
    Sep 8 13:22:45 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
    Sep 8 13:22:45 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
    Sep 8 13:22:46 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
    Sep 8 13:22:49 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0

Which is to say, they don't include the UID -- and I have several hundred sites, each with its own UID.

Yes, I could go ahead and set up a thousand "deny" rules, one for each UID -- but being able to log this info (since it IS being checked) would be great.

Thoughts?

-Dan Mahoney

--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
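The following is an added example, not code from Dan's post or from FreeBSD. It does two things a practitioner would want given the problem above: it parses the ipfw kernel log lines exactly as quoted (the nine lines from the post are embedded as the sample input) into structured records and collapses TCP retransmissions of the same connection attempt, so the four distinct SMTP attempts can be told apart from nine log lines; and it generates the "one deny rule per UID" workaround Dan mentions, giving each UID its own logged rule number so the rule number in the log line identifies the UID even though ipfw itself does not log it. The regex for the log format, the rule-number range, the sample UID list and the helper names are all my assumptions, not anything ipfw documents.

```python
"""Parse FreeBSD ipfw kernel log lines and map per-UID deny rules back to UIDs.

Added example; assumptions: the syslog/ipfw line format matches the lines quoted
in the post, and the per-UID rule numbering scheme below is arbitrary.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the nine log lines quoted in the post, embedded verbatim.
SAMPLE_LOG = """\
Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58131 209.85.133.27:25 out via em0
Sep 8 13:21:28 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep 8 13:21:32 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58131 209.85.133.27:25 out via em0
Sep 8 13:22:45 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
Sep 8 13:22:45 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
Sep 8 13:22:46 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
Sep 8 13:22:49 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:65313 64.202.166.12:25 out via em0
"""

# Assumed line layout: "<syslog ts> <host> kernel: ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out>[ via <iface>]"
IPFW_LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out)(?: via (?P<iface>\S+))?$"
)


@dataclass(frozen=True)
class IpfwEvent:
    ts: str
    host: str
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: Optional[str]


def parse_line(line: str) -> Optional[IpfwEvent]:
    """Return a structured event for one ipfw log line, or None if it is not one."""
    m = IPFW_LOG_RE.match(line.strip())
    if m is None:
        return None
    return IpfwEvent(
        ts=m.group("ts"), host=m.group("host"), rule=int(m.group("rule")),
        action=m.group("action"), proto=m.group("proto"),
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        direction=m.group("direction"), iface=m.group("iface"),
    )


def parse_log(text: str) -> List[IpfwEvent]:
    """Parse every recognisable ipfw line in a chunk of syslog text; skip the rest."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def distinct_attempts(events: List[IpfwEvent]) -> Dict[Tuple[str, int, str, int], int]:
    """Collapse retransmitted SYNs: one (src, sport, dst, dport) tuple per connection attempt.

    The value is how many times that attempt was logged, which is useful for telling a
    script that keeps retrying apart from a one-off probe.
    """
    return Counter((e.src, e.sport, e.dst, e.dport) for e in events)


def per_uid_deny_rules(uids: List[int], first_rule: int, dst_port: int = 25) -> List[str]:
    """Emit one logged deny rule per UID, numbered consecutively from first_rule.

    The rule number then stands in for the UID in the log line. first_rule must be
    above the 'allow ... uid root' rule and the whole block must stay under ipfw's
    maximum rule number (65535).
    """
    if first_rule + len(uids) >= 65535:
        raise ValueError("UID rule block does not fit below ipfw rule 65535")
    return [
        f"ipfw add {first_rule + i} deny log tcp from any to any dst-port {dst_port} out uid {uid}"
        for i, uid in enumerate(uids)
    ]


def rule_to_uid(rule: int, uids: List[int], first_rule: int) -> Optional[int]:
    """Inverse of per_uid_deny_rules: recover the UID from a logged rule number."""
    idx = rule - first_rule
    return uids[idx] if 0 <= idx < len(uids) else None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in distinct_attempts(evs).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  logged {n}x")
    # Assumed sample UIDs for two hosted sites; the real list would come from /etc/passwd.
    for r in per_uid_deny_rules([1001, 1002], first_rule=620):
        print(r)
```

Run against the quoted lines this reports four distinct attempts (one of them logged four times), which is the signal worth alerting on; with the per-UID block installed, `rule_to_uid(e.rule, uids, first_rule)` on each parsed event gives the account behind the attempt, at the cost of one rule per UID that ipfw evaluates in order.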