Date: Mon, 8 Sep 2008 13:51:06 -0500 From: Dan Nelson <dnelson@allantgroup.com> To: "Dan Mahoney, System Admin" <danm@prime.gushi.org> Cc: hackers@freebsd.org, questions@freebsd.org Subject: Re: IPFW uid logging... Message-ID: <20080908185106.GB6629@dan.emsphone.com> In-Reply-To: <alpine.BSF.2.00.0809081110480.63702@prime.gushi.org> References: <alpine.BSF.2.00.0809081110480.63702@prime.gushi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
In the last episode (Sep 08), Dan Mahoney, System Admin said: > I have the following rule set up in ipfw to limit the exposure of bad > php scripts and trojans that try to send mail directly. > > allow tcp from any to any dst-port 25 uid root > deny log tcp from any to any dst-port 25 out > > However, the log messages I get look like this: > > Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0 > Sep 8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0 > > Which is to say, they don't include the UID -- and I have several hundred > sites, each with its own UID. > > Yes, I could go ahead and set up a thousand "deny" rules, one for > each UID -- but being able to log this info (since it IS being > checked) would be great. It should be possible to add a couple more arguments to ipfw_log() so that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the fw_ugid_cache struct. Then you can edit ipfw_log to print the contents of that struct if ugid_lookup==1. That would result in the logging of uid for any failed packet that had to go through a uid check on the way to the deny rule. -- Dan Nelson dnelson@allantgroup.com
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080908185106.GB6629>