Date: Mon, 8 Sep 2008 17:42:39 -0700 From: Jeremy Chadwick <koitsu@FreeBSD.org> To: "Dan Mahoney, System Admin" <danm@prime.gushi.org> Cc: hackers@freebsd.org, Dan Nelson <dnelson@allantgroup.com>, questions@freebsd.org Subject: Re: IPFW uid logging... Message-ID: <20080909004239.GA82283@icarus.home.lan> In-Reply-To: <alpine.BSF.2.00.0809081559490.71254@prime.gushi.org> References: <alpine.BSF.2.00.0809081110480.63702@prime.gushi.org> <20080908185106.GB6629@dan.emsphone.com> <alpine.BSF.2.00.0809081559490.71254@prime.gushi.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Sep 08, 2008 at 04:03:29PM -0400, Dan Mahoney, System Admin wrote: > On Mon, 8 Sep 2008, Dan Nelson wrote: > >> In the last episode (Sep 08), Dan Mahoney, System Admin said: >>> I have the following rule set up in ipfw to limit the exposure of bad >>> php scripts and trojans that try to send mail directly. >>> >>> allow tcp from any to any dst-port 25 uid root >>> deny log tcp from any to any dst-port 25 out >>> >>> However, the log messages I get look like this: >>> >>> Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0 >>> Sep 8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0 >>> >>> Which is to say, they don't include the UID -- and I have several hundred >>> sites, each with its own UID. >>> >>> Yes, I could go ahead and set up a thousand "deny" rules, one for >>> each UID -- but being able to log this info (since it IS being >>> checked) would be great. >> >> It should be possible to add a couple more arguments to ipfw_log() so >> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the >> fw_ugid_cache struct. Then you can edit ipfw_log to print the contents >> of that struct if ugid_lookup==1. That would result in the logging of >> uid for any failed packet that had to go through a uid check on the way >> to the deny rule. > > Okay, so if it's fairly easy to do, the question would be "since I don't > feel right hacking in this change myself -- how could I propose this as a > feature?" It's not a BUG per-se, but I think it could be useful to > others as well. send-pr it. Category=kern, Class=change-request. Reference this thread in the Fix section: http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html FWIW, I think it's also a good idea. The output formatting of the log line might need to be adjusted "carefully" though, since any programs which grep on a very strict regex will start failing. I'm inclined to recommend the string ", UID xxx" be appended to the existing string, e.g. Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0, UID 6592 -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB |
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080909004239.GA82283>