From owner-freebsd-questions@FreeBSD.ORG Tue Sep 9 00:58:41 2008
Date: Mon, 8 Sep 2008 17:42:39 -0700
From: Jeremy Chadwick
To: "Dan Mahoney, System Admin"
Cc: hackers@freebsd.org, Dan Nelson, questions@freebsd.org
Message-ID: <20080909004239.GA82283@icarus.home.lan>
References: <20080908185106.GB6629@dan.emsphone.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Re: IPFW uid logging...
On Mon, Sep 08, 2008 at 04:03:29PM -0400, Dan Mahoney, System Admin wrote:
> On Mon, 8 Sep 2008, Dan Nelson wrote:
>
>> In the last episode (Sep 08), Dan Mahoney, System Admin said:
>>> I have the following rule set up in ipfw to limit the exposure of bad
>>> php scripts and trojans that try to send mail directly.
>>>
>>> allow tcp from any to any dst-port 25 uid root
>>> deny log tcp from any to any dst-port 25 out
>>>
>>> However, the log messages I get look like this:
>>>
>>> Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
>>> Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
>>>
>>> Which is to say, they don't include the UID -- and I have several hundred
>>> sites, each with its own UID.
>>>
>>> Yes, I could go ahead and set up a thousand "deny" rules, one for
>>> each UID -- but being able to log this info (since it IS being
>>> checked) would be great.
>>
>> It should be possible to add a couple more arguments to ipfw_log() so
>> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
>> fw_ugid_cache struct. Then you can edit ipfw_log to print the contents
>> of that struct if ugid_lookup==1. That would result in the logging of
>> uid for any failed packet that had to go through a uid check on the way
>> to the deny rule.
>
> Okay, so if it's fairly easy to do, the question would be "since I don't
> feel right hacking in this change myself -- how could I propose this as a
> feature?" It's not a BUG per se, but I think it could be useful to
> others as well.

send-pr it. Category=kern, Class=change-request.

Reference this thread in the Fix section:
http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html

FWIW, I think it's also a good idea. The output formatting of the log
line might need to be adjusted "carefully" though, since any programs
which grep on a very strict regex will start failing. I'm inclined to
recommend the string ", UID xxx" be appended to the existing string, e.g.

Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0, UID 6592

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
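As an added example (not part of this thread and not FreeBSD's ipfw code), the following Python parser illustrates the compatibility point raised above: a regex anchored to the current end of the ipfw log line stops matching as soon as ", UID nnn" is appended, while one that treats the suffix as optional parses both the old and the proposed format and can then aggregate denied outbound SMTP attempts per UID, which is the information the original ruleset was missing. The sample input is constructed from the two log lines quoted in the thread plus a third line in the proposed format; the UID value 6592 is the one used in the thread's illustration, and the syslog timestamp spacing is assumed.

```python
import re
from collections import Counter

# Constructed sample: the two lines quoted in the thread (no UID) plus one
# line in the proposed format with ", UID nnn" appended. Not real log data.
SAMPLE_LOG = """\
Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
Sep 8 13:22:02 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58120 209.85.133.114:25 out via em0, UID 6592
"""

# The common fields of an ipfw log line, in the format shown in the thread.
_FIELDS = (
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# A "strict" regex of the kind existing scripts may use: it requires the
# interface name to end the line, so the new suffix makes it fail.
STRICT_RE = re.compile(_FIELDS + r"$")

# A tolerant regex: the ", UID nnn" suffix is optional, so both formats
# parse and the UID is captured when present.
TOLERANT_RE = re.compile(_FIELDS + r"(?:, UID (?P<uid>\d+))?$")


def parse_line(line, pattern=TOLERANT_RE):
    """Return a dict of fields for one log line, or None if it doesn't match."""
    m = pattern.search(line.rstrip("\n"))
    if not m:
        return None
    d = m.groupdict()
    for key in ("rule", "sport", "dport"):
        d[key] = int(d[key])
    # The strict pattern has no uid group; the tolerant one may leave it None.
    d["uid"] = int(d["uid"]) if d.get("uid") is not None else None
    return d


def count_matches(text, pattern):
    """How many lines of `text` a given pattern would accept."""
    return sum(1 for ln in text.splitlines() if parse_line(ln, pattern) is not None)


def denied_smtp_by_uid(text):
    """Count denied outbound connections to port 25 per UID.

    The key None collects lines that carry no UID (the old log format), so a
    mixed log is still summarised without dropping anything.
    """
    counts = Counter()
    for ln in text.splitlines():
        d = parse_line(ln)
        if d and d["action"] == "Deny" and d["dir"] == "out" and d["dport"] == 25:
            counts[d["uid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("strict regex matches:  ", count_matches(SAMPLE_LOG, STRICT_RE))
    print("tolerant regex matches:", count_matches(SAMPLE_LOG, TOLERANT_RE))
    for uid, n in sorted(denied_smtp_by_uid(SAMPLE_LOG).items(), key=str):
        print(f"UID {uid if uid is not None else '(not logged)'}: {n} denied SMTP attempt(s)")
```

On the sample above the strict pattern accepts only the two old-format lines and silently drops the third, which is exactly the breakage a grep-based monitor would hit; the tolerant pattern accepts all three and attributes the third to UID 6592. Making the suffix optional rather than mandatory also keeps the same script working on hosts that have not picked up the change.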