From: Daan Vreeken <Daan@vehosting.nl>
Organization: VEHosting - Vitsch Electronics
To: freebsd-hackers@freebsd.org
Cc: "Dan Mahoney, System Admin", Dan Nelson
Date: Tue, 9 Sep 2008 02:23:45 +0200
Subject: Re: IPFW uid logging...
References: <20080908185106.GB6629@dan.emsphone.com>
Message-Id: <200809090223.46472.Daan@vehosting.nl>
Hi Dan, Dan and the list,

On Monday 08 September 2008 22:03:29 Dan Mahoney, System Admin wrote:
> On Mon, 8 Sep 2008, Dan Nelson wrote:
> > In the last episode (Sep 08), Dan Mahoney, System Admin said:
> >> I have the following rule set up in ipfw to limit the exposure of bad
> >> php scripts and trojans that try to send mail directly.
> >>
> >> allow tcp from any to any dst-port 25 uid root
> >> deny log tcp from any to any dst-port 25 out
> >>
> >> However, the log messages I get look like this:
> >>
> >> Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
> >> Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
> >>
> >> Which is to say, they don't include the UID -- and I have several
> >> hundred sites, each with its own UID.
> >>
> >> Yes, I could go ahead and set up a thousand "deny" rules, one for
> >> each UID -- but being able to log this info (since it IS being
> >> checked) would be great.
> >
> > It should be possible to add a couple more arguments to ipfw_log() so
> > that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
> > fw_ugid_cache struct. Then you can edit ipfw_log to print the contents
> > of that struct if ugid_lookup==1. That would result in the logging of
> > uid for any failed packet that had to go through a uid check on the way
> > to the deny rule.
>
> Okay, so if it's fairly easy to do, the question would be "since I don't
> feel right hacking in this change myself -- how could I propose this as a
> feature?" It's not a BUG per se, but I think it could be useful to others
> as well.
I own a webhosting company and here too every domain gets its own user, so I like this proposal. I've hacked together a first try, which seems to be working. A patch (against -HEAD) can be found here:

http://vehosting.nl/pub_diffs/ip_fw2.c_uid_2008_09_09.diff

Improvements / tips / comments are welcome ;-)

-- 
Daan Vreeken
VEHosting
http://VEHosting.nl
tel: +31-(0)40-7113050 / +31-(0)6-46210825
KvK nr: 17174380
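As an added example (not from the thread or from Daan's patch), the per-UID workaround Dan Mahoney mentions, written as a rule generator plus a decoder that maps the logged rule number back to the user; the user list, the BASE/CATCHALL numbers and the log line are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or the linked patch): until ipfw_log()
# prints the UID, give every site UID its own numbered "deny log" rule so the
# rule number in "ipfw: <num> Deny TCP ..." identifies the user.
# ipfw rule numbers top out at 65535, so BASE + uid must stay below CATCHALL.
CATCHALL=65000

# Constructed sample in name:uid form. In practice derive it from the
# password file, e.g.:  awk -F: '$3 >= 1000 {print $1":"$3}' /etc/passwd
SAMPLE_USERS='www_site1:1001
www_site2:1002
www_site3:1003'

# gen_smtp_rules BASE USERS: print the ipfw rule set to stdout.
gen_smtp_rules() {
    base=$1
    printf 'add %d allow tcp from any to any dst-port 25 uid root\n' "$base"
    printf '%s\n' "$2" | while IFS=: read -r name uid; do
        [ -n "$uid" ] || continue
        num=$((base + uid))
        if [ "$num" -ge "$CATCHALL" ]; then
            echo "skipping $name: rule number $num would collide" >&2
            continue
        fi
        printf 'add %d deny log tcp from any to any dst-port 25 out uid %d\n' \
            "$num" "$uid"
    done
    # Packets matching no per-UID rule (no local socket, UID out of range) are still logged.
    printf 'add %d deny log tcp from any to any dst-port 25 out\n' "$CATCHALL"
}

# log_rule_num LOGLINE: extract the rule number from a kernel ipfw log line.
log_rule_num() {
    printf '%s\n' "$1" | sed -n 's/.*ipfw: \([0-9][0-9]*\) .*/\1/p'
}

# rule_to_user NUM BASE USERS: map a logged rule number back to the user name;
# exits non-zero when the number belongs to no per-UID rule.
rule_to_user() {
    printf '%s\n' "$3" | awk -F: -v base="$2" -v num="$1" \
        'NF == 2 && base + $2 == num { print $1; found = 1 } END { exit !found }'
}

# Usage: generate the rules, then decode a constructed log line.
gen_smtp_rules 10000 "$SAMPLE_USERS"
LINE='Sep  8 13:21:11 prime kernel: ipfw: 11002 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0'
rule_to_user "$(log_rule_num "$LINE")" 10000 "$SAMPLE_USERS"
```

The per-UID rules only match packets that have a local socket to look up, which is why the final catch-all keeps logging everything else.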