From owner-freebsd-hackers@FreeBSD.ORG Tue Sep 9 05:42:01 2008
From: Dan Nelson
To: Daan Vreeken
Cc: freebsd-hackers@freebsd.org, "Dan Mahoney, System Admin"
Date: Mon, 8 Sep 2008 23:50:37 -0500
Subject: Re: IPFW uid logging...
Message-ID: <20080909045037.GC6629@dan.emsphone.com>
In-Reply-To: <200809090223.46472.Daan@vehosting.nl>
References: <20080908185106.GB6629@dan.emsphone.com> <200809090223.46472.Daan@vehosting.nl>
X-OS: FreeBSD 7.0-STABLE
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: Technical Discussions relating to FreeBSD

In the last episode (Sep 09), Daan Vreeken said:
> On Monday 08 September 2008 22:03:29 Dan Mahoney, System Admin wrote:
> > On Mon, 8 Sep 2008, Dan Nelson wrote:
> > > In the last episode (Sep 08), Dan Mahoney, System Admin said:
> > >> I have the following rule set up in ipfw to limit the exposure
> > >> of bad php scripts and trojans that try to send mail directly.
> > >>
> > >> allow tcp from any to any dst-port 25 uid root
> > >> deny log tcp from any to any dst-port 25 out
> > >>
> > >> However, the log messages I get look like this:
> > >>
> > >> Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
> > >> Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
> > >>
> > >> Which is to say, they don't include the UID -- and I have
> > >> several hundred sites, each with its own UID.
> > >>
> > >> Yes, I could go ahead and set up a thousand "deny" rules, one
> > >> for each UID -- but being able to log this info (since it IS
> > >> being checked) would be great.
> > >
> > > It should be possible to add a couple more arguments to
> > > ipfw_log() so that ipfw_chk() can pass it the ugid_lookup flag
> > > and a pointer to the fw_ugid_cache struct. Then you can edit
> > > ipfw_log to print the contents of that struct if ugid_lookup==1.
> > > That would result in the logging of uid for any failed packet
> > > that had to go through a uid check on the way to the deny rule.
> >
> > Okay, so if it's fairly easy to do, the question would be "since I
> > don't feel right hacking in this change myself -- how could I
> > propose this as a feature?" It's not a BUG per se, but I think it
> > could be useful to others as well.
>
> Hi Dan, Dan and the list,
>
> I own a webhosting company and here too every domain gets its own
> user, so I like this proposal. I've hacked together a first try,
> which seems to be working. A patch (against -HEAD) can be found here:
>
> http://vehosting.nl/pub_diffs/ip_fw2.c_uid_2008_09_09.diff
>
> Improvements / tips / comments are welcome ;-)

I like it. Maybe print gid as well, since there's an ipfw rule for that too.

--
Dan Nelson
dnelson@allantgroup.com
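A workaround for the logging gap discussed in this thread, as an added example that is not part of the thread or of Daan's patch: instead of the single catch-all deny, generate one logging deny rule per unprivileged uid and encode the uid in the rule number, so the stock "ipfw: <rule> Deny ..." line that the kernel already emits identifies the user. The rule base of 10000, the uid cutoff of 1000, the passwd(5)-format input, the constructed sample accounts and the function names are all assumptions made for this example. ipfw rule numbers top out at 65535, so a uid that does not fit is reported rather than silently dropped.

```shell
#!/bin/sh
# Added example, not from the thread: per-uid deny rules whose rule
# number encodes the uid, so the existing "ipfw: <rule> Deny" log line
# tells you which user tried to reach port 25.
#
# Assumptions (not from the original post): rule numbers start at
# RULE_BASE, only uids >= MIN_UID get a rule, and input is in passwd(5)
# format. Rules are printed, not loaded; pipe them to sh(1) to apply.

RULE_BASE=10000   # assumed base; rule numbers must stay <= 65535
MIN_UID=1000      # assumed cutoff for per-site accounts

# gen_uid_deny_rules: read passwd(5)-format lines on stdin and print one
# "ipfw add" command per eligible uid. These go after the existing
# "allow ... dst-port 25 uid root" rule and before a final catch-all deny.
gen_uid_deny_rules() {
    while IFS=: read -r name _ uid _; do
        case "$name" in '#'*|'') continue ;; esac        # comments, blanks
        case "$uid" in ''|*[!0-9]*) continue ;; esac    # non-numeric uid
        [ "$uid" -ge "$MIN_UID" ] || continue
        rule=$((RULE_BASE + uid))
        if [ "$rule" -gt 65535 ]; then
            # ipfw cannot number a rule above 65535: report, don't drop silently
            printf '# skip %s (uid %s): rule %s exceeds 65535\n' "$name" "$uid" "$rule"
            continue
        fi
        printf 'ipfw add %s deny log tcp from any to any dst-port 25 out uid %s\n' \
            "$rule" "$uid"
    done
}

# uid_from_log_line: map a kernel log line such as
#   Sep  8 13:21:11 prime kernel: ipfw: 11002 Deny TCP 1.2.3.4:5 6.7.8.9:25 out via em0
# back to the uid encoded in its rule number. Returns 1 and prints nothing
# for lines whose rule number is not in the per-uid range.
uid_from_log_line() {
    rule=$(printf '%s\n' "$1" | sed -n 's/.*ipfw: \([0-9][0-9]*\) Deny .*/\1/p')
    [ -n "$rule" ] || return 1
    [ "$rule" -gt "$RULE_BASE" ] || return 1
    echo $((rule - RULE_BASE))
}

# Constructed sample input (not real accounts). Real usage:
#   gen_uid_deny_rules < /etc/passwd | sh
#   grep 'ipfw: ' /var/log/messages | while read -r l; do uid_from_log_line "$l"; done
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
site1:*:1001:1001:Site 1:/home/site1:/bin/sh
site2:*:1002:1002:Site 2:/home/site2:/bin/sh
bigsite:*:60000:60000:Site with a high uid:/home/bigsite:/bin/sh'

printf '%s\n' "$SAMPLE_PASSWD" | gen_uid_deny_rules
```

Keep the original catch-all "deny log tcp from any to any dst-port 25 out" after the generated rules, and rerun the generator whenever accounts are added: an account created after the last run would otherwise fall through to the catch-all and log without a uid, which is exactly the situation the thread is trying to fix. Once a kernel with the proposed ipfw_log() change is in use, the rule-number trick becomes unnecessary.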