Date: Tue, 9 Sep 2008 09:58:34 +0200 From: Daan Vreeken <Daan@vehosting.nl> To: freebsd-hackers@freebsd.org Cc: "Dan Mahoney, System Admin" <danm@prime.gushi.org>, Dan Nelson <dnelson@allantgroup.com> Subject: Re: IPFW uid logging... Message-ID: <200809090958.35448.Daan@vehosting.nl> In-Reply-To: <20080909045037.GC6629@dan.emsphone.com> References: <alpine.BSF.2.00.0809081110480.63702@prime.gushi.org> <200809090223.46472.Daan@vehosting.nl> <20080909045037.GC6629@dan.emsphone.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tuesday 09 September 2008 06:50:37 Dan Nelson wrote: > In the last episode (Sep 09), Daan Vreeken said: > > On Monday 08 September 2008 22:03:29 Dan Mahoney, System Admin wrote: > > > On Mon, 8 Sep 2008, Dan Nelson wrote: > > > > In the last episode (Sep 08), Dan Mahoney, System Admin said: > > > >> I have the following rule set up in ipfw to limit the exposure > > > >> of bad php scripts and trojans that try to send mail directly. > > > >> > > > >> allow tcp from any to any dst-port 25 uid root > > > >> deny log tcp from any to any dst-port 25 out > > > >> > > > >> However, the log messages I get look like this: > > > >> > > > >> Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP > > > >> 72.9.101.130:58117 209.85.133.114:25 out via em0 Sep 8 13:21:16 > > > >> <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 > > > >> 202.12.31.144:25 out via em0 > > > >> > > > >> Which is to say, they don't include the UID -- and I have > > > >> several hundred sites, each with its own UID. > > > >> > > > >> Yes, I could go ahead and set up a thousand "deny" rules, one > > > >> for each UID -- but being able to log this info (since it IS > > > >> being checked) would be great. > > > > > > > > It should be possible to add a couple more arguments to > > > > ipfw_log() so that ipfw_chk() can pass it the ugid_lookup flag > > > > and a pointer to the fw_ugid_cache struct. Then you can edit > > > > ipfw_log to print the contents of that struct if ugid_lookup==1. > > > > That would result in the logging of uid for any failed packet > > > > that had to go through a uid check on the way to the deny rule. > > > > > > Okay, so if it's fairly easy to do, the question would be "since I > > > don't feel right hacking in this change myself -- how could I > > > propose this as a feature?" It's not a BUG per-se, but I think it > > > could be useful to others as well. > > > > Hi Dan, Dan and the list, > > > > I own a webhosting company and here too every domain gets it's own > > user, so I like this proposal. I've hacked together a first try, > > which seems to be working. A patch (against -HEAD) can be found here: > > > > http://vehosting.nl/pub_diffs/ip_fw2.c_uid_2008_09_09.diff > > > > Improvements / tips / comments are welcome ;-) > > I like it. Maybe print gid as well, since there's an ipfw rule for > that too. I intentionally left printing the gid out, since a user can be in up to NGROUPS_MAX groups. We could of course only show the one gid that matched... The following (only compile-tested) patch tries to implement that : http://vehosting.nl/pub_diffs/ip_fw2.c_uid_2008_09_09_2.diff I'm not really sure which patch I liked best. The first patch missed a check against (ugid_lookup == -1) though. -- Daan Vreeken VEHosting http://VEHosting.nl tel: +31-(0)40-7113050 / +31-(0)6-46210825 KvK nr: 17174380
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200809090958.35448.Daan>