IPFW uid logging...
Dan Mahoney, System Admin
danm at prime.gushi.org
Mon Sep 8 20:04:01 UTC 2008
On Mon, 8 Sep 2008, Dan Nelson wrote:
> In the last episode (Sep 08), Dan Mahoney, System Admin said:
>> I have the following rule set up in ipfw to limit the exposure of bad
>> php scripts and trojans that try to send mail directly.
>> allow tcp from any to any dst-port 25 uid root
>> deny log tcp from any to any dst-port 25 out
>> However, the log messages I get look like this:
>> Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 18.104.22.168:58117 22.214.171.124:25 out via em0
>> Sep 8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 126.96.36.199:56672 188.8.131.52:25 out via em0
>> Which is to say, they don't include the UID -- and I have several hundred
>> sites, each with its own UID.
>> Yes, I could go ahead and set up a thousand "deny" rules, one for
>> each UID -- but being able to log this info (since it IS being
>> checked) would be great.
> It should be possible to add a couple more arguments to ipfw_log() so
> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
> fw_ugid_cache struct. Then you can edit ipfw_log to print the contents
> of that struct if ugid_lookup==1. That would result in the logging of
> uid for any failed packet that had to go through a uid check on the way
> to the deny rule.
Okay, so if it's fairly easy to do, the question would be "since I don't
feel right hacking in this change myself -- how could I propose this as a
feature?" It's not a BUG per-se, but I think it could be useful to others
Pika Pika Pika!
-Pikachu, of Pokemon fame.
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
More information about the freebsd-hackers