kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.

Daan Vreeken Daan at vehosting.nl
Tue Sep 9 13:20:05 UTC 2008


The following reply was made to PR kern/127230; it has been noted by GNATS.

From: Daan Vreeken <Daan at vehosting.nl>
To: freebsd-bugs at freebsd.org, Dan Mahoney <danm at prime.gushi.org>
Cc: FreeBSD-gnats-submit at freebsd.org
Subject: Re: kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
Date: Tue, 9 Sep 2008 14:36:42 +0200

 On Tuesday 09 September 2008 08:36:02 Dan Mahoney wrote:
 > >Number:         127230
 > >Category:       kern
 > >Synopsis:       Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
 > >Confidential:   no
 > >Severity:       non-critical
 > >Priority:       medium
 > >Responsible:    freebsd-bugs
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          change-request
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Tue Sep 09 07:00:12 UTC 2008
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     Dan Mahoney
 > >Release:        FreeBSD 6.2-PRERELEASE i386
 > >Organization:
 >
 > Gushi Systems
 >
 > >Environment:
 >
 > System: FreeBSD prime.gushi.org 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0:
 > Thu Jan 18 02:05:07 EST 2007
 > danm at prime.gushi.org:/usr/src/sys/i386/compile/PRIME6 i386
 >
 > Note: The system I'm on is 6.2, but this will likely apply to -CURRENT or
 > -STABLE (although a patch for 6.x would be appreciated).
 >
 > I have the following rule set up in ipfw to limit the exposure of bad php
 > scripts and trojans that try to send mail directly.
 >
 > allow tcp from any to any dst-port 25 uid root
 > deny log tcp from any to any dst-port 25 out
 >
 > However, the log messages I get look like this:
 >
 > Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
 > Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
 >
 > Which is to say, they don't include the UID -- and I have several hundred
 > sites, each with its own UID.
 >
 > Yes, I could go ahead and set up a thousand "deny" rules, one for each UID
 > -- but being able to log this info (since it IS being checked) would be
 > great.
 >
 > >Description:
 > >
 > >How-To-Repeat:
 >
 > Per Jeremy Chadwick, I am referencing the following thread on the mailing
 > lists:
 >
 > http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html
 
 Just for the record:
 I've created two patches (against -HEAD) that implement this, which can be
 found here:
 http://vehosting.nl/pub_diffs/
 
 
 -- 
 Daan Vreeken
 VEHosting
 http://VEHosting.nl
 tel: +31-(0)40-7113050 / +31-(0)6-46210825
 KvK nr: 17174380
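An added example (mine, not code from the PR or from the linked patches) of the workaround the report mentions: one logged deny rule per UID, numbered below the catch-all deny so that the rule number in the kernel log identifies the sending UID. The rule numbers 100.., the UIDs and the second log line are constructed; the root allow rule from the report is assumed to already sit before these.

```python
import re

# Kernel log line format as quoted in the PR (after the syslog prefix):
#   ipfw: <rule> <Action> <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <ifname>
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def build_ruleset(uids, catchall_rule=610, first_rule=100, dst_port=25):
    """One logged deny rule per UID (the workaround from the PR).
    ipfw evaluates rules in ascending number order, so the per-UID rules
    must be numbered below the catch-all deny (rule 610 on the page) or
    they would never be reached. first_rule=100 is a constructed choice.
    Returns (ipfw commands, rule-number -> uid map)."""
    uids = sorted(set(uids))
    if first_rule + len(uids) >= catchall_rule:
        raise ValueError("per-UID rules must fit below the catch-all deny rule")
    commands, rule_to_uid = [], {catchall_rule: None}
    for i, uid in enumerate(uids):
        num = first_rule + i
        commands.append(
            f"ipfw add {num} deny log tcp from any to any dst-port {dst_port} out uid {uid}")
        rule_to_uid[num] = uid
    commands.append(
        f"ipfw add {catchall_rule} deny log tcp from any to any dst-port {dst_port} out")
    return commands, rule_to_uid


def parse_ipfw_log(line):
    """Parse one ipfw kernel log line into a dict; None for other lines."""
    m = IPFW_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def attribute_uid(line, rule_to_uid):
    """Map the logged rule number back to the UID whose rule fired.
    Returns (rule, uid); uid is None when only the catch-all matched,
    i.e. a UID without a dedicated rule, or an unknown rule number."""
    rec = parse_ipfw_log(line)
    if rec is None:
        return None
    return rec["rule"], rule_to_uid.get(rec["rule"])
```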

