PF firewall and user logging

Dennis Mathiasen dennis at deerfieldhosting.com
Fri Oct 31 04:31:22 PDT 2008


Hi,

On a 7.1-PRERELEASE amd64 system using the pf firewall I am attempting to get
user logging working with lines like this:

pass out quick on em0 proto tcp from any to <http_out> port { 80, 443 } queue www
block out quick log (user, to pflog0) on em0 proto tcp from any to any port 80

Some outbound connections need to be allowed (like twitter.com, akismet.com,
etc.) but most should not be.

The problem is that no user information is included in the log.  I found posts
suggesting that tcpdump -n -e -v -r /var/log/pflog should show userid
information, but it doesn't.  Nor does -vv or -vvv.

Because our customers are frequently lazy about updating php based software
their sites occasionally get compromised.  While I can eventually locate the
problem user, it can take time.  Sometimes the criminals who do this stuff are
smart about it and only run their scripts sporadically making this very
difficult.

Has anyone run into this and found a solution?  Am I missing something?

Thanks!

Dennis Mathiasen
dennis at deerfieldhosting.com
