Two feature suggestions for pf..

[security at revolutionsp.com]

Hi,

I hope this is the right place to discuss this.. I've had a couple of
features that I think would fit nicely in pf, but only now I'm sending
this email..

First of all, I believe pf is the best firewall around, I've been using it
since there was a port available to FreeBSD :-). Also, sorry if this was
previously discussed as I did not check the archives.

Here are my two proposed features for pf:

1) Add the username of the blocked packet to the pf log. Currently, it's
hard to trace an outgoing blocked packet to a username unless you're
watching real-time. For example:

2005-01-11 03:03:40.777286 rule 92/0(match): block out on em0: IP
xxx.xxx.xxx.xxx.59167 > zzz.zzz.zzz.zzz.6667: FP 0:24(24) ack 1 win 32832
<nop,nop,timestamp 21705093 1375749783>

I think the username that triggered the rule would fit really nicely and
would be really handy.. like this:

2005-01-11 03:03:40.777286 rule 92/0(match): block out on em0: IP
xxx.xxx.xxx.xxx.59167 > zzz.zzz.zzz.zzz.6667: FP 0:24(24) ack 1 win 32832
<nop,nop,timestamp 21705093 1375749783> user UserName

This would greatly reduce the time needed to find someone abusing the
firewall from inside the system, for example trying to portscan someone
and most of the packets hitting the firewall.. This shouldn't be too hard
to implement.

2) Different blocked traffic goes to different logfiles

My other idea is based on the following concept.. Normally your server
sits there, serving requests etc, blocks some scans on the firewall,
random bruteforce attacks, and so on. But, if unfornately your server is a
target of a DDoS attack, then all the attack log will be with the rest of
the junk your server receives. Altough not impossible, filtering the log
to obtain only the DDoS attack log for analysis still takes it's time. My
suggestion is: Why not allow a directive on pf.conf that let's you specify
to which logfile that rule should be logged to ? Using this model, you
could set up some rules aimed at blocking traffic, but then the logging
will be on it's own, private, separate file. You could set up several
rules you know will never be matched unless there is an attempt to attack
the server (etc), and, when matched, they'll be easily available on a
(possibly) small logfile, instead of the geral, big big log.
This also helps a lot tracking failed attack attempts, each on it's own
log.. thus cutting down the time one needs to find any blocked packets in
the logs: You always know it will be in file A,B,C..

Again, if these have already been discussed in the past, I'm sorry. If
not, please give some feedback.