IPFW uid logging...

Jeremy Chadwick koitsu at FreeBSD.org
Tue Sep 9 00:58:41 UTC 2008


On Mon, Sep 08, 2008 at 04:03:29PM -0400, Dan Mahoney, System Admin wrote:
> On Mon, 8 Sep 2008, Dan Nelson wrote:
>
>> In the last episode (Sep 08), Dan Mahoney, System Admin said:
>>> I have the following rule set up in ipfw to limit the exposure of bad
>>> php scripts and trojans that try to send mail directly.
>>>
>>> allow tcp from any to any dst-port 25 uid root
>>> deny log tcp from any to any dst-port 25 out
>>>
>>> However, the log messages I get look like this:
>>>
>>> Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
>>> Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
>>>
>>> Which is to say, they don't include the UID -- and I have several hundred
>>> sites, each with its own UID.
>>>
>>> Yes, I could go ahead and set up a thousand "deny" rules, one for
>>> each UID -- but being able to log this info (since it IS being
>>> checked) would be great.
>>
>> It should be possible to add a couple more arguments to ipfw_log() so
>> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
>> fw_ugid_cache struct.  Then you can edit ipfw_log to print the contents
>> of that struct if ugid_lookup==1.  That would result in the logging of
>> uid for any failed packet that had to go through a uid check on the way
>> to the deny rule.
>
> Okay, so if it's fairly easy to do, the question would be "since I don't
> feel right hacking in this change myself -- how could I propose this as a
> feature?"  It's not a BUG per se, but I think it could be useful to
> others as well.

send-pr it.  Category=kern, Class=change-request.

Reference this thread in the Fix section:

http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html

FWIW, I think it's also a good idea.  The output formatting of the log
line might need to be adjusted "carefully" though, since any programs
which grep on a very strict regex will start failing.  I'm inclined
to recommend the string ", UID xxx" be appended to the existing string,
e.g.

Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0, UID 6592

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
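The consumer side of the proposed log change, as an added example that is not code from this thread or from FreeBSD: a small Python parser that accepts both the current ipfw log line and the proposed form with ", UID n" appended, counts denied outbound port-25 attempts per UID, and shows why a regex that anchors on the interface name at end of line stops matching once the suffix appears. The sample syslog lines (documentation addresses, same layout as the lines quoted above) and the uid-to-site mapping are constructed for the example, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape shown in the thread (not real
# traffic): three in the format ipfw emits today, and three in the proposed
# format with ", UID <n>" appended after the interface name.
SAMPLE_LOG = """\
Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 192.0.2.10:58117 198.51.100.25:25 out via em0
Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 192.0.2.10:56672 198.51.100.26:25 out via em0
Sep  8 13:21:20 <security.info> prime kernel: ipfw: 600 Accept TCP 192.0.2.10:49152 198.51.100.26:25 out via em0
Sep  8 13:21:31 <security.info> prime kernel: ipfw: 610 Deny TCP 192.0.2.10:58120 198.51.100.25:25 out via em0, UID 6592
Sep  8 13:21:35 <security.info> prime kernel: ipfw: 610 Deny TCP 192.0.2.10:58121 198.51.100.27:25 out via em0, UID 6592
Sep  8 13:21:40 <security.info> prime kernel: ipfw: 610 Deny TCP 192.0.2.10:58122 198.51.100.25:25 out via em0, UID 7001
"""

# Hypothetical uid -> site mapping standing in for /etc/passwd on a shared
# web host (an assumption for the example, not data from the thread).
SITE_OWNERS = {6592: "www-example-org", 7001: "www-example-net"}

# A strict pattern of the kind the reply warns about: it anchors the
# interface name at end of line, so a line with ", UID n" appended no
# longer matches and silently drops out of any report built on it.
STRICT_RE = re.compile(
    r"ipfw: (\d+) Deny TCP (\S+):(\d+) (\S+):(\d+) out via (\S+)$")

# A tolerant pattern: same fields, interface name stops at a comma, and the
# UID suffix is optional, so both the current and the proposed line parse.
TOLERANT_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>[^\s,]+)(?:, UID (?P<uid>\d+))?$")


def parse_line(line):
    """Return the ipfw fields of one syslog line as a dict, or None if the
    line is not an ipfw log line.  'uid' is an int, or None when the line
    carries no UID (the current format)."""
    m = TOLERANT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["uid"] = int(rec["uid"]) if rec["uid"] is not None else None
    return rec


def count_strict_matches(log_text):
    """How many lines the strict, end-anchored regex still recognises."""
    return sum(1 for line in log_text.splitlines() if STRICT_RE.search(line))


def smtp_denies_by_uid(log_text):
    """Count denied outbound connections to port 25 per UID.  Lines in the
    old format carry no UID and are counted under None."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "Deny" and rec["dir"] == "out" and rec["dport"] == 25:
            counts[rec["uid"]] += 1
    return counts


def report(log_text, owners=SITE_OWNERS):
    """Render the per-UID counts as (label, count) rows, most denies first,
    resolving each UID to the site that owns it where the mapping knows it."""
    rows = []
    for uid, n in smtp_denies_by_uid(log_text).most_common():
        if uid is None:
            label = "uid not logged"
        else:
            label = "uid %d (%s)" % (uid, owners.get(uid, "unknown site"))
        rows.append((label, n))
    return rows


if __name__ == "__main__":
    print("strict regex matches: %d of %d lines" %
          (count_strict_matches(SAMPLE_LOG), len(SAMPLE_LOG.splitlines())))
    for label, n in report(SAMPLE_LOG):
        print("%-32s %d" % (label, n))
```

Run against the sample, the strict pattern matches only the two old-format lines, while the tolerant parser attributes the later denies to uids 6592 and 7001; the two old-format denies remain unattributed, which is exactly the gap the proposed suffix closes.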


