IPFW uid logging...

Dan Nelson dnelson at allantgroup.com
Mon Sep 8 19:41:50 UTC 2008


In the last episode (Sep 08), Dan Mahoney, System Admin said:
> I have the following rule set up in ipfw to limit the exposure of bad
> php scripts and trojans that try to send mail directly.
> 
> allow tcp from any to any dst-port 25 uid root
> deny log tcp from any to any dst-port 25 out
> 
> However, the log messages I get look like this:
> 
> Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
> Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
> 
> Which is to say, they don't include the UID -- and I have several hundred 
> sites, each with its own UID.
> 
> Yes, I could go ahead and set up a thousand "deny" rules, one for
> each UID -- but being able to log this info (since it IS being
> checked) would be great.

It should be possible to add a couple more arguments to ipfw_log() so
that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
fw_ugid_cache struct.  Then you can edit ipfw_log to print the contents
of that struct if ugid_lookup==1.  That would result in the logging of
uid for any failed packet that had to go through a uid check on the way
to the deny rule.

-- 
	Dan Nelson
	dnelson at allantgroup.com
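Until the kernel change sketched above lands, the uid can often be recovered after the fact in user space. Because `deny` silently drops the SYN, the offending client socket stays in SYN_SENT (retransmitting) for the connect timeout, so it is still visible to sockstat(1) for a while after the syslog line appears, and the local address:port pair in the log line is enough to join the two. The script below is an added example, not code from the thread or from FreeBSD; it assumes the `sockstat -4 -P tcp` column layout `USER COMMAND PID FD PROTO LOCAL FOREIGN` (check your release), and the usernames, PIDs and sockstat snapshot are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the kernel's ipfw log format as quoted in the thread:
#   ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out)"
)

Owner = Tuple[str, str, str]              # (user, command, pid)
SockTable = Dict[Tuple[str, str], Owner]  # (local, foreign) -> owner


def parse_ipfw_line(line: str) -> Optional[dict]:
    """Pull rule number, action, proto, endpoints and direction out of one syslog line."""
    m = IPFW_RE.search(line)
    return m.groupdict() if m else None


def parse_sockstat(text: str) -> SockTable:
    """Index `sockstat -4 -P tcp` output by (local, foreign) endpoint.

    Assumed column layout (an assumption, verify against your system):
        USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
    """
    table: SockTable = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":
            continue  # header or blank line
        user, command, pid, _fd, proto, local, foreign = fields[:7]
        if proto != "tcp4":
            continue
        table[(local, foreign)] = (user, command, pid)
    return table


def attribute(log_lines: List[str], sockstat_text: str):
    """For each outbound Deny line, look up who owns the client socket.

    Returns a list of (rule, local, foreign, owner_or_None) tuples. A None
    owner means the socket was already gone (or never existed locally,
    e.g. a forwarded packet), so the uid cannot be recovered this way.
    """
    socks = parse_sockstat(sockstat_text)
    out = []
    for line in log_lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny" or rec["dir"] != "out":
            continue
        local = f'{rec["src"]}:{rec["sport"]}'
        foreign = f'{rec["dst"]}:{rec["dport"]}'
        out.append((rec["rule"], local, foreign, socks.get((local, foreign))))
    return out


# Constructed sample input: the two log lines quoted in the thread, plus a
# made-up sockstat snapshot in which only the first connection is still open.
SAMPLE_LOG = [
    "Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP "
    "72.9.101.130:58117 209.85.133.114:25 out via em0",
    "Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP "
    "72.9.101.130:56672 202.12.31.144:25 out via em0",
]
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
site042  php        4182  5  tcp4   72.9.101.130:58117    209.85.133.114:25
root     sendmail   911   4  tcp4   *:25                  *:*
"""

if __name__ == "__main__":
    for rule, local, foreign, owner in attribute(SAMPLE_LOG, SAMPLE_SOCKSTAT):
        who = (f"user {owner[0]} ({owner[1]} pid {owner[2]})" if owner
               else "owner unknown (socket already gone)")
        print(f"rule {rule}: {local} -> {foreign}: {who}")
```

In production you would feed `attribute()` the syslog line as it arrives and a fresh `sockstat -4 -P tcp` capture taken immediately afterwards; the join is racy and only works while the blocked socket lingers, so a `reset` or `unreach` action in place of `deny` (which makes connect() fail at once) would defeat it. It is a stopgap: the uid is already known inside ipfw_chk() at the moment the packet is denied, which is why passing it through to ipfw_log() as proposed above is the proper fix.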


More information about the freebsd-hackers mailing list