IPFW uid logging...

Dan Mahoney, System Admin danm at prime.gushi.org
Mon Sep 8 20:04:01 UTC 2008

On Mon, 8 Sep 2008, Dan Nelson wrote:

> In the last episode (Sep 08), Dan Mahoney, System Admin said:
>> I have the following rule set up in ipfw to limit the exposure of bad
>> php scripts and trojans that try to send mail directly.
>> allow tcp from any to any dst-port 25 uid root
>> deny log tcp from any to any dst-port 25 out
>> However, the log messages I get look like this:
>> Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP out via em0
>> Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP out via em0
>> Which is to say, they don't include the UID -- and I have several hundred
>> sites, each with its own UID.
>> Yes, I could go ahead and set up a thousand "deny" rules, one for
>> each UID -- but being able to log this info (since it IS being
>> checked) would be great.
> It should be possible to add a couple more arguments to ipfw_log() so
> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
> fw_ugid_cache struct.  Then you can edit ipfw_log to print the contents
> of that struct if ugid_lookup==1.  That would result in the logging of
> uid for any failed packet that had to go through a uid check on the way
> to the deny rule.

Okay, so if it's fairly easy to do, the question would be "since I don't 
feel right hacking in this change myself -- how could I propose this as a 
feature?"  It's not a BUG per-se, but I think it could be useful to others 
as well.



Pika Pika Pika!

-Pikachu, of Pokemon fame.

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org

More information about the freebsd-questions mailing list