Date:      Tue, 9 Sep 2008 02:36:02 -0400 (EDT)
From:      Dan Mahoney <danm@prime.gushi.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
Message-ID:  <200809090636.m896a2XR004149@prime.gushi.org>
Resent-Message-ID: <200809090700.m8970Cdw006180@freefall.freebsd.org>


>Number:         127230
>Category:       kern
>Synopsis:       Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Sep 09 07:00:12 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dan Mahoney
>Release:        FreeBSD 6.2-PRERELEASE i386
>Organization:
Gushi Systems
>Environment:
System: FreeBSD prime.gushi.org 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0: Thu Jan 18 02:05:07 EST 2007 danm@prime.gushi.org:/usr/src/sys/i386/compile/PRIME6 i386

Note: The system I'm on is 6.2, but this will likely apply to -CURRENT or -STABLE (although a patch for 6.x would be appreciated).

I have the following rule set up in ipfw to limit the exposure of bad php 
scripts and trojans that try to send mail directly.

allow tcp from any to any dst-port 25 uid root
deny log tcp from any to any dst-port 25 out

However, the log messages I get look like this:

Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0

Which is to say, they don't include the UID -- and I have several hundred 
sites, each with its own UID.

Yes, I could go ahead and set up a thousand "deny" rules, one for each UID 
-- but being able to log this info (since it IS being checked) would be 
great.

>Description:

>How-To-Repeat:

Per Jeremy Chadwick, I am referencing the following thread on the mailing lists:

http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html

>Fix:

Pray this gets included :)

>Release-Note:
>Audit-Trail:
>Unformatted:
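The per-UID "deny" rule workaround the report mentions, as an added shell example that is not part of the PR or of FreeBSD's own code: one numbered `deny log` rule per site account, so the rule number in the `ipfw: N Deny` log line identifies the UID even though ipfw does not log it. The passwd lines, the site UID range (1000..65533) and the rule base number are constructed assumptions.

```shell
# Constructed sample of /etc/passwd lines (not taken from the PR).
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
site1:*:1001:1001:Site One:/home/site1:/bin/sh
site2:*:1002:1002:Site Two:/home/site2:/bin/sh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin'

# gen_rules BASE: read passwd(5) lines on stdin and print one numbered
# "deny log" rule per site account (UID 1000..65533 is assumed to be the
# site range). Rules must be numbered above the "allow ... uid root" rule
# so root's mail still passes, and ipfw rule numbers cannot exceed 65535,
# so generation stops with an error if the numbering would overflow.
gen_rules() {
    awk -F: -v base="$1" '
        $3 >= 1000 && $3 < 65534 {
            if (base + n > 65534) {
                print "gen_rules: out of rule numbers" > "/dev/stderr"; exit 1
            }
            printf "add %d deny log tcp from any to any dst-port 25 out uid %s\n",
                   base + n, $1
            n++
        }'
}

# log_rule_num: extract the rule number from an ipfw log line on stdin,
# e.g. "... kernel: ipfw: 20001 Deny TCP 192.0.2.10:1234 198.51.100.7:25 out via em0".
log_rule_num() {
    sed -n 's/.*ipfw: \([0-9][0-9]*\) .*/\1/p'
}

# rule_to_user BASE RULENUM: with the same passwd input on stdin, map a rule
# number printed by gen_rules back to the account it was generated for.
rule_to_user() {
    awk -F: -v base="$1" -v want="$2" '
        $3 >= 1000 && $3 < 65534 {
            if (base + n == want) { print $1; exit }
            n++
        }'
}

# Usage: print the rule set for the sample accounts, numbered from 20000.
printf '%s\n' "$SAMPLE_PASSWD" | gen_rules 20000
```

Feed the generated lines to `ipfw` (e.g. `gen_rules 20000 < /etc/passwd | ipfw -q /dev/stdin`) and keep the passwd input and base number unchanged between generation and lookup, or the mapping drifts.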
