Date:      Tue, 9 Sep 2008 14:36:42 +0200
From:      Daan Vreeken <Daan@vehosting.nl>
To:        freebsd-bugs@freebsd.org, Dan Mahoney <danm@prime.gushi.org>
Cc:        FreeBSD-gnats-submit@freebsd.org
Subject:   Re: kern/127230: Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
Message-ID:  <200809091436.43128.Daan@vehosting.nl>
In-Reply-To: <200809090636.m896a2XR004149@prime.gushi.org>
References:  <200809090636.m896a2XR004149@prime.gushi.org>

On Tuesday 09 September 2008 08:36:02 Dan Mahoney wrote:
> >Number:         127230
> >Category:       kern
> >Synopsis:       Feature request to add UID and/or GID logging data to ipfw logging with uid rules.
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    freebsd-bugs
> >State:          open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class:          change-request
> >Submitter-Id:   current-users
> >Arrival-Date:   Tue Sep 09 07:00:12 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator:     Dan Mahoney
> >Release:        FreeBSD 6.2-PRERELEASE i386
> >Organization:
>
> Gushi Systems
>
> >Environment:
>
> System: FreeBSD prime.gushi.org 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #0:
> Thu Jan 18 02:05:07 EST 2007
> danm@prime.gushi.org:/usr/src/sys/i386/compile/PRIME6 i386
>
> Note: The system I'm on is 6.2, but this will likely apply to -CURRENT or
> -STABLE (although a patch for 6.x would be appreciated).
>
> I have the following rule set up in ipfw to limit the exposure of bad php
> scripts and trojans that try to send mail directly.
>
> allow tcp from any to any dst-port 25 uid root
> deny log tcp from any to any dst-port 25 out
>
> However, the log messages I get look like this:
>
> Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP
> 72.9.101.130:58117 209.85.133.114:25 out via em0
> Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP
> 72.9.101.130:56672 202.12.31.144:25 out via em0
>
> Which is to say, they don't include the UID -- and I have several hundred
> sites, each with its own UID.
>
> Yes, I could go ahead and set up a thousand "deny" rules, one for each UID
> -- but being able to log this info (since it IS being checked) would be
> great.
>
> >Description:
> >
> >How-To-Repeat:
>
> Per Jeremy Chadwick, I am referencing the following thread on the mailing
> lists:
>
> http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html

Just for the record:
I've created two patches (against -HEAD) that implement this, which can be
found here:
http://vehosting.nl/pub_diffs/


-- 
Daan Vreeken
VEHosting
http://VEHosting.nl
tel: +31-(0)40-7113050 / +31-(0)6-46210825
KvK nr: 17174380
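The report above quotes the ipfw log format and describes the only workaround available without the requested feature: one "deny log" rule per UID, so that the rule number in the log line identifies the user. The following Python is an added example, not code from the thread or from FreeBSD; it parses log lines in the quoted format, generates per-UID rules from a constructed list of site UIDs, and maps logged denials back to a UID by rule number. The starting rule number (60000) and the UID list are assumptions; they must be chosen so the generated numbers do not collide with rules already loaded.

```python
import re
from typing import Optional

# Regex for the ipfw log format quoted in the report (TCP/UDP lines carry ports).
# Lines for protocols logged without ports (e.g. ICMP) are deliberately not matched.
IPFW_LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line: str) -> Optional[dict]:
    """Extract the fields ipfw puts in a log line; None if it is not a TCP/UDP ipfw log line."""
    m = IPFW_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def uid_rules(uids, base=60000):
    """Generate one 'deny log' rule per UID (the workaround described in the report).

    Returns {rule_number: (uid, ipfw_command_body)}.  'base' is an assumption: the
    numbers must not collide with existing rules, and ipfw rule numbers end at 65535.
    """
    uids = sorted(set(uids))
    if base + len(uids) > 65535:
        raise ValueError("not enough rule numbers above base for all UIDs")
    return {
        base + i: (uid, f"add {base + i} deny log tcp from any to any dst-port 25 out uid {uid}")
        for i, uid in enumerate(uids)
    }


def attribute_denials(log_text: str, rules: dict):
    """Map each logged Deny back to a UID via its rule number.

    UID is None when the rule number is not in the per-UID table (e.g. a single
    catch-all rule such as rule 610 in the report).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        uid = rules.get(rec["rule"], (None,))[0]
        hits.append((uid, rec["src"], rec["dst"], rec["dport"]))
    return hits


# Constructed sample log: the first two lines mirror the report's own output (one
# catch-all rule 610); the third shows what a per-UID rule number yields instead.
SAMPLE_LOG = """\
Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
Sep  8 13:22:03 <security.info> prime kernel: ipfw: 60001 Deny TCP 72.9.101.130:51234 192.0.2.25:25 out via em0
"""

# Constructed: one UID per hosted site, as in the report's setup.
SITE_UIDS = [1000, 1001, 1002]

if __name__ == "__main__":
    rules = uid_rules(SITE_UIDS)
    for num in sorted(rules):
        print("ipfw", rules[num][1])
    for uid, src, dst, dport in attribute_denials(SAMPLE_LOG, rules):
        print(f"uid={uid} {src} -> {dst}:{dport}")
```

The rules are emitted in rule-number order so they can be fed to ipfw as-is, ahead of the existing catch-all deny; once they are loaded, the rule number in each Deny line is enough to name the offending site UID.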


