From owner-freebsd-pf@FreeBSD.ORG Thu Jan 13 22:33:14 2005
From: security@revolutionsp.com
To: freebsd-pf@freebsd.org
Date: Thu, 13 Jan 2005 13:28:10 -0600 (CST)
Message-ID: <53197.81.84.175.77.1105644490.squirrel@81.84.175.77>
Subject: Two feature suggestions for pf..
List-Id: Technical discussion and general questions about packet filter (pf)

Hi,

I hope this is the right place to discuss this.. I've had a couple of features that I think would fit nicely in pf, but only now I'm sending this email..

First of all, I believe pf is the best firewall around, I've been using it since there was a port available to FreeBSD :-). Also, sorry if this was previously discussed as I did not check the archives.

Here are my two proposed features for pf:

1) Add the username of the blocked packet to the pf log.

Currently, it's hard to trace an outgoing blocked packet to a username unless you're watching real-time. For example:

    2005-01-11 03:03:40.777286 rule 92/0(match): block out on em0: IP xxx.xxx.xxx.xxx.59167 > zzz.zzz.zzz.zzz.6667: FP 0:24(24) ack 1 win 32832

I think the username that triggered the rule would fit really nicely and would be really handy.. like this:

    2005-01-11 03:03:40.777286 rule 92/0(match): block out on em0: IP xxx.xxx.xxx.xxx.59167 > zzz.zzz.zzz.zzz.6667: FP 0:24(24) ack 1 win 32832 user UserName

This would greatly reduce the time needed to find someone abusing the firewall from inside the system, for example trying to portscan someone and most of the packets hitting the firewall.. This shouldn't be too hard to implement.

2) Different blocked traffic goes to different logfiles

My other idea is based on the following concept.. Normally your server sits there, serving requests etc, blocks some scans on the firewall, random bruteforce attacks, and so on. But, if unfortunately your server is a target of a DDoS attack, then all the attack log will be with the rest of the junk your server receives. Although not impossible, filtering the log to obtain only the DDoS attack log for analysis still takes its time.

My suggestion is: Why not allow a directive on pf.conf that lets you specify to which logfile that rule should be logged to?

Using this model, you could set up some rules aimed at blocking traffic, but then the logging will be on its own, private, separate file. You could set up several rules you know will never be matched unless there is an attempt to attack the server (etc), and, when matched, they'll be easily available on a (possibly) small logfile, instead of the general, big big log.

This also helps a lot tracking failed attack attempts, each on its own log.. thus cutting down the time one needs to find any blocked packets in the logs: You always know it will be in file A,B,C..

Again, if these have already been discussed in the past, I'm sorry. If not, please give some feedback.
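The second suggestion (per-rule logfiles) can be approximated today in userland, without any change to pf: read the decoded pflog text (the `rule N/M(match): block ...` lines shown above) and demultiplex each record into a bucket chosen by its rule number, with everything unmapped falling through to the general log. The following is an added example written for this thread, not code from the original post or from the pf project; the sample log lines are constructed (documentation addresses from RFC 5737), and the `rule_to_file` mapping is a hypothetical operator choice of which rule numbers belong to which file.

```python
import os
import re
from collections import Counter, defaultdict

# Matches one decoded pflog record in the format quoted in the post
# (timestamp, rule number/sub-rule, reason, action, direction, interface,
# IP src > dst, and the rest of the tcpdump summary).
LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): '
    r'(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): '
    r'IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$'
)

# Constructed sample input, in the same shape as the lines the post quotes.
SAMPLE_LOG = """\
2005-01-11 03:03:40.777286 rule 92/0(match): block out on em0: IP 192.0.2.10.59167 > 198.51.100.7.6667: FP 0:24(24) ack 1 win 32832
2005-01-11 03:03:41.101010 rule 92/0(match): block out on em0: IP 192.0.2.10.59168 > 198.51.100.7.6667: S 0:0(0) win 65535
2005-01-11 03:03:42.500000 rule 17/0(match): block in on em0: IP 203.0.113.5.4444 > 192.0.2.10.22: S 0:0(0) win 5840
2005-01-11 03:03:42.600000 rule 17/0(match): block in on em0: IP 203.0.113.6.4444 > 192.0.2.10.22: S 0:0(0) win 5840
2005-01-11 03:03:43.000000 rule 3/0(match): block in on em0: IP 203.0.113.9.5353 > 192.0.2.10.137: UDP, length 50
this line is not a pflog record
"""


def parse_line(line):
    """Return a dict of fields for one pflog text line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sub"] = int(rec["sub"])
    return rec


def split_by_rule(text, rule_to_file=None):
    """Route each record to the logical logfile configured for its rule number.

    rule_to_file maps rule number -> file name (hypothetical operator policy);
    records whose rule is not listed go to "general".  Returns (buckets, unparsed)
    where buckets maps file name -> list of original lines and unparsed counts
    the lines that did not look like pflog records at all.
    """
    rule_to_file = rule_to_file or {}
    buckets = defaultdict(list)
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        buckets[rule_to_file.get(rec["rule"], "general")].append(line)
    return dict(buckets), unparsed


def top_sources(lines, n=10):
    """Count source hosts (port suffix stripped) in one bucket, most frequent first.
    This is the kind of quick summary the post wants for a separated attack log."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["src"].rsplit(".", 1)[0]] += 1
    return counts.most_common(n)


def write_buckets(buckets, directory):
    """Append each bucket to <directory>/<name>.log; returns the paths written."""
    paths = []
    os.makedirs(directory, exist_ok=True)
    for name, lines in buckets.items():
        path = os.path.join(directory, name + ".log")
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    policy = {17: "ssh-probes", 92: "irc-out"}  # hypothetical rule -> file mapping
    buckets, bad = split_by_rule(SAMPLE_LOG, policy)
    for name, lines in buckets.items():
        print(f"{name}: {len(lines)} records, top sources {top_sources(lines)}")
    print(f"unparsed lines: {bad}")
```

In practice the input would come from `tcpdump -n -e -ttt -r /var/log/pflog` (or from the live pflog0 interface) piped into this script, and `write_buckets` would be pointed at the log directory. Later pf releases added a `log (to pflogN)` rule option that sends a rule's logged packets to a chosen pflog interface, which is the in-kernel form of the same idea; the userland split shown here works with any pflog text and lets the operator regroup rules after the fact.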