From owner-freebsd-isp@FreeBSD.ORG Fri Oct 31 11:31:22 2008
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A254A1065673 for ; Fri, 31 Oct 2008 11:31:22 +0000 (UTC) (envelope-from prvs=019048b85c=dennis@deerfieldhosting.com)
Received: from mail.plservers.com (mail.plservers.com [72.233.76.98]) by mx1.freebsd.org (Postfix) with ESMTP id 802198FC21 for ; Fri, 31 Oct 2008 11:31:22 +0000 (UTC) (envelope-from prvs=019048b85c=dennis@deerfieldhosting.com)
Received: from [69.202.159.5] (helo=main.here) by mail.plservers.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KvrZt-00083h-Lw for freebsd-isp@freebsd.org; Fri, 31 Oct 2008 06:50:06 -0400
Received: from localhost ([127.0.0.1] helo=main.here) by main.here with esmtp (Exim 4.69 (FreeBSD)) (envelope-from ) id 1KvrYs-000Cq8-K0 for freebsd-isp@freebsd.org; Fri, 31 Oct 2008 06:49:02 -0400
Received: from 10.0.0.6 (SquirrelMail authenticated user dennis@deerfieldhosting.com) by main.here with HTTP; Fri, 31 Oct 2008 06:49:02 -0400 (EDT)
Message-ID: <59140.10.0.0.6.1225450142.squirrel@main.here>
Date: Fri, 31 Oct 2008 06:49:02 -0400 (EDT)
From: "Dennis Mathiasen"
To: "freebsd-isp@freebsd.org"
User-Agent: SquirrelMail/1.4.10a
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-ACL-Warn: spam check completed
Subject: PF firewall and user logging
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: dennis@deerfieldhosting.com
List-Id: Internet Services Providers
X-List-Received-Date: Fri, 31 Oct 2008 11:31:22 -0000

Hi,

On a 7.1-PRERELEASE amd64 system using the pf firewall I am attempting to
get user logging working with lines like this:

    pass out quick on em0 proto tcp from any to port { 80, 443 } queue www
    block out quick log (user, to pflog0) on em0 proto tcp from any to any port 80

Some outbound connections need to be allowed (like twitter.com, akismet.com,
etc.) but most should not be.

The problem is that no user information is included in the log. I found
posts suggesting that

    tcpdump -n -e -v -r /var/log/pflog

should show userid information, but it doesn't. Nor does -vv or -vvv.

Because our customers are frequently lazy about updating PHP-based software,
their sites occasionally get compromised. While I can eventually locate the
problem user, it can take time. Sometimes the criminals who do this stuff
are smart about it and only run their scripts sporadically, making this very
difficult.

Has anyone run into this and found a solution? Am I missing something?

Thanks!

Dennis Mathiasen
dennis@deerfieldhosting.com
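The following pf.conf fragment is an added example, not the poster's configuration or anything from the list. It keeps the allow-list plus block-and-log policy described in the post and adds one logging rule per customer UID, so that the rule number pflog records for each blocked connection identifies the user even when the uid field is not visible in tcpdump output. The interface name em0 and the queue name www come from the post; the user names cust1 and cust2 and the contents of the allow-list table are placeholders, and the www queue is assumed to be defined elsewhere in the file.

```pf
# Added example (not the original poster's pf.conf). Assumes the web
# server's egress interface is em0, that each customer's PHP runs under
# its own UID, and that the "www" ALTQ queue is defined elsewhere.
ext_if = "em0"

# Destinations that outbound HTTP/HTTPS may reach. Hostnames in a table
# are resolved when the ruleset is loaded, so reload after DNS changes.
# (placeholder list; twitter.com and akismet.com are the post's own examples)
table <allowed_out> { twitter.com, akismet.com }

# Explicit allow-list first.
pass out quick on $ext_if proto tcp from any to <allowed_out> port { 80, 443 } queue www

# Everything else outbound to 80/443 is blocked and logged. The "user"
# criterion matches the UID owning the local socket, so one rule per
# customer account gives each account its own rule number in pflog.
# (cust1 / cust2 are placeholder account names)
block out log (user, to pflog0) quick on $ext_if proto tcp from any to any port { 80, 443 } user cust1
block out log (user, to pflog0) quick on $ext_if proto tcp from any to any port { 80, 443 } user cust2

# Catch-all for any other UID, still logged so nothing slips through silently.
block out log (user, to pflog0) quick on $ext_if proto tcp from any to any port { 80, 443 }
```

Check the file with `pfctl -vnf /etc/pf.conf` before loading it, and print the loaded ruleset with `pfctl -vvsr`, which prefixes each rule with its number (`@N`). A blocked connection then shows up in `tcpdump -n -e -ttt -r /var/log/pflog` as `rule N/0(match): block out on em0: ...`, and that N maps straight back to the per-customer rule, which is usually enough to find the compromised account without relying on the uid field being printed.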