From: Terje Elde
To: Artem Kuchin
Cc: freebsd-questions@freebsd.org
Subject: Re: Determine which user started tcp connection
Date: Sun, 29 Nov 2015 21:03:00 +0100
Message-Id: <4FF464A5-B344-40D1-89BA-6AFB3DF81A5A@elde.net>
In-Reply-To: <565B1695.6050604@artem.ru>

> On 29 Nov 2015, at 16:15, Artem Kuchin wrote:
>
> I have a jail with shared hosting. Many sites are hosted. Each on its own user.
> I want to monitor their external connections. I allow external connections but want to
> see what's going on.
> IPFW allows easily to see all outgoing connection setups from jail, but I cannot
> see which user started it.
> I googled and I see that requests to add UID to IPFW log were first in 2008 but
> I still do not see it in the version 10.
>
> So, is there a way to log UID and connection params (dst ip and port)?

pflog can give you that.

It can give you pid as well, and combined with audit-logging, that could give you the program that's causing it, not just the user.

Terje
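
A pf.conf sketch of the pflog approach suggested in the reply above, added here as an example and not part of the original post. The interface name and jail address are assumed placeholders; `log (user)` is the pf option that records the uid and pid of the socket owner.

```conf
# /etc/pf.conf fragment (added example; values below are assumptions)
ext_if  = "em0"          # hypothetical external interface
jail_ip = "192.0.2.10"   # hypothetical jail address (documentation range)

# Pass outbound TCP from the jail and log each connection setup.
# "log (user)" adds the uid of the user owning the socket and the pid of
# the process holding it to the pflog record.
# With "keep state" only the state-creating packet is logged, so each
# outbound connection produces one entry carrying dst ip and port.
pass out log (user) on $ext_if inet proto tcp \
    from $jail_ip to any flags S/SA keep state

# Prerequisites in /etc/rc.conf:
#   pf_enable="YES"
#   pflog_enable="YES"
#
# Watch entries live on the pflog interface:
#   tcpdump -n -e -ttt -i pflog0
# Or read the file written by pflogd:
#   tcpdump -n -e -ttt -r /var/log/pflog
```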