From owner-freebsd-hackers@FreeBSD.ORG Mon Sep 8 20:04:01 2008
Date: Mon, 8 Sep 2008 16:03:29 -0400 (EDT)
From: "Dan Mahoney, System Admin"
To: Dan Nelson
Cc: hackers@freebsd.org, questions@freebsd.org
Subject: Re: IPFW uid logging...
In-Reply-To: <20080908185106.GB6629@dan.emsphone.com>

On Mon, 8 Sep 2008, Dan Nelson wrote:

> In the last episode (Sep 08), Dan Mahoney, System Admin said:
>> I have the following rule set up in ipfw to limit the exposure of bad
>> php scripts and trojans that try to send mail directly.
>>
>> allow tcp from any to any dst-port 25 uid root
>> deny log tcp from any to any dst-port 25 out
>>
>> However, the log messages I get look like this:
>>
>> Sep 8 13:21:11 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
>> Sep 8 13:21:16 prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
>>
>> Which is to say, they don't include the UID -- and I have several hundred
>> sites, each with its own UID.
>>
>> Yes, I could go ahead and set up a thousand "deny" rules, one for
>> each UID -- but being able to log this info (since it IS being
>> checked) would be great.
>
> It should be possible to add a couple more arguments to ipfw_log() so
> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
> fw_ugid_cache struct. Then you can edit ipfw_log to print the contents
> of that struct if ugid_lookup==1. That would result in the logging of
> uid for any failed packet that had to go through a uid check on the way
> to the deny rule.

Okay, so if it's fairly easy to do, the question would be "since I don't feel right hacking in this change myself -- how could I propose this as a feature?"
It's not a BUG per se, but I think it could be useful to others as well.

-Dan

--
Pika Pika Pika!
-Pikachu, of Pokemon fame.

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
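The per-UID workaround the original message mentions, worked through as an added example (not code from the thread or from FreeBSD): since the ipfw log line already carries the rule number, giving each UID its own numbered, logged deny rule lets the existing kernel log identify the sending account. The rule-number base (10000) and the passwd lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: one "deny log" rule per local UID so that the rule
# number in "ipfw: NNN Deny ..." maps back to the uid. Rule numbers are
# BASE + uid (BASE is a hypothetical choice; ipfw rule numbers must stay
# below 65535, so uids that would overflow are skipped).
BASE=10000

# Constructed sample passwd lines, not a real system's file.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
site1:*:1001:1001:Site 1:/home/site1:/bin/sh
site2:*:1002:1002:Site 2:/home/site2:/bin/sh'

# Emit "ipfw add" commands from passwd-format input ($1). Root keeps the
# low-numbered allow rule from the thread; every other uid gets its own
# logged deny rule numbered BASE + uid.
gen_rules() {
  printf '%s\n' "$1" | awk -F: -v base="$BASE" '
    $3 == 0 { print "ipfw add 600 allow tcp from any to any dst-port 25 uid root"; next }
    $3 + base > 65535 { next }
    { printf "ipfw add %d deny log tcp from any to any dst-port 25 out uid %d\n", base + $3, $3 }
  '
}

# Extract the rule number from a kernel log line such as
# "... kernel: ipfw: 11001 Deny TCP ...".
rule_from_log() {
  printf '%s\n' "$1" | sed -n 's/.*ipfw: \([0-9][0-9]*\) Deny.*/\1/p'
}

# Map a logged rule number back to the uid that triggered it.
uid_from_rule() {
  printf '%s\n' "$(( $1 - BASE ))"
}
```

Feed `gen_rules "$(cat /etc/passwd)"` to `sh` on a real host only after reviewing the output, since it adds one rule per account.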