On Mon, Sep 08, 2008 at 04:03:29PM -0400, Dan Mahoney, System Admin wrote: > On Mon, 8 Sep 2008, Dan Nelson wrote: > >> In the last episode (Sep 08), Dan Mahoney, System Admin said: >>> I have the following rule set up in ipfw to limit the exposure of bad >>> php scripts and trojans that try to send mail directly. >>> >>> allow tcp from any to any dst-port 25 uid root >>> deny log tcp from any to any dst-port 25 out >>> >>> However, the log messages I get look like this: >>> >>> Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP >>> 184.108.40.206:58117 220.127.116.11:25 out via em0 >>> Sep 8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP >>> 18.104.22.168:56672 22.214.171.124:25 out via em0 >>> >>> Which is to say, they don't include the UID -- and I have several hundred >>> sites, each with its own UID. >>> >>> Yes, I could go ahead and set up a thousand "deny" rules, one for >>> each UID -- but being able to log this info (since it IS being >>> checked) would be great. >> >> It should be possible to add a couple more arguments to ipfw_log() so >> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the >> fw_ugid_cache struct. Then you can edit ipfw_log to print the contents >> of that struct if ugid_lookup==1. That would result in the logging of >> uid for any failed packet that had to go through a uid check on the way >> to the deny rule. > > Okay, so if it's fairly easy to do, the question would be "since I don't > feel right hacking in this change myself -- how could I propose this as a > feature?" It's not a BUG per-se, but I think it could be useful to > others as well.
send-pr it. Category=kern, Class=change-request. Reference this thread in the Fix section: http://lists.freebsd.org/pipermail/freebsd-hackers/2008-September/025920.html FWIW, I think it's also a good idea. The output formatting of the log line might need to be adjusted "carefully" though, since any programs which grep on a very strict regex will start failing. I'm inclined to recommend the string ", UID xxx" be appended to the existing string, e.g. Sep 8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 126.96.36.199:58117 188.8.131.52:25 out via em0, UID 6592 -- | Jeremy Chadwick jdc at parodius.com | | Parodius Networking http://www.parodius.com/ | | UNIX Systems Administrator Mountain View, CA, USA | | Making life hard for others since 1977. PGP: 4BD6C0CB | _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"