On Mon, 8 Sep 2008, Dan Nelson wrote:

> In the last episode (Sep 08), Dan Mahoney, System Admin said:
> > I have the following rule set up in ipfw to limit the exposure of bad
> > php scripts and trojans that try to send mail directly.
> >
> > allow tcp from any to any dst-port 25 uid root
> > deny log tcp from any to any dst-port 25 out
> >
> > However, the log messages I get look like this:
> >
> > Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0
> > Sep  8 13:21:16 <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0
> >
> > Which is to say, they don't include the UID -- and I have several hundred
> > sites, each with its own UID.
> >
> > Yes, I could go ahead and set up a thousand "deny" rules, one for
> > each UID -- but being able to log this info (since it IS being
> > checked) would be great.
>
> It should be possible to add a couple more arguments to ipfw_log() so
> that ipfw_chk() can pass it the ugid_lookup flag and a pointer to the
> fw_ugid_cache struct.  Then you can edit ipfw_log to print the contents
> of that struct if ugid_lookup==1.  That would result in the logging of
> uid for any failed packet that had to go through a uid check on the way
> to the deny rule.

Okay, so if it's fairly easy to do, the question would be: "since I don't feel right hacking in this change myself -- how could I propose this as a feature?" It's not a BUG per se, but I think it could be useful to others as well.

-Dan

--

Pika Pika Pika!

-Pikachu, of Pokemon fame.

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
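Added example, not part of the thread and not FreeBSD or Dan Nelson's kernel change: until ipfw_log() prints the uid, the "one deny rule per UID" workaround Dan mentions can be made useful by encoding the uid in the rule number, which the existing "ipfw: <rule> Deny ..." log line already records. The script below generates such a ruleset from passwd-format data and decodes the resulting log lines back to a uid and user name. The base rule number 10000, the catch-all rule 65000, the uid >= 1000 cutoff and the passwd entries are all assumptions made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD code): encode the uid in the
# ipfw rule number so that the "ipfw: <rule> Deny ..." line ipfw already logs
# identifies the user, and decode such lines back to a uid.
#
# Assumptions for illustration: site accounts have uid >= 1000, per-uid deny
# rules live at BASE + uid, and one catch-all deny at CATCHALL keeps the
# original behaviour for any uid that did not get its own rule.
BASE=10000
CATCHALL=65000      # user rules must stay below ipfw's default rule 65535

# Constructed passwd data standing in for /etc/passwd (not real accounts).
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
site001:*:1001:1001:Site 001:/home/site001:/usr/sbin/nologin
site002:*:1002:1002:Site 002:/home/site002:/usr/sbin/nologin
site777:*:1777:1777:Site 777:/home/site777:/usr/sbin/nologin
huge:*:60000:60000:Too high for a per-uid rule:/home/huge:/usr/sbin/nologin'

# gen_rules PASSWD_TEXT MIN_UID: print the ipfw(8) commands.  ipfw matches in
# rule-number order, so the root allow at BASE is checked before every deny
# and the catch-all at CATCHALL is checked last.
gen_rules() {
    printf 'ipfw add %d allow tcp from any to any dst-port 25 uid root\n' "$BASE"
    printf '%s\n' "$1" | awk -F: -v base="$BASE" -v catchall="$CATCHALL" -v min="$2" '
        $3 >= min {
            rule = base + $3
            if (rule >= catchall) {
                # This uid would sort after the catch-all, so it stays anonymous.
                printf("# uid %d (%s) gets no rule: %d is not below %d\n", $3, $1, rule, catchall) > "/dev/stderr"
                next
            }
            printf "ipfw add %d deny log tcp from any to any dst-port 25 out uid %s\n", rule, $1
        }'
    printf 'ipfw add %d deny log tcp from any to any dst-port 25 out\n' "$CATCHALL"
}

# uid_from_log PASSWD_TEXT: read ipfw deny lines on stdin and print the uid,
# user name and endpoints recovered from the rule number.
uid_from_log() {
    awk -v base="$BASE" -v catchall="$CATCHALL" -v pw="$1" '
        BEGIN {
            # Build a uid -> name map from the passwd text.
            n = split(pw, lines, "\n")
            for (k = 1; k <= n; k++) { split(lines[k], f, ":"); name[f[3]] = f[1] }
        }
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i + 1) + 0
            if (rule < base || rule >= catchall) {
                who = "uid=? (rule " rule " carries no uid)"
            } else {
                uid = rule - base
                u = (uid in name) ? name[uid] : "?"
                who = "uid=" uid " user=" u
            }
            # Log layout: ipfw: <rule> Deny <proto> <src>:<port> <dst>:<port> ...
            printf "%s proto=%s src=%s dst=%s\n", who, $(i + 3), $(i + 4), $(i + 5)
        }'
}

# Stand-alone demonstration on the constructed data and two constructed log
# lines in the format quoted in the thread.
gen_rules "$SAMPLE_PASSWD" 1000
printf '%s\n' \
  'Sep  8 13:21:11 <security.info> prime kernel: ipfw: 11777 Deny TCP 72.9.101.130:58117 209.85.133.114:25 out via em0' \
  'Sep  8 13:21:16 <security.info> prime kernel: ipfw: 65000 Deny TCP 72.9.101.130:56672 202.12.31.144:25 out via em0' \
  | uid_from_log "$SAMPLE_PASSWD"
```

On a real host, `gen_rules "$(cat /etc/passwd)" 1000 | sh` loads the rules (ipfw resolves the user names when the rule is added), and `uid_from_log "$(cat /etc/passwd)" < /var/log/security` turns the deny lines back into uids. The limit of the trick is the rule-number space: any uid at or above CATCHALL - BASE falls through to the catch-all rule and is logged without a uid, which the generator reports on stderr so the gap is visible rather than silent.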
