IPFW uid logging...

Daan Vreeken Daan at vehosting.nl
Tue Sep 9 07:58:52 UTC 2008


On Tuesday 09 September 2008 06:50:37 Dan Nelson wrote:
> In the last episode (Sep 09), Daan Vreeken said:
> > On Monday 08 September 2008 22:03:29 Dan Mahoney, System Admin wrote:
> > > On Mon, 8 Sep 2008, Dan Nelson wrote:
> > > > In the last episode (Sep 08), Dan Mahoney, System Admin said:
> > > >> I have the following rule set up in ipfw to limit the exposure
> > > >> of bad php scripts and trojans that try to send mail directly.
> > > >>
> > > >> allow tcp from any to any dst-port 25 uid root
> > > >> deny log tcp from any to any dst-port 25 out
> > > >>
> > > >> However, the log messages I get look like this:
> > > >>
> > > >> Sep  8 13:21:11 <security.info> prime kernel: ipfw: 610 Deny TCP
> > > >> 72.9.101.130:58117 209.85.133.114:25 out via em0 Sep  8 13:21:16
> > > >> <security.info> prime kernel: ipfw: 610 Deny TCP 72.9.101.130:56672
> > > >> 202.12.31.144:25 out via em0
> > > >>
> > > >> Which is to say, they don't include the UID -- and I have
> > > >> several hundred sites, each with its own UID.
> > > >>
> > > >> Yes, I could go ahead and set up a thousand "deny" rules, one
> > > >> for each UID -- but being able to log this info (since it IS
> > > >> being checked) would be great.
> > > >
> > > > It should be possible to add a couple more arguments to
> > > > ipfw_log() so that ipfw_chk() can pass it the ugid_lookup flag
> > > > and a pointer to the fw_ugid_cache struct.  Then you can edit
> > > > ipfw_log to print the contents of that struct if ugid_lookup==1.
> > > > That would result in the logging of uid for any failed packet
> > > > that had to go through a uid check on the way to the deny rule.
> > >
> > > Okay, so if it's fairly easy to do, the question would be "since I
> > > don't feel right hacking in this change myself -- how could I
> > > propose this as a feature?" It's not a BUG per-se, but I think it
> > > could be useful to others as well.
> >
> > Hi Dan, Dan and the list,
> >
> > I own a webhosting company and here too every domain gets it's own
> > user, so I like this proposal. I've hacked together a first try,
> > which seems to be working. A patch (against -HEAD) can be found here:
> >
> > http://vehosting.nl/pub_diffs/ip_fw2.c_uid_2008_09_09.diff
> >
> > Improvements / tips / comments are welcome ;-)
>
> I like it.  Maybe print gid as well, since there's an ipfw rule for
> that too.

I intentionally left printing the gid out, since a user can be in up to 
NGROUPS_MAX groups.
We could of course only show the one gid that matched...
The following (only compile-tested) patch tries to implement that :

http://vehosting.nl/pub_diffs/ip_fw2.c_uid_2008_09_09_2.diff

I'm not really sure which patch I liked best. The first patch missed a check 
against (ugid_lookup == -1) though.

-- 
Daan Vreeken
VEHosting
http://VEHosting.nl
tel: +31-(0)40-7113050 / +31-(0)6-46210825
KvK nr: 17174380


More information about the freebsd-hackers mailing list