From: John Lange <john.lange@bighostbox.com>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-develop <netfilter-devel@lists.netfilter.org>
Subject: Re: --log-uid target?
Date: Wed, 03 Nov 2004 20:31:57 -0600
Message-ID: <1099535517.26577.586.camel@ws102.darkcore.net>
In-Reply-To: <41898F60.8080004@trash.net>

Actually, Martin supplied me with the old patch from 2002 which I
modified to work with 2.6.9 and I sent them back to him for review.

I have been using it on 2 production systems since the weekend and so
far everything seems good.

There is one problem though. I have this line in my firewall
script:

/usr/local/sbin/iptables -A OUTPUT -p tcp --dport 25 -j LOG --log-prefix "SMTP " --log-uid

A great deal of packets are being logged with NO UID as follows:

Nov  3 20:16:50 venus kernel: SMTP IN= OUT=eth0 SRC=209.xxx.xxx.xxx
DST=203.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8368 DF
PROTO=TCP SPT=39737 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

The target does in fact work at least some of the time because there are
also plenty of packets logged like this:

Nov  3 20:25:45 venus kernel: SMTP IN= OUT=eth0 SRC=209.xxx.xxx.xxx
DST=64..xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7784 DF
PROTO=TCP SPT=39780 DPT=25 WINDOW=1460 RES=0x00 ACK URGP=0 UID=500 

UID=500 is what I expect since that's my SMTP server uid.

Under what situations could an outgoing packet be logged without a UID?
Something must own this packet?

The reason I need this patch is because I'm concerned someone might be
operating a spam relay on their account but I have no way of figuring
out who. I was hoping this would help me track it down.

Regards,
-- 
John Lange


On Wed, 2004-11-03 at 20:09, Patrick McHardy wrote:
> John Lange wrote:
> 
> >Way back in the archives from 2002 I see a patch to add support for
> >logging of the userid.
> >
> >Searching high and low and can't find any other reference to this
> >feature and it does not appear to be in the current iptables or
> >patch-o-matic downloads.
> >
> >Did this ever get implemented? How do you use it?
> >
> Just Martin's patch from 2002.
> 
> >
> >I tried -j LOG --log-uid but it gives an error.
> >
> >I'm blocking out-bound packets to port 25 to prevent local users from
> >spamming. However, I'd like to who it is that is attempting to spam and
> >also be able to watch the logs to make sure legitimate processes are
> >able to send mail.
> >
> Sounds like a useful addition. Martin, any reason why this patch was
> never merged ?
> 
> Regards
> Patrick
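Added example, not part of the thread: a small parser for kernel LOG lines in the format John quotes above, which tallies outbound port-25 packets per UID and separates out the entries logged with no UID at all (the situation he asks about). The sample log text is constructed from the two lines in the message plus one extra SYN line; the regex, function names and the "no owning socket" interpretation of the bare RST are assumptions of this example, not statements from the thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two lines quoted in the message
# (addresses anonymised as in the original); the third line is invented.
SAMPLE_LOG = """\
Nov  3 20:16:50 venus kernel: SMTP IN= OUT=eth0 SRC=209.xxx.xxx.xxx DST=203.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8368 DF PROTO=TCP SPT=39737 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Nov  3 20:25:45 venus kernel: SMTP IN= OUT=eth0 SRC=209.xxx.xxx.xxx DST=64.xxx.xxx.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=7784 DF PROTO=TCP SPT=39780 DPT=25 WINDOW=1460 RES=0x00 ACK URGP=0 UID=500
Nov  3 20:26:01 venus kernel: SMTP IN= OUT=eth0 SRC=209.xxx.xxx.xxx DST=64.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7790 DF PROTO=TCP SPT=39781 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1003
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_log_line(line):
    """Split a netfilter LOG line into its --log-prefix and a dict of fields.
    key=value tokens become entries; bare tokens (DF, SYN, RST, ...) map to True."""
    m = re.search(r"kernel: (.*?)(?=\bIN=)(.*)$", line)
    if not m:
        return None                      # not a netfilter LOG line
    fields = {"PREFIX": m.group(1).strip()}
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v                # "IN=" yields an empty string
        else:
            fields[tok] = True
    return fields

def summarise_smtp(log_text, dport="25"):
    """Return (packets per UID, connection attempts per UID, packets with no UID).
    A connection attempt is a SYN without ACK. Entries lacking UID are kept with
    their source port and flags; a bare RST (assumption of this example) is the
    shape of a kernel-generated reset that belongs to no user socket."""
    per_uid, syn_per_uid, no_uid = Counter(), Counter(), []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != dport:
            continue
        flags = sorted(k for k in f if k in TCP_FLAGS)
        if "UID" in f:
            per_uid[f["UID"]] += 1
            if "SYN" in f and "ACK" not in f:
                syn_per_uid[f["UID"]] += 1
        else:
            no_uid.append((f.get("SRC"), f.get("SPT"), flags))
    return per_uid, syn_per_uid, no_uid

if __name__ == "__main__":
    pkts, conns, orphans = summarise_smtp(SAMPLE_LOG)
    print("packets per UID:", dict(pkts))
    print("SYNs per UID:", dict(conns))
    print("no UID:", orphans)
```

Feed it `/var/log/messages` (or wherever klogd writes) to see which uid is opening the most port-25 connections, and to separate the kernel-only entries from those that name a user.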

Thread overview: 6+ messages
2004-10-30  4:07 --log-uid target? John Lange
2004-11-04  2:09 ` Patrick McHardy
2004-11-04  2:31   ` John Lange [this message]
2004-11-04  3:30     ` Patrick McHardy
2004-11-04  5:18       ` John Lange
2004-11-04 11:20         ` Henrik Nordstrom
