On Mon, Jan 01, 2001 at 05:24:09PM -0600, Bill Fumerola wrote:
>> Are people actually using uid type rules heavily? I'm having trouble matching
>> the packets generated by programs like Apache and ProFTPD. I believe that may
>> be because of root binding the ports these programs use before they setuid() or
>> something, I'm not sure. Particularly I have trouble matching the packets of
>> active FTP, since I have random ports on both ends to deal with and can't match
>> them by port either. Does anyone have a solution to this?
> sockstat is your friend, look at the 'user' that is defined per program,
> that's who is going to be charged for packets on that socket.
Nope, doesn't seem to work. Sockstat says:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
ftp      proftpd  75182    0 tcp4   10.0.0.8:21      192.168.0.34:4955
ftp      proftpd  75182    1 tcp4   10.0.0.8:21      192.168.0.34:4955
ftp      proftpd  75182   12 tcp4   10.0.0.8:478     192.168.0.34:4959
ftp      proftpd  75182   13 tcp4   10.0.0.8:478     192.168.0.34:4959
nobody   proftpd  68820    0 tcp4   *:21             *:*

Then I add a rule to see if I can count the packets while the above mentioned
session is kept alive:

# ipfw add 00010 count all from any to any uid ftp

And ipfw show shows that the rule doesn't intercept any packets:

00010 0 0 count ip from any to any uid ftp

FYI I am running 4.1.1-STABLE as of Tue Oct 24 01:25:55 CEST 2000, and top(1)
shows all proftpd processes as being owned by root.

Regards,
--
Anders.