On a rather full customer web server, I am trying to track down whose web site script is trying to make outbound network connections when they should not be. In /etc/security/audit_control, I added to the flags line dir:/var/audit flags:lo,aa,-nt minfree:5 to log failed network connection. When I try an make an outbound connection to something that is blocked in pf, it seems to sometimes work. eg. from the command line, if I manually try via telnet 8.8.8.8 25 pf shows 17:03:23.572682 rule 433/0(match): block out on em0: 64.7.x.x.17017 > 8.8.8.8.25: Flags [S], seq 1420411574, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177061484 ecr 0], length 0 and praudit records it as expected including the userid who tried to do it. header,79,11,connect(2),0,Sun Jan 6 17:06:04 2013, + 439 msec,argument,1,0x3,fd,subject,tw,tw,tw,tw,tw,54100,54064,13556,64.7.yy.yy,return,failure : Operation not permitted,4294967295,trailer,79, But if I make a simple php script to try and connect out, again, pflog0 blocks it and logs it, but it does not show up in the audit logs 17:07:46.518501 rule 433/0(match): block out on em0: 64.7.xx.xx.36528 > 8.8.8.8.25: Flags [S], seq 1724105073, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 177324430 ecr 0], length 0 Any idea what I am missing ? This is a RELENG_8 box from this week. ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"