Hi -

On 15.08.2016, at 19:01, Michael Grimm <trash...@ellael.org> wrote:

> I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing 
> those parts in my daily security report regarding pf, e.g.:
> 
>       example.private pf denied packets:
>       +block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 
> Bytes: 7477681 States: 0 ]
>       +block drop in log quick on ix0 from <blacklisted> to any [ 
> Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
>       +block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 
> Packets: 873 Bytes: 295032 States: 0 ]
> 
> I do believe that those lines should be generated by 
> /etc/periodic/security/520.pfdenied (stripped to the relevant part):
> 
>       TMP=`mktemp -t security` 
>       touch ${TMP} 
>       for _a in "" blacklistd 
>       do 
>               pfctl -a ${_a} -sr -v -z 2>/dev/null | \ 
>               nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if 
> ($5 > 0) print buf$0;} }' >> ${TMP} 
>       done 

Well, one needs to add the "old" functionality of 10.3-STABLE's 
/etc/periodic/security/520.pfdenied to get those lines to reappear. The new 
script in 11-STABLE (and presumably 11-RELEASE) assumes a running blacklistd, 
which isn't necessarily the case in every installation running pf firewalls.

Patch:
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNIP 
++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- 520.pfdenied        2016-08-15 18:59:11.532831000 +0200
+++ 520.pfdenied.new    2016-10-13 20:03:28.891362000 +0200
@@ -50,6 +50,8 @@
                pfctl -a ${_a} -sr -v -z 2>/dev/null | \
                nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if 
($5 > 0) print buf$0;} }' >> ${TMP}
        done
+       pfctl -sr -v 2>/dev/null | \
+       nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) 
print buf$0;} }' >> ${TMP}
        if [ -s ${TMP} ]; then
                check_diff new_only pf ${TMP} "${host} pf denied packets:"
        fi
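Review bot: The added `pfctl -sr -v` call (the two `+` lines after `done`) omits the `-z` that the loop's call just above passes, so the main ruleset's counters are never reset and any block rule that has ever dropped a packet will keep matching `$5 > 0` on later runs even when nothing new was denied; add `-z` here, or say in a comment why the counters are left cumulative. The addition also repeats the whole nawk filter a second time. The loop in the quoted script already iterates over an empty anchor name (`for _a in "" blacklistd`), but because `${_a}` is unquoted the empty value disappears and `-a` is left to take `-sr` as its argument, so it may be cleaner to fix that iteration (for example by passing `-a` only when `_a` is non-empty) than to append a second pipeline.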
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNAP 
++++++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Michael
