Date:      Thu, 13 Oct 2016 20:32:02 +0200
From:      Michael Grimm <trashcan@ellael.org>
To:        freebsd-questions@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: FreeBSD 11 : running blacklistd needed for 520.pfdenied?
Message-ID:  <3EF5E845-A3D9-4802-B9DD-A788CB09197C@ellael.org>
In-Reply-To: <EB01CDFF-8015-4117-AA2F-90D870DE5522@ellael.org>
References:  <EB01CDFF-8015-4117-AA2F-90D870DE5522@ellael.org>

Hi -

On 15.08.2016, at 19:01, Michael Grimm <trashcan@ellael.org> wrote:

> I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing those parts in my daily security report regarding pf, e.g.:
> 
> 	example.private pf denied packets:
> 	+block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
> 	+block drop in log quick on ix0 from <blacklisted> to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
> 	+block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]
> 
> I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):
> 
> 	TMP=`mktemp -t security`
> 	touch ${TMP}
> 	for _a in "" blacklistd
> 	do
> 		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
> 		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
> 	done

Well, one needs to add the "old" functionality of 10.3-STABLE's /etc/periodic/security/520.pfdenied to get those lines to reappear. The new script in 11-STABLE (and presumably 11-RELEASE) assumes a running blacklistd, which isn't necessarily the case in every installation running pf firewalls.

Patch:
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNIP ++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- 520.pfdenied	2016-08-15 18:59:11.532831000 +0200
+++ 520.pfdenied.new	2016-10-13 20:03:28.891362000 +0200
@@ -50,6 +50,8 @@
 		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
 		nawk '{if (/^block/) {buf=3D$0; getline; gsub(" +"," =
",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
 	done
+	pfctl -sr -v 2>/dev/null | \
+	nawk '{if (/^block/) {buf=3D$0; getline; gsub(" +"," ",$0); if =
($5 > 0) print buf$0;} }' >> ${TMP}
 	if [ -s ${TMP} ]; then
 		check_diff new_only pf ${TMP} "${host} pf denied =
packets:"
 	fi
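Review bot: the added `pfctl -sr -v 2>/dev/null | \` drops the `-z` that the loop's `pfctl -a ${_a} -sr -v -z` uses, so the main-ruleset counters are never reset and the daily report will show cumulative totals instead of that day's dropped packets; `pfctl -sr -v -z 2>/dev/null | \` keeps the old per-day behaviour. It is also worth asking why the loop's first iteration produces nothing in the first place: `${_a}` is unquoted, so with `_a=""` the command expands to `pfctl -a -sr -v -z` and `-sr` is consumed as the anchor name. Quoting it as `pfctl -a "${_a}" -sr -v -z` would most likely restore the main-ruleset output and make the duplicated nawk pipeline unnecessary.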
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNAP ++++++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Michael
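As an added example, not code from this mail or from FreeBSD's 520.pfdenied: the rule/counter filter the periodic script feeds to check_diff, written as a function that reads `pfctl -sr -v` style output on stdin so the parsing can be exercised on a constructed sample without a running pf. It uses awk instead of nawk for portability and assumes the verbose output layout shown in the quoted report above.

```shell
#!/bin/sh
# Added example (not part of the original mail or of FreeBSD's periodic script).
# pfctl -sr -v prints each rule followed by an indented counter line:
#   [ Evaluations: N Packets: N Bytes: N States: N ]
# Once runs of spaces are collapsed, field 5 of that line is the packet count.

# Print every "block" rule whose counter line shows Packets > 0, with the
# counters appended to the rule text, exactly as the daily report lists them.
pf_denied_filter() {
    awk '{
        if (/^block/) {
            buf = $0              # remember the rule text
            getline               # read the counter line that follows it
            gsub(" +", " ", $0)   # collapse whitespace so $5 is the Packets value
            if ($5 > 0) print buf $0
        }
    }'
}

# Number of rules the filter reports, for quick checks of the parsing.
pf_denied_count() {
    pf_denied_filter | grep -c .
}

# Constructed sample of pfctl -sr -v output (counter values invented for the demo).
SAMPLE_PF_RULES='pass in all flags S/SA keep state
  [ Evaluations: 40 Packets: 40 Bytes: 2000 States: 1 ]
block drop in on ix0 all
  [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
block drop in log quick on ix0 from <blacklisted> to any
  [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
block drop quick on ix0 from any to <rfc1918>
  [ Evaluations: 790740 Packets: 0 Bytes: 0 States: 0 ]'

# Stand-alone run: the pass rule and the block rule with zero packets are
# skipped, so only the two block rules that actually dropped traffic print.
printf '%s\n' "$SAMPLE_PF_RULES" | pf_denied_filter
```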