From: "Ronald Klop"
To: "Chris H"
Cc: "FreeBSD Current"
Subject: Re: status-mail-rejects: appears to be broken
Date: Wed, 10 Jan 2018 22:22:15 +0100
List-Id: Discussions about the use of FreeBSD-current

On Mon, 08 Jan 2018 01:52:03 +0100, Chris H wrote:

> On Sun, 07 Jan 2018 14:13:01 +0100 "Ronald Klop" said
>
>> On Sun, 17 Dec 2017 20:50:23 +0100, Chris H wrote:
>> > I'm running on r326056, and periodic(8) doesn't seem to be working
>> > as expected;
>> > mail rejects:
>> >
>> > Checking for rejected mail hosts:
>> > usage: fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]
>> >        [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]
>> >        [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]
>> >        [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]
>> >        [-o file] [--referer=URL] [-S bytes] [-T seconds]
>> >        [--user-agent=agent-string] [-w seconds] URL ...
>> >        fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]
>> >        [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]
>> >        [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]
>> >        [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]
>> >        [-o file] [--referer=URL] [-S bytes] [-T seconds]
>> >        [--user-agent=agent-string] [-w seconds] -h host -f file [-c dir]
>> >
>> > Also, 520.pfdenied doesn't produce any output. In fact, it doesn't appear
>> > to be run at all.
>> >
>> > Any thoughts, or advice on how to best proceed?
>> >
>> > Thanks!
>> >
>> > --Chris
>> This looks the same as what I experienced. It will be fixed by
>> upgrading until at least this commit:
>> http://www.secnetix.de/olli/FreeBSD/svnews/index.py?r=326343
> It appears that you indicate anything past, or including r326343
> resolves this

Indeed. That resolves the error about 'fetch'. Which came from the ntpd
leaptime file update periodic script in my case.

> I'll look into it.
> But FWIW I was able to get etc/periodic/security/520.pfdenied output working
> with the following diff(1):

I don't use pf, so I can't comment on this. I hope somebody else can, but I
guess it will attract more eyes if you repost with a subject about
520.pfdenied or something similar.

Regards,
Ronald.

> --- /etc/periodic/security/520.pfdenied.orig 2017-11-21 > 06:57:04.000000000 -0800 > +++ /etc/periodic/security/520.pfdenied 2017-03-29 16:22:50.000000000 > -0700 > @@ -24,7 +24,7 @@ > # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF > # SUCH DAMAGE. > # > -# $FreeBSD: head/etc/periodic/security/520.pfdenied 306696 2016-10-04 > 23:12:35Z lidl $ > +# $FreeBSD: head/etc/periodic/security/520.pfdenied 290405 2015-11-05 > 17:37:14Z lidl $ > # > # If there is a global system configuration file, suck it in. > @@ -44,13 +44,8 @@ > if check_yesno_period security_status_pfdenied_enable > then > TMP=`mktemp -t security` > - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null) > - do > - pfctl -a ${_a} -sr -v -z 2>/dev/null | \ > - nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) > print buf$0;} }' >> ${TMP} > - done > - if [ -s ${TMP} ]; then > - check_diff new_only pf ${TMP} "${host} pf denied packets:" > + if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; > gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then > + check_diff new_only pf ${TMP} "${host} pf denied packets:" > fi > rc=$? > rm -f ${TMP}
>
> Thanks for taking the time to reply, Ronald!
>> Ronald.
>> > --Chris
>
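
Review bot: the $FreeBSD$ ident in the @@ -24,7 +24,7 @@ hunk moves backwards, from 306696 (2016-10-04) to 290405 (2015-11-05), and the +++ file carries an earlier timestamp than the .orig, so this patch restores an older revision of the script rather than modifying the current one. The ident line is expanded by the version control system and should be left out of a proposed change, and the submission should say that it is a revert, so reviewers know that everything the second hunk removes was added between those two revisions.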
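
Review bot: the @@ -44,13 +44,8 @@ hunk removes the loop over the anchors returned by `pfctl -a "blacklistd" -sA`, so block rules inside blacklistd anchors are no longer reported. It also drops `-z`, the `if ($5 > 0)` filter and the `[ -s ${TMP} ]` test: counters are no longer reset between runs, rules with a zero count are printed as well, and check_diff runs even when nothing matched, because the new `if` only tests the exit status of the last command in the pipeline (nawk). The missing output more likely comes from the removed lines themselves: on the first iteration of `for _a in ""`, the unquoted `pfctl -a ${_a} -sr` expands to nothing after `-a`, so `-a` takes `-sr` as its anchor name. Quoting it as `pfctl -a "${_a}" -sr -v -z` would keep the anchor coverage and the filters.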