Re: FreeBSD 11 : running blacklistd needed for 520.pfdenied?


Michael Grimm

Oct 13, 2016, 2:32:36 PM
to freebsd-...@freebsd.org, freebsd...@freebsd.org
Hi -

On 15.08.2016, at 19:01, Michael Grimm <tras...@ellael.org> wrote:

> I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing those parts in my daily security report regarding pf, e.g.:
>
> example.private pf denied packets:
> +block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
> +block drop in log quick on ix0 from <blacklisted> to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
> +block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]
>
> I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):
>
> TMP=`mktemp -t security`
> touch ${TMP}
> for _a in "" blacklistd
> do
> pfctl -a ${_a} -sr -v -z 2>/dev/null | \
> nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
> done

Well, one needs to add the "old" functionality of 10.3-STABLE's /etc/periodic/security/520.pfdenied to get those lines to reappear. The new script in 11-STABLE (and presumably 11-RELEASE) assumes a running blacklistd, which isn't necessarily the case in every installation running pf firewalls.

Patch:
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNIP ++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- 520.pfdenied 2016-08-15 18:59:11.532831000 +0200
+++ 520.pfdenied.new 2016-10-13 20:03:28.891362000 +0200
@@ -50,6 +50,8 @@
pfctl -a ${_a} -sr -v -z 2>/dev/null | \
nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
done
+ pfctl -sr -v 2>/dev/null | \
+ nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
if [ -s ${TMP} ]; then
check_diff new_only pf ${TMP} "${host} pf denied packets:"
fi
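Review bot: the root cause looks like the unquoted `${_a}` in the loop's `pfctl -a ${_a} -sr -v -z`, not a missing extra invocation: on the `""` iteration the shell drops the empty word entirely, so pfctl is called as `pfctl -a -sr -v -z`, takes `-sr` as the anchor name and never receives a `-s r` to list the main ruleset (and `2>/dev/null` hides whatever it complains about). Quoting it, `pfctl -a "${_a}" -sr -v -z`, should let the existing loop cover both the main ruleset and the `blacklistd` anchor, provided pfctl treats an empty `-a` argument as the main ruleset. If the added unconditional `pfctl -sr -v` is kept instead, it should carry `-z` like the loop does: as written the anchor's counters are zeroed on every run while the main ruleset's are cumulative, so the two halves of the report mean different things and `if ($5 > 0)` will match every main-ruleset block rule that has seen a packet since the ruleset was last loaded or its counters last cleared. The copied nawk pipeline should also be factored into one place rather than duplicated.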
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNAP ++++++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Michael

_______________________________________________
freebsd...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stabl...@freebsd.org"
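As an added example (not code from the post above or from FreeBSD's periodic scripts), the following POSIX shell script reproduces the 520.pfdenied filter over constructed `pfctl -sr -v` output and, with a hypothetical `fake_pfctl` that only mimics pfctl's option parsing, shows what the empty-anchor iteration of the script's loop actually passes to pfctl. The counter values, the `fake_pfctl` stand-in and the function names are assumptions for illustration, not real output or real pfctl behaviour.

```shell
#!/bin/sh
# Added example; not taken from the post or from FreeBSD's 520.pfdenied.
# Part 1 reproduces the script's awk filter over constructed `pfctl -sr -v`
# output. Part 2 shows, with a hypothetical stand-in for pfctl, why an
# unquoted empty ${_a} in `pfctl -a ${_a} -sr -v -z` lists nothing.

# Constructed `pfctl -sr -v` output: each rule is followed by an indented
# counter line. The numbers are made up, not captured from a real host.
SAMPLE_RULES='pass in quick on ix0 proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 500 Packets: 120 Bytes: 8000 States: 3 ]
block drop in on ix0 all
  [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
block drop in log quick on ix0 from <blacklisted> to any
  [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
block drop quick on ix0 from any to <rfc1918>
  [ Evaluations: 790740 Packets: 0 Bytes: 0 States: 0 ]'

# The filter from 520.pfdenied (awk instead of nawk so it runs outside
# FreeBSD): for every "block" rule, fetch the next line, squeeze the
# whitespace and keep the rule only if field 5 (the Packets count) is > 0.
pf_denied() {
    awk '{
        if (/^block/) {
            buf = $0
            getline
            gsub(" +", " ", $0)
            if ($5 > 0) print buf $0
        }
    }'
}

# Number of block rules reported for the sample (two have Packets > 0).
denied_count() {
    printf '%s\n' "$SAMPLE_RULES" | pf_denied | awk 'END { print NR }'
}

# First reported line, in the "<rule> [ counters ]" form the daily mail shows.
first_denied() {
    printf '%s\n' "$SAMPLE_RULES" | pf_denied | awk 'NR == 1'
}

# Hypothetical stand-in for pfctl's option parsing: like getopt, the word
# after -a is always taken as the anchor name, even when it starts with '-'.
fake_pfctl() {
    anchor=''
    show=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -a) anchor="$2"; shift 2 ;;
            -sr) show='rules'; shift ;;
            *) shift ;;
        esac
    done
    printf 'anchor=<%s> show=<%s>\n' "$anchor" "$show"
}

# Unquoted: the empty word vanishes and "-sr" becomes the anchor name, so
# no ruleset is listed at all.
invoke_unquoted() {
    _a=''
    fake_pfctl -a ${_a} -sr -v -z
}

# Quoted: the empty string survives as its own argument and -sr is seen.
invoke_quoted() {
    _a=''
    fake_pfctl -a "${_a}" -sr -v -z
}

invoke_unquoted   # anchor=<-sr> show=<>
invoke_quoted     # anchor=<> show=<rules>
```

The quoting difference is the whole story: with `"${_a}"` the first loop iteration asks pfctl for the main ruleset and the second for the `blacklistd` anchor, so no separate unconditional `pfctl -sr -v` call is needed, and both halves of the report keep the same `-z` semantics.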