Michael Grimm
2016-Oct-13 18:32 UTC
FreeBSD 11 : running blacklistd needed for 520.pfdenied?
Hi -

On 15.08.2016, at 19:01, Michael Grimm <trashcan at ellael.org> wrote:

> I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing those parts in my daily security report regarding pf, e.g.:
>
> example.private pf denied packets:
> +block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
> +block drop in log quick on ix0 from <blacklisted> to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
> +block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]
>
> I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):
>
> TMP=`mktemp -t security`
> touch ${TMP}
> for _a in "" blacklistd
> do
> 	pfctl -a ${_a} -sr -v -z 2>/dev/null | \
> 	nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
> done

Well, one needs to add the "old" functionality of 10.3-STABLE's /etc/periodic/security/520.pfdenied to get those lines to reappear. The new script in 11-STABLE (and presumably 11-RELEASE) assumes a running blacklistd, which isn't necessarily the case in every installation running pf firewalls.

Patch:

++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNIP ++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- 520.pfdenied	2016-08-15 18:59:11.532831000 +0200
+++ 520.pfdenied.new	2016-10-13 20:03:28.891362000 +0200
@@ -50,6 +50,8 @@
 	pfctl -a ${_a} -sr -v -z 2>/dev/null | \
 	nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
 done
+	pfctl -sr -v 2>/dev/null | \
+	nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
 if [ -s ${TMP} ]; then
 	check_diff new_only pf ${TMP} "${host} pf denied packets:"
 fi
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNAP ++++++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Michael
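Review bot: the two added `pfctl -sr -v` lines leave out the `-z` that the loop directly above passes, so the main ruleset's counters are read but never zeroed; the packet counts in the report will then be cumulative since the ruleset was last loaded or zeroed rather than the day's delta the loop produces, and every line will differ from the previous day's and show up as "new". Suggest `pfctl -sr -v -z 2>/dev/null | \` to match the loop. The nawk program is also now duplicated verbatim; putting it in a shell function or variable would keep the two invocations in step, and a one-line comment on why the `-a ""` iteration does not already cover the main ruleset would help the next reader.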
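The filter step at the heart of 520.pfdenied, run over a constructed sample of `pfctl -sr -v` output so the rule/counter pairing and the "Packets > 0" selection can be checked offline. This is an added example, not code from the post or from FreeBSD's periodic scripts; it uses `awk` rather than `nawk`, and the sample ruleset listing (rule names, counters, the `[ Inserted: ... ]` lines) is constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post or of FreeBSD's 520.pfdenied.
# Reproduces the awk filter the periodic script applies to `pfctl -sr -v`.

# Constructed sample of a verbose ruleset listing: each rule line is
# followed by its counter lines. Only "block" rules with Packets > 0
# should end up in the report; the pass rule and the rfc1918 rule
# (zero packets) must be dropped.
SAMPLE_PFCTL_OUTPUT='block drop in on ix0 all
  [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
  [ Inserted: uid 0 pid 100 State Creations: 0 ]
pass in quick on lo0 all flags S/SA keep state
  [ Evaluations: 500 Packets: 400 Bytes: 40000 States: 2 ]
  [ Inserted: uid 0 pid 100 State Creations: 2 ]
block drop in log quick on ix0 from <blacklisted> to any
  [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
  [ Inserted: uid 0 pid 100 State Creations: 0 ]
block drop quick on ix0 from any to <rfc1918>
  [ Evaluations: 790740 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 100 State Creations: 0 ]'

# pf_denied_rules: read a verbose ruleset listing on stdin and print every
# "block" rule that matched at least one packet, with its counter line
# appended on the same line (the form the daily report shows).
pf_denied_rules() {
    awk '{
        if (/^block/) {
            buf = $0            # the rule text itself
            getline             # next line: "[ Evaluations: N Packets: N ... ]"
            gsub(" +", " ", $0) # collapse space runs so the fields are stable
            if ($5 > 0)         # $5 is the Packets counter
                print buf $0
        }
    }'
}

# pf_denied_report: the report body as 520.pfdenied would hand to check_diff.
pf_denied_report() {
    printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | pf_denied_rules
}

# pf_denied_count: number of rules selected from the sample (expected: 2).
pf_denied_count() {
    pf_denied_report | wc -l | tr -d ' '
}

pf_denied_report
```

Feeding the real listing instead of the sample is just `pfctl -sr -v | pf_denied_rules`; note that the periodic script also passes `-z`, which zeroes the counters after they are read so that each day's report carries only that day's denied packets.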