misc/126060: IPFW limit checking in nightly security scripts slightly botched
Ronald F. Guilmette
rfg at tristatelogic.com
Tue Jul 29 01:30:07 UTC 2008
>Number: 126060
>Category: misc
>Synopsis: IPFW limit checking in nightly security scripts slightly botched
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jul 29 01:30:06 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Ronald F. Guilmette
>Release: FreeBSD 6.3-RELEASE i386
>Organization:
Infinite Monkeys & Co. LLC
>Environment:
System: FreeBSD xxxxxxx.tristatelogic.com 6.3-RELEASE
>Description:
The following two scripts fail to correctly interpret sysctl IPFW
logging limits of "0" (i.e. "no limit") for IPv4 and IPv6 respectively:
/etc/periodic/security/550.ipfwlimit
/etc/periodic/security/650.ip6fwlimit
>How-To-Repeat:
Run the scripts noted above, or just wait for them to run automagically
at 3AM.
>Fix:
Trivial/obvious patches included below. *** WARNING *** Somebody
please check these for correct awk syntax. I don't do very much awk,
so I may have botched the fixes here. But I think I got them right.
*** etc/periodic/security/550.ipfwlimit- Tue Jan 15 16:33:31 2008
--- etc/periodic/security/550.ipfwlimit Mon Jul 28 18:04:08 2008
***************
*** 55,59 ****
{print $0}
} else {
! if ($2 > limit)
{print $0}}
}' > ${TMP}
--- 55,59 ----
{print $0}
} else {
! if ($2 > limit && limit != 0)
{print $0}}
}' > ${TMP}
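Review bot: the `limit != 0` guard is added only to the `else` branch (line 57 of the patched file), but the two lines of leading context, `{print $0}` / `} else {`, show a preceding branch that also prints matching rules, and its condition lies outside this hunk and is untouched; check whether that branch compares `$2` against `limit` as well, because if it does, a limit of 0 will still flag every rule it handles. Writing the guard first, `if (limit != 0 && $2 > limit)`, lets awk short-circuit and makes the intent (0 means unlimited) read before the counter comparison; using that one form in both scripts keeps them consistent.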
*** etc/periodic/security/650.ip6fwlimit- Tue Jan 15 16:33:31 2008
--- etc/periodic/security/650.ip6fwlimit Mon Jul 28 18:07:26 2008
***************
*** 49,53 ****
grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
awk -v limit="$IPFW_LOG_LIMIT" \
! '{if ($2 > limit) {print $0}}' > ${TMP}
if [ -s "${TMP}" ]; then
rc=1
--- 49,53 ----
grep '^[[:digit:]]\+[[:space:]]\+[[:digit:]]\+' | \
awk -v limit="$IPFW_LOG_LIMIT" \
! '{if ($2 > limit && limit != 0) {print $0}}' > ${TMP}
if [ -s "${TMP}" ]; then
rc=1
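Review bot: the added `limit != 0` term is evaluated after `$2 > limit` on every line; reversing the order, `if (limit != 0 && $2 > limit)`, short-circuits and states the rule ("unlimited means never report") up front. Since a limit of 0 means nothing can ever be printed, the `grep | awk` pipeline is pure overhead in that case; testing `"$IPFW_LOG_LIMIT"` in the shell before the pipe and leaving `${TMP}` empty would skip the listing altogether and avoid depending on awk's string/number coercion of `limit`. Unrelated to this change but visible in the context: `\+` in the grep pattern is a GNU extension, `\{1,\}` is the POSIX BRE equivalent.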
>Release-Note:
>Audit-Trail:
>Unformatted:
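To make the reported behaviour concrete, the following shell script (an added example, not part of PR 126060 or of FreeBSD's periodic scripts) runs the unpatched and patched awk conditions over constructed `ipfw -a list` style lines and counts how many rules each version would report for a given logging limit. The sample listing, rule numbers and counters are invented; the function names `old_filter`, `new_filter`, `count_old` and `count_new` are this example's own.

```shell
#!/bin/sh
# Added example, not part of PR 126060 or of FreeBSD's periodic scripts.
# It shows what the "limit != 0" guard from the patch changes, using
# constructed "ipfw -a list" style lines: field 1 is the rule number,
# field 2 the packet counter, field 3 the byte counter. In FreeBSD a
# logging limit of 0 (net.inet.ip.fw.verbose_limit) means "unlimited".

# Constructed sample listing; rule numbers and counters are invented.
SAMPLE='00100 12 1024 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 7 640 deny log ip from any to any
65535 3 210 deny ip from any to any'

# Keep only lines that start with two numeric fields, as the scripts do.
# \{1,\} is the POSIX spelling of the \+ used in 650.ip6fwlimit.
numeric_rules() {
    printf '%s\n' "$SAMPLE" |
        grep '^[[:digit:]]\{1,\}[[:space:]]\{1,\}[[:digit:]]\{1,\}'
}

# Unpatched test: every rule whose packet count exceeds the limit.
# With limit=0 this reports every rule that has ever matched a packet.
old_filter() {
    numeric_rules | awk -v limit="$1" '{ if ($2 > limit) print $0 }'
}

# Patched test: a limit of 0 is "unlimited", so nothing is reported.
new_filter() {
    numeric_rules | awk -v limit="$1" '{ if ($2 > limit && limit != 0) print $0 }'
}

# Number of rules the nightly check would complain about for a given limit.
count_old() { old_filter "$1" | wc -l | tr -d ' '; }
count_new() { new_filter "$1" | wc -l | tr -d ' '; }

# Side-by-side report for the two limits that matter: 0 and a real limit.
for lim in 0 10; do
    echo "limit=$lim: unpatched reports $(count_old "$lim") rule(s)," \
         "patched reports $(count_new "$lim")"
done
```

With the sample above, the unpatched condition reports three rules for a limit of 0 (every rule that ever matched a packet), while the patched one reports none; for a non-zero limit such as 10 both versions agree, which is the property the fix should preserve.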