FreeBSD 11 : running blacklistd needed for 520.pfdenied?
Michael Grimm
trashcan at ellael.org
Mon Aug 15 17:01:44 UTC 2016
Hi —
I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing those parts in my daily security report regarding pf, e.g.:
example.private pf denied packets:
+block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
+block drop in log quick on ix0 from <blacklisted> to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
+block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]
I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):
TMP=`mktemp -t security`
touch ${TMP}
for _a in "" blacklistd
do
pfctl -a ${_a} -sr -v -z 2>/dev/null | \
nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
done
JFTR: This script *is* running daily (double-checked by entering debugging code).
Questions:
"blacklistd" in google found: https://reviews.freebsd.org/D5913
Does that mean that I do need to run the blacklistd daemon if I do want to re-activate 520.pfdenied reports?
If I am on the wrong track, where should I look instead?
Thanks in advance and regards,
Michael
More information about the freebsd-questions
mailing list