FreeBSD 11 : running blacklistd needed for 520.pfdenied?

Michael Grimm trashcan at ellael.org
Mon Aug 15 17:01:44 UTC 2016


Hi —

I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing those parts in my daily security report regarding pf, e.g.:

	example.private pf denied packets:
	+block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
	+block drop in log quick on ix0 from <blacklisted> to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
	+block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]

I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):

	TMP=`mktemp -t security` 
	touch ${TMP} 
	for _a in "" blacklistd 
	do 
		pfctl -a ${_a} -sr -v -z 2>/dev/null | \ 
		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} 
	done 

JFTR: This script *is* running daily (double-checked by entering debugging code).


Questions: 

	"blacklistd" in google found: https://reviews.freebsd.org/D5913
	Does that mean that I do need to run the blacklistd daemon if I do want to re-activate 520.pfdenied reports?
	If I am on the wrong track, where should I look instead?
	

Thanks in advance and regards,
Michael



More information about the freebsd-questions mailing list