FreeBSD 11 : running blacklistd needed for 520.pfdenied?

Michael Grimm trashcan at ellael.org
Thu Oct 13 18:32:05 UTC 2016


Hi -

On 15.08.2016, at 19:01, Michael Grimm <trashcan at ellael.org> wrote:

> I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing those parts in my daily security report regarding pf, e.g.:
> 
> 	example.private pf denied packets:
> 	+block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
> 	+block drop in log quick on ix0 from <blacklisted> to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
> 	+block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]
> 
> I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):
> 
> 	TMP=`mktemp -t security`
> 	touch ${TMP}
> 	for _a in "" blacklistd
> 	do
> 		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
> 		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
> 	done

Well, one needs to add the "old" functionality of 10.3-STABLE's /etc/periodic/security/520.pfdenied to get those lines to reappear. The new script in 11-STABLE (and presumably 11-RELEASE) assumes a running blacklistd, which isn't necessarily the case in every installation running pf firewalls.

Patch:
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNIP ++++++++++++++++++++++++++++++++++++++++++++++++++++++
--- 520.pfdenied	2016-08-15 18:59:11.532831000 +0200
+++ 520.pfdenied.new	2016-10-13 20:03:28.891362000 +0200
@@ -50,6 +50,8 @@
 		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
 		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
 	done
+	pfctl -sr -v 2>/dev/null | \
+	nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
 	if [ -s ${TMP} ]; then
 		check_diff new_only pf ${TMP} "${host} pf denied packets:"
 	fi
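Review bot: the two added lines repeat the loop body for the main ruleset, but the reason the main ruleset goes missing is visible in the first context line of this hunk: `${_a}` is unquoted, so in the loop's first iteration (`_a` empty) the command expands to `pfctl -a -sr -v -z`, getopt takes `-sr` as the argument of `-a`, and pfctl is asked about an anchor named "-sr" with no `-s` option at all, printing nothing. Passing the option only when an anchor name is set, e.g. `pfctl ${_a:+-a "${_a}"} -sr -v -z 2>/dev/null | \`, repairs that iteration without duplicating the awk pipeline. The added lines also drop `-z`, so unlike the anchored rules the main ruleset's counters are no longer zeroed after each report and will keep accumulating from day to day, which changes what the daily numbers mean.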
++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNAP ++++++++++++++++++++++++++++++++++++++++++++++++++++++

Regards,
Michael
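As an added example, not code from this thread or from FreeBSD's 520.pfdenied: the quoted report loop run against a constructed stand-in for pfctl (the `fake_pfctl` function, with made-up rules and counters), showing why an empty, unquoted anchor name produces no output for the main ruleset, next to a loop that only passes `-a` when an anchor is set.

```sh
# Constructed stand-in for `pfctl -sr -v`. Like getopt, it lets `-a` consume
# whatever argument follows, so `-a -sr` selects an anchor named "-sr".
# Rule text and counters are made up for this example.
fake_pfctl() {
	anchor=""
	while [ $# -gt 0 ]; do
		case "$1" in
		-a) anchor="$2"; shift ;;
		esac
		shift
	done
	case "$anchor" in
	"") printf '%s\n' \
		'block drop in on ix0 all' \
		'  [ Evaluations: 12757684  Packets: 133590  Bytes: 7477681  States: 0     ]' \
		'block drop quick on ix0 from any to <rfc1918>' \
		'  [ Evaluations: 790740  Packets: 0  Bytes: 0  States: 0     ]' \
		'pass in quick on ix0 proto tcp from any to any port = ssh' \
		'  [ Evaluations: 10  Packets: 10  Bytes: 640  States: 1     ]' ;;
	blacklistd) printf '%s\n' \
		'block drop in log quick on ix0 from <blacklisted> to any' \
		'  [ Evaluations: 12754165  Packets: 3753  Bytes: 269612  States: 0     ]' ;;
	esac
}

# The periodic script's filter: keep each "block" rule whose packet counter
# ($5 once the counter line's spaces are collapsed) is non-zero.
denied_filter() {
	awk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }'
}

# Loop as quoted in the thread: with _a empty, ${_a} expands to nothing and
# "-sr" becomes the anchor name, so the main ruleset is never listed.
report_unquoted() {
	for _a in "" blacklistd; do
		fake_pfctl -a ${_a} -sr -v -z 2>/dev/null | denied_filter
	done
}

# Fixed loop: pass -a only when an anchor name is actually set.
report_fixed() {
	for _a in "" blacklistd; do
		fake_pfctl ${_a:+-a "${_a}"} -sr -v -z 2>/dev/null | denied_filter
	done
}
```

Running `report_unquoted` prints only the blacklistd line, while `report_fixed` also prints the main-ruleset block rule with its 133590 dropped packets.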