From owner-freebsd-current@FreeBSD.ORG Tue Feb 22 18:06:16 2005
Date: Tue, 22 Feb 2005 10:06:16 -0800 (PST)
From: Doug White
To: Matteo Riondato
cc: freebsd-current@freebsd.org
Subject: Re: Question about periodic
In-Reply-To: <1109071079.1390.21.camel@kaiser.sig11.org>
Message-ID: <20050222095536.E97883@carver.gumbysoft.com>
References: <1109071079.1390.21.camel@kaiser.sig11.org>
List-Id: Discussions about the use of FreeBSD-current

On Tue, 22 Feb 2005, Matteo Riondato wrote:

> Hi folks,
> I think there's a little mistake
> in /etc/periodic/security/security.functions:
>
> if check_diff() is called with "new_only" as its first argument, as it
> is in /etc/periodic/security/520.pfdenied (and 500.ipfwdenied), it will
> use "grep '^>'" as a filter to grep only the different lines between the
> output of "pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0;
> getline; gsub(" +"," ",$0); print buf$0;} }'" and /var/log/pf.today .
>
> The diff between the output and the file is done with
>
> diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT
>
> and the filter is "piped" after this command, so we have:
>
> diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT | grep '^>'
>
> but daily_status_security_diff_flags is set to "-b -u"
> in /etc/defaults/periodic.conf so there aren't lines beginning with ">",
> because we are doing a unified diff. The filter then gives no output
> and the only output of /etc/periodic/security/520.pfdenied is
>
> $HOSTNAME pf denied packets:
>
> This can be solved by changing $filter from "grep '^>'" to "grep '^+'"
> in /etc/periodic/security/security.functions, line 46.

Or take the -u out of the default, which I think is the intended
behavior, looking at the commit logs. The daily_status_security_diff_flags
option predates the pf scripts by about 3 months so I'm not sure how that
got past testing :)

Please send-pr this and poke mlaier and keramida about it.

--
Doug White                    |  FreeBSD: The Power to Serve
dwhite@gumbysoft.com          |  www.FreeBSD.org
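As an added example (not code from this thread or from FreeBSD's periodic scripts), the POSIX shell script below reproduces the filter mismatch with two constructed pf rule dumps standing in for /var/log/pf.today and the fresh "pfctl -sr -v" output: under the default "-b -u" flags nothing starts with ">", while a "^+" filter also lets the unified-diff "+++" file header through, so a stricter pattern is shown alongside Doug's alternative of dropping -u.

```shell
#!/bin/sh
# Added example; not code from the thread or from FreeBSD's periodic scripts.
# It reproduces the check_diff "new_only" filter problem with two constructed
# pf rule dumps and shows which lines each filter lets through.

# Constructed stand-in for yesterday's saved /var/log/pf.today.
YESTERDAY='block drop in log quick on em0 inet from 10.0.0.0/8 to any [ Evaluations: 10 Packets: 3 ]
block drop in log on em0 inet from any to 192.0.2.1 port = 22 [ Evaluations: 7 Packets: 1 ]'

# Constructed stand-in for today's "pfctl -sr -v" output: one counter moved
# and one new block rule appeared.
TODAY='block drop in log quick on em0 inet from 10.0.0.0/8 to any [ Evaluations: 15 Packets: 5 ]
block drop in log on em0 inet from any to 192.0.2.1 port = 22 [ Evaluations: 7 Packets: 1 ]
block drop in log on em0 inet from 198.51.100.0/24 to any [ Evaluations: 2 Packets: 2 ]'

# new_lines DIFF_FLAGS GREP_PATTERN
# Mirrors "diff $daily_status_security_diff_flags /var/log/pf.today $OUTPUT | $filter"
# and prints whatever survives the filter.
new_lines() {
  tmpd=$(mktemp -d) || return 1
  printf '%s\n' "$YESTERDAY" > "$tmpd/pf.today"
  printf '%s\n' "$TODAY" > "$tmpd/output"
  # $1 is left unquoted on purpose so "-b -u" splits into two flags, as the
  # periodic script does; diff exits 1 when the files differ, only grep's
  # status reaches the caller, and an empty match is not an error here.
  diff $1 "$tmpd/pf.today" "$tmpd/output" | grep "$2" || true
  rm -rf "$tmpd"
}

# count_new DIFF_FLAGS GREP_PATTERN: how many lines the filter lets through.
count_new() {
  new_lines "$1" "$2" | grep -c '' || true
}

echo '== default flags "-b -u" with the shipped filter ^> (empty: the bug):'
new_lines '-b -u' '^>'
echo '== default flags "-b -u" with ^+ (new rules, plus the +++ file header):'
new_lines '-b -u' '^+'
echo '== default flags "-b -u" with ^+[^+] (new rules only):'
new_lines '-b -u' '^+[^+]'
echo '== flags "-b" only (normal diff) with the shipped filter ^>:'
new_lines '-b' '^>'
```

The third variant matters for a daily report: a filter of "^+" alone reports the temporary file name from the "+++" header line every day, even when no new rule was hit.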