From: Michael Grimm
To: freebsd-questions@freebsd.org, freebsd-stable@freebsd.org
Date: Thu, 13 Oct 2016 20:32:02 +0200
Subject: Re: FreeBSD 11 : running blacklistd needed for 520.pfdenied?
Message-Id: <3EF5E845-A3D9-4802-B9DD-A788CB09197C@ellael.org>

Hi -

On 15.08.2016, at 19:01, Michael Grimm wrote:

> I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am missing those parts in my daily security report regarding pf, e.g.:
>
> example.private pf denied packets:
> +block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
> +block drop in log quick on ix0 from to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
> +block drop quick on ix0 from any to [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]
>
> I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):
>
> TMP=`mktemp -t security`
> touch ${TMP}
> for _a in "" blacklistd
> do
> 	pfctl -a ${_a} -sr -v -z 2>/dev/null | \
> 	nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
> done

Well, one needs to add the "old" functionality of 10.3-STABLE's /etc/periodic/security/520.pfdenied to get those lines to reappear. The new script in 11-STABLE (and presumably 11-RELEASE) assumes a running blacklistd, which isn't necessarily the case in every installation running pf firewalls.
Patch: ++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNIP = ++++++++++++++++++++++++++++++++++++++++++++++++++++++ --- 520.pfdenied 2016-08-15 18:59:11.532831000 +0200 +++ 520.pfdenied.new 2016-10-13 20:03:28.891362000 +0200 @@ -50,6 +50,8 @@ pfctl -a ${_a} -sr -v -z 2>/dev/null | \ nawk '{if (/^block/) {buf=3D$0; getline; gsub(" +"," = ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP} done + pfctl -sr -v 2>/dev/null | \ + nawk '{if (/^block/) {buf=3D$0; getline; gsub(" +"," ",$0); if = ($5 > 0) print buf$0;} }' >> ${TMP} if [ -s ${TMP} ]; then check_diff new_only pf ${TMP} "${host} pf denied = packets:" fi ++++++++++++++++++++++++++++++++++++++++++++++++++++++ SNAP = ++++++++++++++++++++++++++++++++++++++++++++++++++++++ Regards, Michael
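Review bot: the two added lines after `done` duplicate the loop body instead of fixing why the main ruleset is missed in the first place. In the loop, `pfctl -a ${_a} -sr -v -z` leaves `${_a}` unquoted, so for the empty first element of `for _a in "" blacklistd` the shell drops that word entirely and pfctl is invoked as `pfctl -a -sr -v -z`, where `-a` consumes `-sr` as the anchor name and nothing is listed (the error goes to `2>/dev/null`). Quoting it, `pfctl -a "${_a}" -sr -v -z`, hands pfctl an empty anchor name (the main ruleset) on the first iteration and makes the extra call unnecessary. If the extra call is kept anyway, it should carry `-z` like the loop does: without it the main ruleset's per-rule counters are never cleared after the report, so the Packets values grow into totals since the last ruleset load rather than counts since the previous report, and with `check_diff new_only` every block rule with traffic is reported as new each day because its counter line changed.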
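The awk filter quoted above is short but easy to misread, and the reason the first loop iteration yields nothing is a shell quoting detail rather than anything pf does. The following is an added example, not code from this thread or from FreeBSD's 520.pfdenied: it runs the same filter over constructed `pfctl -sr -v` output (counter values and the table name `<bruteforce>` are made up, and `awk` stands in for FreeBSD's `nawk` so it runs without pf), and it shows what argv pfctl actually receives when the loop variable is empty and unquoted versus quoted.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's 520.pfdenied.
# Runs the periodic script's awk filter over constructed pfctl output and
# demonstrates the unquoted-empty-anchor problem in the loop
# `for _a in "" blacklistd`. Needs only sh and awk; no pf involved.

# Constructed sample of `pfctl -sr -v` output: each rule is followed by a
# counters line and an "Inserted" line. All numbers are made up; the table
# name <bruteforce> is an assumption.
SAMPLE_PFCTL_OUTPUT='pass in on ix0 proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 100       Packets: 50        Bytes: 4000        States: 1     ]
  [ Inserted: uid 0 pid 1234 State Creations: 1     ]
block drop in on ix0 all
  [ Evaluations: 12757684  Packets: 133590    Bytes: 7477681     States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
block drop in log quick on ix0 from <bruteforce> to any
  [ Evaluations: 12754165  Packets: 3753      Bytes: 269612      States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]
block drop out on ix0 all
  [ Evaluations: 5         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 1234 State Creations: 0     ]'

# The filter as used in 520.pfdenied: on a line starting with "block", keep
# the rule text, read the following counters line, squeeze runs of spaces so
# that the Packets value is always field 5, and print rule + counters when
# that value is greater than zero. Other lines (pass rules, "Inserted") are
# ignored because they do not start with "block".
pf_denied_filter() {
    awk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }'
}

# Lines the filter keeps for the sample: the two block rules with traffic.
denied_rules() {
    printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | pf_denied_filter
}

denied_rule_count() {
    denied_rules | wc -l | tr -d ' '
}

first_denied_rule() {
    denied_rules | head -n 1
}

# argv pfctl would see on the loop's first iteration, where _a="".
# Unquoted: the empty word disappears and "-a" takes "-sr" as its anchor
# name, so no rule listing happens at all.
pfctl_argv_unquoted() {
    _a=""
    # shellcheck disable=SC2086
    set -- -a ${_a} -sr -v -z
    printf '%s argv words, anchor=%s\n' "$#" "$2"
}

# Quoted: "-a" receives the empty string, which names the main ruleset.
pfctl_argv_quoted() {
    _a=""
    set -- -a "${_a}" -sr -v -z
    printf '%s argv words, anchor=%s\n' "$#" "$2"
}

# Usage when run directly.
denied_rules
pfctl_argv_unquoted
pfctl_argv_quoted
```

The filter relies on the counters line immediately following each rule line; anything that breaks that pairing (for instance running without `-v`) would make `getline` consume the next rule instead, so the example feeds it the same two-line records pfctl produces.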