From: Michael Grimm
Subject: FreeBSD 11 : running blacklistd needed for 520.pfdenied?
Date: Mon, 15 Aug 2016 19:01:39 +0200
To: freebsd-questions@freebsd.org

Hi —

I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE.
Now, I am missing those parts in my daily security report regarding pf, e.g.:

    example.private pf denied packets:
    +block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
    +block drop in log quick on ix0 from to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
    +block drop quick on ix0 from any to [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]

I do believe that those lines should be generated by /etc/periodic/security/520.pfdenied (stripped to the relevant part):

    TMP=`mktemp -t security`
    touch ${TMP}
    for _a in "" blacklistd
    do
        pfctl -a ${_a} -sr -v -z 2>/dev/null | \
        nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
    done

JFTR: This script *is* running daily (double-checked by entering debugging code).

Questions:

"blacklistd" in google found: https://reviews.freebsd.org/D5913

Does that mean that I do need to run the blacklistd daemon if I do want to re-activate 520.pfdenied reports?
If I am on the wrong track, where should I look instead?

Thanks in advance and regards,
Michael
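
Added example, not part of the original message: the awk filter from the quoted 520.pfdenied excerpt run over a constructed sample of `pfctl -sr -v` output, showing why `$5` is the packet counter and which rules reach the report. The function names, the sample rules and their column spacing, and the use of awk in place of nawk are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD).

# pfdenied_filter: the awk logic of the quoted excerpt, reading
# `pfctl -sr -v` style output on stdin. awk stands in for nawk here.
pfdenied_filter() {
    awk '{
        if (/^block/) {
            buf = $0             # the rule text itself
            getline              # the next line carries the counters
            gsub(" +", " ", $0)  # collapse space runs; awk re-splits the fields
            # now: $1="["  $2="Evaluations:"  $3=<n>  $4="Packets:"  $5=<packets>
            if ($5 > 0) print buf $0
        }
    }'
}

# Constructed sample: one block rule that matched packets, one block rule
# that matched none, and one pass rule. Column spacing is an assumption.
sample_rules() {
    cat <<'EOF'
block drop in on ix0 all
  [ Evaluations: 12757684  Packets: 133590    Bytes: 7477681     States: 0     ]
block drop in on ix0 inet6 all
  [ Evaluations: 100       Packets: 0         Bytes: 0           States: 0     ]
pass out on ix0 all flags S/SA keep state
  [ Evaluations: 500       Packets: 42        Bytes: 4200        States: 3     ]
EOF
}

# Only the first rule is printed: the second has Packets: 0 and the third
# is not a block rule.
sample_rules | pfdenied_filter

# With empty input the filter prints nothing. In the quoted pipeline that is
# also what arrives when pfctl fails, because 2>/dev/null hides its error,
# so "no denied packets" and "pfctl returned nothing" look identical.
printf '' | pfdenied_filter
```

Running the `pfctl` command from the excerpt by hand without `2>/dev/null` (and without `-z`, which resets the counters) shows which of the two cases applies for each anchor.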