Date:      Mon, 15 Aug 2016 19:01:39 +0200
From:      Michael Grimm <trashcan@ellael.org>
To:        freebsd-questions@freebsd.org
Subject:   FreeBSD 11 : running blacklistd needed for 520.pfdenied?
Message-ID:  <EB01CDFF-8015-4117-AA2F-90D870DE5522@ellael.org>

Hi —

I recently upgraded from 10.3-STABLE to 11.0-PRERELEASE. Now, I am
missing those parts in my daily security report regarding pf, e.g.:

	example.private pf denied packets:
	+block drop in on ix0 all [ Evaluations: 12757684 Packets: 133590 Bytes: 7477681 States: 0 ]
	+block drop in log quick on ix0 from <blacklisted> to any [ Evaluations: 12754165 Packets: 3753 Bytes: 269612 States: 0 ]
	+block drop quick on ix0 from any to <rfc1918> [ Evaluations: 790740 Packets: 873 Bytes: 295032 States: 0 ]

I do believe that those lines should be generated by
/etc/periodic/security/520.pfdenied (stripped to the relevant part):

	TMP=`mktemp -t security`
	touch ${TMP}
	for _a in "" blacklistd
	do
		pfctl -a ${_a} -sr -v -z 2>/dev/null | \
		nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }' >> ${TMP}
	done

JFTR: This script *is* running daily (double-checked by entering
debugging code).


Questions:

	"blacklistd" in google found: https://reviews.freebsd.org/D5913
	Does that mean that I do need to run the blacklistd daemon if I do want to re-activate 520.pfdenied reports?
	If I am on the wrong track, where should I look instead?

Thanks in advance and regards,
Michael
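
Added example, not part of the original message and not FreeBSD's own script: it runs the awk filter quoted above over constructed text laid out like `pfctl -sr -v` output, and prints the word list the loop passes to pfctl on each iteration. Assumptions: `awk` stands in for `nawk`, pfctl itself is never called, and the helper names (`sample_rules`, `pfdenied_filter`, `show_args`, `pfctl_args`) are hypothetical.

```shell
#!/bin/sh
# Added example: pfctl is not called; its output is replaced by constructed text.

# Constructed sample in the layout of `pfctl -sr -v`: each rule line is
# followed by an indented counters line.
sample_rules() {
cat <<'EOF'
block drop in on ix0 all
  [ Evaluations: 12757684  Packets: 133590    Bytes: 7477681     States: 0     ]
block drop quick on ix0 from any to <rfc1918>
  [ Evaluations: 790740    Packets: 0         Bytes: 0           States: 0     ]
pass out on ix0 all flags S/SA keep state
  [ Evaluations: 5120      Packets: 88210     Bytes: 9912001     States: 12    ]
EOF
}

# The filter from the message, with awk standing in for nawk: remember a
# "block" rule, read its counters line, squeeze runs of spaces, and print
# the pair only if field 5 (the Packets value) is greater than zero.
pfdenied_filter() {
    awk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0) print buf$0;} }'
}

# Print the argument list a command would receive, one word per line.
show_args() {
    for _w in "$@"; do printf '[%s]\n' "$_w"; done
}

# Word list the loop hands to pfctl for a given anchor value. ${_a} is
# unquoted, as in the message, so an empty value contributes no word.
pfctl_args() {
    _a=$1
    show_args -a ${_a} -sr -v -z
}

sample_rules | pfdenied_filter
echo 'anchor "":';          pfctl_args ""
echo 'anchor blacklistd:';  pfctl_args blacklistd
```

On the first iteration the word that follows `-a` is `-sr`, because the empty `${_a}` disappears during expansion; quoting it as `"${_a}"` would pass an explicit empty anchor name.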



