Date: Tue, 22 Feb 2005 19:19:28 +0100 (CET)
From: Matteo Riondato <rionda@gufi.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: keramida@FreeBSD.org
Subject: conf/77932: pf and ipfw periodic scripts not working
Message-ID: <200502221819.j1MIJSqN069957@utenti.gufi.org>
Resent-Message-ID: <200502221820.j1MIKIEn023349@freefall.freebsd.org>
>Number: 77932
>Category: conf
>Synopsis: pf and ipfw periodic scripts not working
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 22 18:20:18 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Matteo Riondato
>Release: FreeBSD 6-CURRENT i386
>Organization:
>Environment:
System: FreeBSD kaiser.sig11.org 6.0-CURRENT FreeBSD 6.0-CURRENT #2: Sun Feb 20 21:19:06 CET 2005 rionda@kaiser.sig11.org:/usr/obj/usr/src/sys/KAISER i386
>Description:
I think there's a little mistake
in /etc/periodic/security/security.functions:
if check_diff() is called with "new_only" as its first argument, as it
is in /etc/periodic/security/520.pfdenied (and 500.ipfwdenied), it will
use "grep '^>'" as a filter to grep only the different lines between the
output of "pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0;
getline; gsub(" +"," ",$0); print buf$0;} }'" and /var/log/pf.today .
The diff between the output and the file is done with
diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT
and the filter is "piped" after this command, so we have:
diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT | grep
'^>'
but daily_status_security_diff_flags is set to "-b -u"
in /etc/defaults/periodic.conf so there aren't lines beginning with ">",
because we are doing a unified diff. The filter then gives no output
and the only output of /etc/periodic/security/520.pfdenied is
$HOSTNAME pf denied packets:
This can be solved changing $filter from "grep '^>'" to "grep '^+'"
in /etc/periodic/security/security.functions, line 46.
I would not change daily_status_security_diff_flags as I remember that
having unified diff in periodic mails was discussed and approved in the MLs.
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
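The mismatch the report describes can be reproduced without a pf box. The script below is an added example, not code from this PR or from FreeBSD's periodic scripts: it builds two constructed rule-counter snapshots (stand-ins for /var/log/pf.today and the current pfctl output; the rules and counters are made up), runs diff over them with the normal and the "-b -u" flags from periodic.conf, and counts what survives each filter. The helper name new_only_filter is an assumption of this example; it accepts both "> " (normal diff) and "+" (unified diff) lines but drops the "+++ " file header that a bare grep '^+' would otherwise report as a denied-packet line.

```shell
#!/bin/sh
# Added example, not the PR's or FreeBSD's own code. Reproduces the
# check_diff "new_only" filter problem with constructed data: grep '^>'
# expects normal diff output, but daily_status_security_diff_flags="-b -u"
# produces unified output whose added lines start with "+".

# Constructed stand-in for yesterday's /var/log/pf.today (rule and counter
# lines already joined, as the nawk filter in 520.pfdenied does).
yesterday_snapshot() {
    printf '%s\n' \
        'block drop in on fxp0 all [ Evaluations: 100 Packets: 5 Bytes: 400 States: 0 ]' \
        'block drop in quick on fxp0 from 10.0.0.0/8 to any [ Evaluations: 50 Packets: 2 Bytes: 160 States: 0 ]'
}

# Constructed stand-in for today's "pfctl -sr -v" output: the first rule's
# counters moved and a third rule appeared.
today_snapshot() {
    printf '%s\n' \
        'block drop in on fxp0 all [ Evaluations: 180 Packets: 9 Bytes: 720 States: 0 ]' \
        'block drop in quick on fxp0 from 10.0.0.0/8 to any [ Evaluations: 50 Packets: 2 Bytes: 160 States: 0 ]' \
        'block drop in log quick on fxp0 from 192.0.2.0/24 to any [ Evaluations: 3 Packets: 3 Bytes: 240 States: 0 ]'
}

# Diff the two snapshots with the given flags, pipe the result through the
# given filter command (a string, evaluated as in security.functions), and
# print how many lines survive. diff exits 1 when the files differ, so
# "|| true" keeps that from aborting the pipeline under "set -e".
count_reported() {
    flags=$1
    filter=$2
    old=$(mktemp -t pfdiff.XXXXXX) || return 1
    new=$(mktemp -t pfdiff.XXXXXX) || return 1
    yesterday_snapshot > "$old"
    today_snapshot > "$new"
    n=$( (diff $flags "$old" "$new" || true) | eval "$filter" | wc -l)
    rm -f "$old" "$new"
    echo "$n" | tr -d ' '
}

# Hypothetical filter that reports only added lines for both diff styles:
# keep "> " (normal) and "+" (unified) lines, drop the "+++ file" header.
new_only_filter() {
    grep '^[+>]' | grep -v '^+++ '
}

# Stand-alone demonstration of the report's observation.
demo() {
    echo "-b,    grep '^>':        $(count_reported '-b' "grep '^>'") lines (normal diff, works)"
    echo "-b -u, grep '^>':        $(count_reported '-b -u' "grep '^>'") lines (the empty report from the PR)"
    echo "-b -u, grep '^+':        $(count_reported '-b -u' "grep '^+'") lines (counts the +++ header too)"
    echo "-b -u, new_only_filter:  $(count_reported '-b -u' new_only_filter) lines (only the added rules)"
}
demo
```

The third line of the demo is the check worth keeping in mind when changing the filter: with unified output, grep '^+' also matches the "+++ /var/log/pf.today" header, so the filter needs to exclude it (or match on the hunk body only) if the report is to list exactly the newly denied rules.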