Date: Tue, 22 Feb 2005 19:19:28 +0100 (CET) From: Matteo Riondato <rionda@gufi.org> To: FreeBSD-gnats-submit@FreeBSD.org Cc: keramida@FreeBSD.org Subject: conf/77932: pf and ipfw periodic scripts not working Message-ID: <200502221819.j1MIJSqN069957@utenti.gufi.org> Resent-Message-ID: <200502221820.j1MIKIEn023349@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 77932 >Category: conf >Synopsis: pf and ipfw periodic scripts not working >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Feb 22 18:20:18 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Matteo Riondato >Release: FreeBSD 6-CURRENT i386 >Organization: >Environment: System: FreeBSD kaiser.sig11.org 6.0-CURRENT FreeBSD 6.0-CURRENT #2: Sun Feb 20 21:19:06 CET 2005 rionda@kaiser.sig11.org:/usr/obj/usr/src/sys/KAISER i386 >Description: I think there's a little mistake in /etc/periodic/security/security.functions: if check_diff() is called whith "new_only" as its first argument, as it is in /etc/periodic/security/520.pfdenied (and 500.ipfwdenied), it will use "grep '^>'" as a filter to grep only the different lines between the ouput of "pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); print buf$0;} }'" and /var/log/pf.today . The diff between the output and the file is done with diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT and the filter is "piped" after this command, so we have: diff {daily_status_security_diff_flags} /var/log/pf.today $OUTPUT | grep '^>' but daily_status_security_diff_flags is set to "-b -u" in /etc/defaults/periodic.conf so there aren't lines beginning with ">", because we are doing an unified diff. The filter then gives no output and the only output of /etc/periodic/security/520.pfdenied is $HOSTNAME pf denied packets: This can be solved changing $filter from "grep '^>'" to "grep '^+'" in /etc/periodic/security/security.functions, line 46. I would not change daily_status_security_diff_flags as I remember that having unified diff in periodic mails was disscussed and approved in the MLs >How-To-Repeat: >Fix: >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200502221819.j1MIJSqN069957>