Date: Fri, 14 Dec 2001 10:36:54 +0900 (JST)
From: NAKAJI Hiroyuki <nakaji@jp.freebsd.org>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/32822: /etc/periodic/security/[56]50.ip{,6}fwlimit error
Message-ID: <200112140136.fBE1ass24033@boggy.acest.tutrp.tut.ac.jp>
>Number: 32822
>Category: bin
>Synopsis: /etc/periodic/security/[56]50.ip{,6}fwlimit error
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 13 17:40:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: NAKAJI Hiroyuki
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD boggy.acest.tutrp.tut.ac.jp 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Mon Dec 10 17:06:01 JST 2001 root@boggy.acest.tutrp.tut.ac.jp:/usr/obj/usr/src/sys/NAKAJI i386
>Description:
In daily mails from root, I see
Checking for passwordless accounts:
[: : out of range
[: : out of range
I checked the scripts in /etc/periodic/security to find which
one says 'out of range'. They are 550.ipfwlimit and
650.ip6fwlimit.
They use the variable ${IPFW_LOG_LIMIT} or ${IP6FW_LOG_LIMIT} and
compare it with 0. But on my current system, the variables are
both null strings because the kernel has neither
"options IPFIREWALL" nor "options IPV6FIREWALL",
so the 'test' fails.
>How-To-Repeat:
/bin/sh -x /etc/periodic/550.ipfwlimit
[snip]
+ sysctl -n net.inet.ip.fw.verbose_limit
+ IPFW_LOG_LIMIT=
+ [ 1 -eq 0 -a -ne 0 ]
[: : out of range
/bin/sh -x /etc/periodic/650.ip6fwlimit
[snip]
+ sysctl -n net.inet6.ip6.fw.verbose_limit
+ IP6FW_LOG_LIMIT=
+ [ 1 -eq 0 -a -ne 0 ]
[: : out of range
>Fix:
If you don't have net.inet.ip.fw.verbose_limit or
net.inet6.ip6.fw.verbose_limit, the variables ${IPFW_LOG_LIMIT}
and ${IP6FW_LOG_LIMIT} should be 0.
Here is a diff.
Index: 550.ipfwlimit
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/550.ipfwlimit,v
retrieving revision 1.1
diff -u -r1.1 550.ipfwlimit
--- 550.ipfwlimit 7 Dec 2001 23:57:38 -0000 1.1
+++ 550.ipfwlimit 14 Dec 2001 01:27:40 -0000
@@ -44,6 +44,7 @@
case "$daily_status_security_ipfwlimit_enable" in
[Yy][Ee][Ss])
IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null`
+ test -z "${IPFW_LOG_LIMIT}" && IPFW_LOG_LIMIT=0
if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then
ipfw -a l | grep " log " | perl -n -e \
'/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP}
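Review bot: The added test -z line sits between the sysctl assignment and the "if [ $? -eq 0 ..." line, so $? in that condition now holds the exit status of the test list, not of sysctl. When the sysctl exists and returns a non-empty value, test -z exits 1, "$? -eq 0" is false, and the ipfw log-limit check never runs on the systems it is meant for. Leave $? untouched by defaulting inside the comparison instead, for example: if [ $? -eq 0 -a "${IPFW_LOG_LIMIT:-0}" -ne 0 ]; then (or save the sysctl status into a variable on the line directly after the assignment).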
Index: 650.ip6fwlimit
===================================================================
RCS file: /home/ncvs/src/etc/periodic/security/650.ip6fwlimit,v
retrieving revision 1.1
diff -u -r1.1 650.ip6fwlimit
--- 650.ip6fwlimit 7 Dec 2001 23:57:38 -0000 1.1
+++ 650.ip6fwlimit 14 Dec 2001 01:27:59 -0000
@@ -44,6 +44,7 @@
case "$daily_status_security_ip6fwlimit_enable" in
[Yy][Ee][Ss])
IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null`
+ test -z "${IP6FW_LOG_LIMIT}" && IP6FW_LOG_LIMIT=0
if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then
ip6fw -a l | grep " log " | perl -n -e \
'/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP}
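Review bot: In this hunk the inserted test -z line overwrites sysctl's exit status before the following "if [ $? -eq 0 ..." reads it; with a non-empty IP6FW_LOG_LIMIT the list exits 1 and the ip6fw check is always skipped. Since stderr from sysctl is already discarded and an empty value is the failure signal being handled here, the $? comparison could be dropped and the condition reduced to [ "${IP6FW_LOG_LIMIT:-0}" -ne 0 ], which also removes the -a expression that produced the "out of range" error.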
>Release-Note:
>Audit-Trail:
>Unformatted:
