From owner-freebsd-bugs Thu Dec 13 17:40:15 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 8F94537B416
	for ; Thu, 13 Dec 2001 17:40:01 -0800 (PST)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id fBE1e1714761;
	Thu, 13 Dec 2001 17:40:01 -0800 (PST)
	(envelope-from gnats)
Received: from boggy.acest.tutrp.tut.ac.jp (boggy.acest.tutrp.tut.ac.jp [133.15.67.40])
	by hub.freebsd.org (Postfix) with ESMTP id D7B7537B405
	for ; Thu, 13 Dec 2001 17:37:01 -0800 (PST)
Received: (from root@localhost)
	by boggy.acest.tutrp.tut.ac.jp (8.11.6+3.4W/8.11.6) id fBE1aua24041
	for freebsd-gnats-submit@freebsd.org; Fri, 14 Dec 2001 10:36:56 +0900 (JST)
Received: (from nakaji@localhost)
	by boggy.acest.tutrp.tut.ac.jp (8.11.6+3.4W/8.11.6av) id fBE1ass24033;
	Fri, 14 Dec 2001 10:36:54 +0900 (JST)
Message-Id: <200112140136.fBE1ass24033@boggy.acest.tutrp.tut.ac.jp>
Date: Fri, 14 Dec 2001 10:36:54 +0900 (JST)
From: NAKAJI Hiroyuki
Reply-To: NAKAJI Hiroyuki
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: bin/32822: /etc/periodic/security/[56]50.ip{,6}fwlimit error
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 32822
>Category: bin
>Synopsis: /etc/periodic/security/[56]50.ip{,6}fwlimit error
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 13 17:40:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: NAKAJI Hiroyuki
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD boggy.acest.tutrp.tut.ac.jp 5.0-CURRENT FreeBSD 5.0-CURRENT #1: Mon Dec 10 17:06:01 JST 2001 root@boggy.acest.tutrp.tut.ac.jp:/usr/obj/usr/src/sys/NAKAJI i386

>Description:
In daily mails from root, I see

Checking for passwordless accounts:
[: : out of range
[: : out of range

And checked the scripts in /etc/periodic/security to find which one
says 'out of range'. They are 550.ipfwlimit and 650.ip6fwlimit.

They use the variable ${IPFW_LOG_LIMIT} or ${IP6FW_LOG_LIMIT} and compare
it with 0. But on my current system, the variables are both null strings
because the kernel does not have "options IPFIREWALL" nor
"options IPV6FIREWALL", so that the 'test' fails.

>How-To-Repeat:
/bin/sh -x /etc/periodic/550.ipfwlimit
[snip]
+ sysctl -n net.inet.ip.fw.verbose_limit
+ IPFW_LOG_LIMIT=
+ [ 1 -eq 0 -a -ne 0 ]
[: : out of range

/bin/sh -x /etc/periodic/650.ip6fwlimit
[snip]
+ sysctl -n net.inet6.ip6.fw.verbose_limit
+ IP6FW_LOG_LIMIT=
+ [ 1 -eq 0 -a -ne 0 ]
[: : out of range

>Fix:
If you don't have net.inet.ip.fw.verbose_limit or
net.inet6.ip6.fw.verbose_limit, the variables ${IPFW_LOG_LIMIT} and
${IP6FW_LOG_LIMIT} should be 0. Here is a diff.

Index: 550.ipfwlimit =================================================================== RCS file: /home/ncvs/src/etc/periodic/security/550.ipfwlimit,v retrieving revision 1.1 diff -u -r1.1 550.ipfwlimit --- 550.ipfwlimit 7 Dec 2001 23:57:38 -0000 1.1 +++ 550.ipfwlimit 14 Dec 2001 01:27:40 -0000 @@ -44,6 +44,7 @@ case "$daily_status_security_ipfwlimit_enable" in [Yy][Ee][Ss]) IPFW_LOG_LIMIT=`sysctl -n net.inet.ip.fw.verbose_limit 2> /dev/null` + test -z "${IPFW_LOG_LIMIT}" && IPFW_LOG_LIMIT=0 if [ $? -eq 0 -a "${IPFW_LOG_LIMIT}" -ne 0 ]; then ipfw -a l | grep " log " | perl -n -e \ '/^\d+\s+(\d+)/; print if ($1 >= '$IPFW_LOG_LIMIT')' > ${TMP} Index: 650.ip6fwlimit =================================================================== RCS file: /home/ncvs/src/etc/periodic/security/650.ip6fwlimit,v retrieving revision 1.1 diff -u -r1.1 650.ip6fwlimit --- 650.ip6fwlimit 7 Dec 2001 23:57:38 -0000 1.1 +++ 650.ip6fwlimit 14 Dec 2001 01:27:59 -0000 @@ -44,6 +44,7 @@ case "$daily_status_security_ip6fwlimit_enable" in [Yy][Ee][Ss]) IP6FW_LOG_LIMIT=`sysctl -n net.inet6.ip6.fw.verbose_limit 2> /dev/null` + test -z "${IP6FW_LOG_LIMIT}" && IP6FW_LOG_LIMIT=0 if [ $? -eq 0 -a "${IP6FW_LOG_LIMIT}" -ne 0 ]; then ip6fw -a l | grep " log " | perl -n -e \ '/^\d+\s+(\d+)/; print if ($1 >= '$IP6FW_LOG_LIMIT')' > ${TMP} >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
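
Review bot: In the 550.ipfwlimit hunk, the added line test -z "${IPFW_LOG_LIMIT}" && IPFW_LOG_LIMIT=0 sits between the sysctl assignment and if [ $? -eq 0 -a ... ], so $? now holds the status of that test list instead of the status of sysctl. When sysctl returns a non-empty limit, test -z fails, $? is 1, and the if body is skipped, which silently turns the log-limit check off on the systems that do have ipfw. Consider dropping the added line and defaulting inside the comparison with "${IPFW_LOG_LIMIT:-0}" -ne 0, or saving the sysctl status in a variable before the new line and testing that variable.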
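
Review bot: The 650.ip6fwlimit hunk has the same ordering problem: the added test -z "${IP6FW_LOG_LIMIT}" && IP6FW_LOG_LIMIT=0 line overwrites the $? that the following if [ $? -eq 0 -a ... ] is meant to read from sysctl, so a configured non-zero limit makes the condition false and the ip6fw report is never produced. An alternative that needs no default value is to leave the sysctl line directly before the test and split the condition into [ $? -eq 0 ] && [ "${IP6FW_LOG_LIMIT}" -ne 0 ], so the numeric comparison is only evaluated when sysctl succeeded.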