status-mail-rejects: appears to be broken
Ronald Klop
ronald-lists at klop.ws
Wed Jan 10 21:23:02 UTC 2018
On Mon, 08 Jan 2018 01:52:03 +0100, Chris H <bsd-lists at bsdforge.com> wrote:
> On Sun, 07 Jan 2018 14:13:01 +0100 "Ronald Klop" <ronald-lists at klop.ws> said
>
>> On Sun, 17 Dec 2017 20:50:23 +0100, Chris H <bsd-lists at bsdforge.com> wrote:
>> > I'm running on r326056, and periodic(8) doesn't seem to be working
>> > as expected;
>> > mail rejects:
>> >
>> > Checking for rejected mail hosts:
>> > usage: fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]
>> >        [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]
>> >        [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]
>> >        [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]
>> >        [-o file] [--referer=URL] [-S bytes] [-T seconds]
>> >        [--user-agent=agent-string] [-w seconds] URL ...
>> >        fetch [-146AadFlMmnPpqRrsUv] [-B bytes] [--bind-address=host]
>> >        [--ca-cert=file] [--ca-path=dir] [--cert=file] [--crl=file]
>> >        [-i file] [--key=file] [-N file] [--no-passive] [--no-proxy=list]
>> >        [--no-sslv3] [--no-tlsv1] [--no-verify-hostname] [--no-verify-peer]
>> >        [-o file] [--referer=URL] [-S bytes] [-T seconds]
>> >        [--user-agent=agent-string] [-w seconds] -h host -f file [-c dir]
>> >
>> > Also, 520.pfdenied doesn't produce any output. In fact, it doesn't appear
>> > to be run at all.
>> >
>> > Any thoughts, or advice on how to best proceed?
>> >
>> > Thanks!
>> >
>> > --Chris
>> This looks the same as what I experienced. It will be fixed by
>> upgrading until at least this commit:
>> http://www.secnetix.de/olli/FreeBSD/svnews/index.py?r=326343
> It appears that you indicate anything past, or including, r326343 resolves this.
Indeed. That resolves the error about 'fetch', which came from the ntpd
leaptime file update periodic script in my case.
> I'll look into it.
> But FWIW I was able to get etc/periodic/security/520.pfdenied output working
> with the following diff(1):
I don't use pf, so I can't comment on this. I hope somebody else can, but
I guess it will attract more eyes if you repost with a subject about
520.pfdenied or something similar.
Regards,
Ronald.
> --- /etc/periodic/security/520.pfdenied.orig 2017-11-21
> 06:57:04.000000000 -0800
> +++ /etc/periodic/security/520.pfdenied 2017-03-29 16:22:50.000000000
> -0700
> @@ -24,7 +24,7 @@
> # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> # SUCH DAMAGE.
> #
> -# $FreeBSD: head/etc/periodic/security/520.pfdenied 306696 2016-10-04
> 23:12:35Z lidl $
> +# $FreeBSD: head/etc/periodic/security/520.pfdenied 290405 2015-11-05
> 17:37:14Z lidl $
> #
> # If there is a global system configuration file, suck it in.
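Review bot: the `$FreeBSD$` keyword line should not be edited by hand, and the change it shows here (306696 / 2016-10-04 going back to 290405 / 2015-11-05) means this diff is a wholesale revert of the script to its older revision rather than a fix for the current one; drop this hunk and send only the functional change, ideally against head, so the reason the r306696 version prints nothing can be identified instead of papered over.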
> @@ -44,13 +44,8 @@
> if check_yesno_period security_status_pfdenied_enable
> then
> TMP=`mktemp -t security`
> - for _a in "" $(pfctl -a "blacklistd" -sA 2>/dev/null)
> - do
> - pfctl -a ${_a} -sr -v -z 2>/dev/null | \
> - nawk '{if (/^block/) {buf=$0; getline; gsub(" +"," ",$0); if ($5 > 0)
> print buf$0;} }' >> ${TMP}
> - done
> - if [ -s ${TMP} ]; then
> - check_diff new_only pf ${TMP} "${host} pf denied packets:"
> + if pfctl -sr -v 2>/dev/null | nawk '{if (/^block/) {buf=$0; getline;
> gsub(" +"," ",$0); print buf$0;} }' > ${TMP}; then
> + check_diff new_only pf ${TMP} "${host} pf denied packets:"
> fi
> rc=$?
> rm -f ${TMP}
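Review bot: the replacement test `if pfctl -sr -v 2>/dev/null | nawk '...' > ${TMP}; then` only checks the exit status of nawk, the last command in the pipeline, so a pfctl failure (pf disabled, module not loaded) is swallowed by the `2>/dev/null` and the branch still runs check_diff on an empty file; the removed `if [ -s ${TMP} ]` guard, which reports only when there is something to report, should stay. Dropping the `for _a in "" $(pfctl -a "blacklistd" -sA ...)` loop also means block rules inside blacklistd anchors are no longer reported, dropping `-z` means the per-rule counters are never reset so the diff reflects lifetime totals rather than the last period, and dropping the `$5 > 0` filter reports every block rule whether or not it matched anything. A smaller change is worth trying first: as quoted, `${_a}` in `pfctl -a ${_a} -sr -v -z` is unquoted, so on the first (empty-string) iteration word splitting removes it and `-a` consumes `-sr` as the anchor name; quoting it as `pfctl -a "${_a}" -sr -v -z`, and temporarily removing the `2>/dev/null` to see what pfctl complains about, would show whether that is why the shipped script produces no output.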
>
> Thanks for taking the time to reply, Ronald!
>> Ronald.
>>
> --Chris
>