1.2.1 upgrade resulted in outdated bogon list.
-
I updated a 1.2 system to 1.2.1 and shortly after found a client could not connect to us. I started digging around and found they were getting blocked by the bogon filter on the WAN. They were on a recently allocated block, 173.0.0.0/8. I never had a problem when running the 1.2 system, as it was regularly updating the bogons, but the upgrade put in an old version. Manually kicking the bogon updater resulted in one add and eleven deletes.
-
Where can we start the bogon updater manually?
-
You can find the source of the updater in /etc/crontab
-
Really?
Which of those lines does it? ;-)
* root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 ssh
* root /etc/pppoerestart
* root /usr/local/sbin/squid -k rotate
* root /usr/bin/perl /usr/local/www/lightsquid/lightparser.pl today
-
Looks like you are missing some entries. Here is my /etc/crontab:
$ cat /etc/crontab
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#minute hour mday month wday who command
# pfSense specific crontab entries
# Created: December 26, 2008, 6:38 pm
0 * * * * root /usr/bin/nice -n20 newsyslog
1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
*/60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
*/5 * * * * root /usr/local/bin/checkreload.sh
*/5 * * * * root /etc/ping_hosts.sh
*/140 * * * * root /usr/local/sbin/reset_slbd.sh
# If possible do not add items to this file manually.
# If you do so, this file must be terminated with a blank line (e.g. new line)
-
I copied /etc/rc.update_bogons.sh to a temporary script, removed the sleep and ran it.
-
Thanks!
Dec 30 12:04:50 root: 11 addresses deleted.
Dec 30 12:04:50 root: Bogons file downloaded: 1 addresses added.
Dec 30 12:04:48 root: rc.get_bogons.sh is beginning the update cycle.
Dec 30 12:04:48 root: rc.get_bogons.sh is starting up.
Actually, I seem to be missing some cron jobs on all the machines I updated from 1.2rel or 1.2.1RCs.
Could be an update glitch? Scott? ;-)
Time for a fresh install…
-
Updating from 1.2.1 (with updated bogon list) to 1.2.2 resulted in the same problem with old bogons. Just a FYI.
-
I updated it in CVS a few days ago. Existing installs will always update to the latest on the first of every month, or you can run it manually to update right away.
-
If you don't have the update in /etc/crontab, it's because it's in the cron entries in your config.xml. Newer installs won't have it in /etc/crontab but older ones will. It works the same either way.
-
I've a 1.2.2 version.
My /etc/crontab is empty:
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#minute hour mday month wday who command
#
and I couldn't find any cron entry in config.xml.
Do I need a fresh install?
-
and I couldn't find any cron entry in config.xml.
Do I need a fresh install?
Shouldn't. You sure there isn't anything in your config like this:
<cron>
<item>
<minute>0</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 newsyslog</command>
</item>
</cron>
That came from a years-old install upgraded to 1.2.2.
-
@cmb:
Shouldn't. You sure there isn't anything in your config like this:
<cron>
<item>
<minute>0</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 newsyslog</command>
</item>
</cron>
That came from a years-old install upgraded to 1.2.2.
No, it isn't.
I've only
For example, I've bogon filtering activated, but the script to update them appears neither in cron nor in config.xml.
What can I do?
-
Back up your config, open it in a text editor and replace <cron> with this:
<cron>
<item><minute>0</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/bin/nice -n20 newsyslog</command></item>
<item><minute>1,31</minute><hour>0-5</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/bin/nice -n20 adjkerntz -a</command></item>
<item><minute>1</minute><hour>3</hour><mday>1</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command></item>
<item><minute>*/60</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command></item>
<item><minute>1</minute><hour>1</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command></item>
<item><minute>*/60</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command></item>
<item><minute>*/60</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c</command></item>
<item><minute>*/5</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/local/bin/checkreload.sh</command></item>
<item><minute>*/5</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/etc/ping_hosts.sh</command></item>
<item><minute>*/300</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday><who>root</who><command>/usr/local/sbin/reset_slbd.sh</command></item>
</cron>
Will see if I can figure out how you don't have that.
-
Thank you!
Just added!
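-
Added example, not part of the original thread and not pfSense code: a check for the situation discussed above, where the bogon updater may be scheduled in /etc/crontab, in the cron entries of config.xml, or in neither. The function names, the sample files and the default config.xml path are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not pfSense code): find where the bogon updater is scheduled.
UPDATER='rc.update_bogons.sh'

# Schedule fields of the first uncommented crontab line that runs the updater.
crontab_schedule() {
    [ -r "$1" ] || return 0
    awk -v job="$UPDATER" '
        /^[[:space:]]*#/ { next }
        index($0, job)   { print $1, $2, $3, $4, $5; exit }' "$1"
}

# Schedule of the <item> in config.xml whose <command> runs the updater.
config_schedule() {
    [ -r "$1" ] || return 0
    tr -d '\n' < "$1" | awk -v job="$UPDATER" '
        function field(s, tag) {
            if (!match(s, "<" tag ">[^<]*")) return "?"
            return substr(s, RSTART + length(tag) + 2, RLENGTH - length(tag) - 2)
        }
        {
            n = split($0, item, "<item>")
            for (i = 2; i <= n; i++) if (index(item[i], job)) {
                print field(item[i], "minute"), field(item[i], "hour"),
                      field(item[i], "mday"), field(item[i], "month"), field(item[i], "wday")
                exit
            }
        }'
}

# Args: crontab path, config.xml path (the config.xml default is an assumption).
bogon_job_status() {
    ct=$(crontab_schedule "${1:-/etc/crontab}")
    cf=$(config_schedule "${2:-/conf/config.xml}")
    if   [ -n "$ct" ]; then echo "crontab: $ct"
    elif [ -n "$cf" ]; then echo "config.xml: $cf"
    else echo "missing: bogon list will go stale"; fi
}

# Constructed sample input: empty crontab, updater only in config.xml.
d=$(mktemp -d)
printf 'SHELL=/bin/sh\n#minute hour mday month wday who command\n' > "$d/crontab"
cat > "$d/config.xml" <<'EOF'
<cron><item><minute>1</minute><hour>3</hour><mday>1</mday><month>*</month>
<wday>*</wday><who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command></item></cron>
EOF
bogon_job_status "$d/crontab" "$d/config.xml"
```

A result of "missing" with bogon filtering enabled on the WAN matches the case reported in the thread, where newly allocated address space stays blocked until the list is refreshed.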