1.2.1 upgrade resulted in outdated bogon list.



  • I updated a 1.2 system to 1.2.1 and shortly after found a client could not connect to us. I started digging around and found they were getting blocked by the bogon filter on the WAN. They were on a recently allocated block, 173.0.0.0/8. I never had a problem when running the 1.2 system, as it was regularly updating the bogons, but the upgrade put in an old version. Manually kicking the bogon updater resulted in one add and eleven deletes.
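The failure described in this post, as an added example that is not code from the thread or from the pfSense project: it shows how a stale bogon table catches a client on a newly allocated block such as 173.0.0.0/8, and how the "added/deleted" counts the updater logs come out of diffing the old list against the new one. Both bogon lists, the client address and the function names are constructed for the example; real pfSense bogon files are one CIDR per line, which is the only format assumption made here.

```python
"""Stale bogon list check.

Added example, not code from the pfSense thread or project. The two
bogon lists are constructed samples in the one-prefix-per-line format
that pfSense's bogon files use."""
import ipaddress
from typing import Iterable, List, Optional, Set, Tuple

IPNet = ipaddress.IPv4Network

# Constructed "stale" list: still carries 173.0.0.0/8 after its allocation.
OLD_BOGONS = """\
# constructed sample, one CIDR per line
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
173.0.0.0/8
192.168.0.0/16
224.0.0.0/3
"""

# Constructed "current" list: 173.0.0.0/8 removed, one benchmarking block added.
NEW_BOGONS = """\
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
198.18.0.0/15
224.0.0.0/3
"""


def parse_bogons(text: str) -> List[IPNet]:
    """One prefix per line; blank lines and '#' comments are ignored.
    strict=False tolerates an entry with host bits set."""
    nets: List[IPNet] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def blocking_prefix(addr: str, bogons: Iterable[IPNet]) -> Optional[IPNet]:
    """Return the bogon prefix that would drop addr on the WAN, or None if it passes."""
    ip = ipaddress.ip_address(addr)
    for net in bogons:
        if ip in net:
            return net
    return None


def diff_bogons(old: Iterable[IPNet], new: Iterable[IPNet]) -> Tuple[Set[IPNet], Set[IPNet]]:
    """(added, deleted): the counts the updater reports after replacing old with new."""
    old_set, new_set = set(old), set(new)
    return new_set - old_set, old_set - new_set


if __name__ == "__main__":
    client = "173.5.6.7"  # hypothetical client inside the new allocation
    stale, current = parse_bogons(OLD_BOGONS), parse_bogons(NEW_BOGONS)
    print("stale list blocks", client, "via", blocking_prefix(client, stale))
    print("current list blocks", client, "via", blocking_prefix(client, current))
    added, deleted = diff_bogons(stale, current)
    print(f"Bogons file downloaded: {len(added)} addresses added.")
    print(f"{len(deleted)} addresses deleted.")
```

On the firewall itself the equivalent live check is `pfctl -t bogons -T test <address>`, which reports whether the address matches the loaded bogons table; if a legitimate client matches, the table is stale and the updater needs to run before anything else is debugged.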



  • Where can we start the bogon updater manually?



  • You can find the source of the updater in /etc/crontab



  • Really?

    Which of those lines does it?  ;-)

    *      root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 ssh
    *      root    /etc/pppoerestart
    *      root    /usr/local/sbin/squid -k rotate
    *      root    /usr/bin/perl /usr/local/www/lightsquid/lightparser.pl today



  • Looks like you are missing some entries.  Here is my /etc/crontab:

    $ cat /etc/crontab
    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
    HOME=/var/log
    #minute hour    mday    month  wday    who      command
    #
    # pfSense specific crontab entries
    # Created: December 26, 2008, 6:38 pm
    #
    0 * * * * root /usr/bin/nice -n20 newsyslog
    1,31 0-5 * * * root /usr/bin/nice -n20 adjkerntz -a
    1 3 1 * * root /usr/bin/nice -n20 /etc/rc.update_bogons.sh
    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
    1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update

    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot

    */60 * * * * root /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c

    */5 * * * * root /usr/local/bin/checkreload.sh
    */5 * * * * root /etc/ping_hosts.sh
    */140 * * * * root /usr/local/sbin/reset_slbd.sh
    #
    # If possible do not add items to this file manually.
    # If you do so, this file must be terminated with a blank line (e.g. new line)



  • I copied /etc/rc.update_bogons.sh to a temporary script, removed the sleep and ran it.



  • Thanks!

    Dec 30 12:04:50 root: 11 addresses deleted.
    Dec 30 12:04:50 root: Bogons file downloaded: 1 addresses added.
    Dec 30 12:04:48 root: rc.get_bogons.sh is beginning the update cycle.
    Dec 30 12:04:48 root: rc.get_bogons.sh is starting up.

    Actually, I seem to be missing some cron jobs on all the machines I updated from 1.2rel or 1.2.1RCs.
    Could be an update glitch?  Scott? ;-)

    Time for a fresh install…



  • Updating from 1.2.1 (with updated bogon list) to 1.2.2 resulted in the same problem with old bogons. Just an FYI.



  • I updated it in CVS a few days ago.  Existing installs will always update to the latest on the first of every month, or you can run it manually to update right away.



  • If you don't have the update in /etc/crontab, it's because it's in the cron entries in your config.xml. Newer installs won't have it in /etc/crontab but older ones will. It works the same either way.



  • I've a 1.2.2 version.

    My /etc/crontab is empty:

    SHELL=/bin/sh
    PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
    HOME=/var/log
    #minute hour    mday    month   wday    who      command
    #
    
    

    and I couldn't find any cron entry in config.xml

    I need a fresh install?



  • @Emab:

    and I couldn't find any cron entry in config.xml

    I need a fresh install?

    Shouldn't. You sure there isn't anything in your config like this:

    <cron>
      <item>
        <minute>0</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 newsyslog</command>
      </item>
    </cron>

    That came from a years-old install upgraded to 1.2.2.



  • @cmb:

    Shouldn't. You sure there isn't anything in your config like this:

    <cron>
      <item>
        <minute>0</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 newsyslog</command>
      </item>
    </cron>

    That came from a years-old install upgraded to 1.2.2.

    No, it isn't.

    I've only

    For example, I have bogon filtering activated, but the script to update them appears neither in cron nor in config.xml.
    What can I do?



  • Backup your config, open it in a text editor and replace <cron> with this:

    <cron>
      <item>
        <minute>0</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 newsyslog</command>
      </item>
      <item>
        <minute>1,31</minute>
        <hour>0-5</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 adjkerntz -a</command>
      </item>
      <item>
        <minute>1</minute>
        <hour>3</hour>
        <mday>1</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
      </item>
      <item>
        <minute>*/60</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
      </item>
      <item>
        <minute>1</minute>
        <hour>1</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
      </item>
      <item>
        <minute>*/60</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
      </item>
      <item>
        <minute>*/60</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c</command>
      </item>
      <item>
        <minute>*/5</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/local/bin/checkreload.sh</command>
      </item>
      <item>
        <minute>*/5</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/etc/ping_hosts.sh</command>
      </item>
      <item>
        <minute>*/300</minute>
        <hour>*</hour>
        <mday>*</mday>
        <month>*</month>
        <wday>*</wday>
        <who>root</who>
        <command>/usr/local/sbin/reset_slbd.sh</command>
      </item>
    </cron>

    Will see if I can figure out how you don't have that.
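The two points made above, that on upgraded installs the cron jobs live in the <cron> section of config.xml rather than in /etc/crontab, and that the fix for a missing bogon updater is to put the item back into that section, as an added example that is not code from the thread or from the pfSense project. It parses a config.xml fragment, reports whether the monthly /etc/rc.update_bogons.sh job is present, appends it if not, and renders the items as /etc/crontab lines so the result can be compared against the crontab posted earlier in the thread. The config fragment is constructed for the example; the assumption it rests on is that each job is a <cron><item> with minute/hour/mday/month/wday/who/command children, as in the snippet above.

```python
"""Check and repair the bogon-update cron item in a pfSense config.xml.

Added example, not pfSense code. Assumes the <cron><item> layout shown in
the thread; the config fragment below is constructed with the job missing."""
import xml.etree.ElementTree as ET
from typing import Dict, List

FIELDS = ("minute", "hour", "mday", "month", "wday", "who", "command")
BOGON_SCRIPT = "/etc/rc.update_bogons.sh"

# Constructed config: newsyslog and checkreload present, bogon updater absent.
CONFIG_XML = """<?xml version="1.0"?>
<pfsense>
  <cron>
    <item>
      <minute>0</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who><command>/usr/bin/nice -n20 newsyslog</command>
    </item>
    <item>
      <minute>*/5</minute><hour>*</hour><mday>*</mday><month>*</month><wday>*</wday>
      <who>root</who><command>/usr/local/bin/checkreload.sh</command>
    </item>
  </cron>
</pfsense>
"""

# The job exactly as the posted crontab schedules it: 03:01 on the 1st of each month.
BOGON_ITEM: Dict[str, str] = dict(minute="1", hour="3", mday="1", month="*", wday="*",
                                  who="root", command=f"/usr/bin/nice -n20 {BOGON_SCRIPT}")


def cron_items(xml_text: str) -> List[Dict[str, str]]:
    """Return every <cron><item> as a dict keyed by the crontab field names."""
    root = ET.fromstring(xml_text)
    return [{f: (item.findtext(f) or "").strip() for f in FIELDS}
            for item in root.findall("./cron/item")]


def has_bogon_updater(items: List[Dict[str, str]]) -> bool:
    """True if any item runs the bogon update script (regardless of nice wrapper)."""
    return any(BOGON_SCRIPT in it["command"] for it in items)


def add_bogon_updater(items: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the item list with the bogon job appended; unchanged if already present."""
    if has_bogon_updater(items):
        return items
    return items + [dict(BOGON_ITEM)]


def render_crontab(items: List[Dict[str, str]]) -> str:
    """Render items as /etc/crontab lines; the posted file insists on a trailing newline."""
    return "\n".join(" ".join(it[f] for f in FIELDS) for it in items) + "\n"


def patch_config(xml_text: str) -> str:
    """Return the config text with the bogon item inserted into <cron> if it is missing."""
    root = ET.fromstring(xml_text)
    cron = root.find("cron")
    if cron is None:
        cron = ET.SubElement(root, "cron")
    if not has_bogon_updater(cron_items(xml_text)):
        item = ET.SubElement(cron, "item")
        for field, value in BOGON_ITEM.items():
            ET.SubElement(item, field).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    items = cron_items(CONFIG_XML)
    print("bogon updater present:", has_bogon_updater(items))
    print(render_crontab(add_bogon_updater(items)))
```

Editing config.xml by hand is what the post suggests, but the same check can be run against a backup before and after the edit: if has_bogon_updater() is still false, the item did not land inside <cron> and the firewall will keep the bogon table it shipped with until the next manual run.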



  • Thank you!
    Just added!

