Bug 320391 - net-analyzer/p0f: Include improved init.d file
Summary: net-analyzer/p0f: Include improved init.d file
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo Netmon project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-05-18 13:14 UTC by Giampaolo Tomassoni
Modified: 2015-02-26 11:09 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
The fixed and improved p0f init script (p0f, 2.46 KB, text/plain)
2010-05-18 13:17 UTC, Giampaolo Tomassoni
A baselayout-2 p0f init script for net-analyzer/p0f-3.00_rc5 (p0f, 1.88 KB, text/plain)
2012-01-17 13:43 UTC, Giampaolo Tomassoni
A baselayout-2 p0f init script for net-analyzer/p0f-3.00_rc5 - fixed (p0f, 1.95 KB, text/plain)
2012-01-20 09:24 UTC, Giampaolo Tomassoni

Description Giampaolo Tomassoni 2010-05-18 13:14:35 UTC
The /etc/init.d/p0f script from net-analyzer/p0f-2.0.8-r1 borrows a list of bugs and limitations:

1) it can't stop the running p0f service. Worse, it doesn't even detect that a p0f service is already running, such that "/etc/init.d/p0f restart" would easily spawn a new server;

2) p0f logically depends on network interfaces being up, but this isn't stated in any depend() function in the init script itself;

3) the script attempts to build a rule to exclude traffic sourcing from the local interfaces. It uses 'ifconfig' to do so, which unfortunately doesn't report interface aliases;

4) it clearly allows defining a p0f logfile in /etc/conf.d/p0f, while nowadays most of the software using p0f (amavis, spamassassin) doesn't use the logfile anymore, but instead issues p0f queries via a socket interface;

5) it handles the BpfFilter variable in a way which may be unreliable in case it contains two or more rules "OR"ed together;

Reproducible: Always

Steps to Reproduce:
Comment 1 Giampaolo Tomassoni 2010-05-18 13:17:16 UTC
Created attachment 231973
The fixed and improved p0f init script

I'm attaching an updated version of the /etc/init.d/p0f script which fixes these bugs and limitations. It is meant to be compatible with respect to any user-configured value in /etc/conf.d/p0f, but it also allows some more config entries to be defined. These are the recognized variables from /etc/conf.d/p0f:

P0FDEVICE: same meaning as before;

P0FOPTIONS: same meaning as before, but now options "-t" and "-l" are on by default;

P0FLOGFILE: the pathname of the p0f logfile. As previously, it defaults to "/var/log/p0f". Actually, defining it as the null device ("/dev/null") turns logfile output off;

BpfFilter: same meaning as before, but now setting it to "dst port smtp or dst port http" works the way it is meant to;

P0FUSER: (new) the user the p0f daemon should change to (and chroot) after startup. No default (i.e.: the running user);

P0FSOCKET: (new) the socket p0f should create and use to reply to queries from external processes. Defaults to no queries via socket;

P0FSOCKETMODE: (new) the file mode to be enforced on the socket file. Default 0660. Meaningful only when P0FSOCKET is also set. p0f creates a socket with a weird mode of 0777 (which, with default umask, is 0755): execute bits are useless in sockets, and this way the socket doesn't allow non-P0FUSER processes to issue queries, which is a limit in most environments (i.e.: spam detection boxes). Please note that p0f may run in a jail thanks to the P0FUSER setting and that the socket is a query-only interface. There is no evident reason to limit its accessibility;
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2012-01-16 18:01:01 UTC
Can you refresh your work for p0f-3.00_rc5 ?
Comment 3 Giampaolo Tomassoni 2012-01-17 13:43:21 UTC
Created attachment 299151
A baselayout-2 p0f init script for net-analyzer/p0f-3.00_rc5

Here it is. It seems to work to me.

Please note that many p0f runstring options got changed in meaning in ver 3.x, so that one may have to revise the P0FOPTIONS setting in /etc/conf.d/p0f before using this script.

Also, this script implements a work-around for bug#320391 .
Comment 4 Giampaolo Tomassoni 2012-01-17 13:45:19 UTC
... which is bug#399165 actually...
Comment 5 Giampaolo Tomassoni 2012-01-20 09:24:30 UTC
Created attachment 299363
A baselayout-2 p0f init script for net-analyzer/p0f-3.00_rc5 - fixed

This is a new version of the script, which fixes a small bug in handling P0FOPTIONS and attempts to be less bash-dependent.
Comment 6 Marcin Mirosław 2015-02-26 11:09:37 UTC
Hi,
I found some issues in this script. First issue is the location of `ip`, now it is in /bin. Second issue is wrong handling of tun interfaces, I'm getting filter string:

host not ( 127.0.0.1 or 81.4.0.0 or 81.1.0.0 or 10.254.248.1 or peer or 10.254.248.2 or 10.10.0.1 or peer or 10.10.0.2 )

As for now I didn't find a working solution.
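The two problems raised in this thread, building the local-address exclusion from interface output (issue 3 of the report, and the stray "peer" tokens in the filter string above) and keeping an OR'ed BpfFilter intact (issue 5), come down to how the filter string is assembled. The following is an added example written for this page; it is not the attached init script, whose internals are not shown here. It assumes the exclusion list is derived from `ip -4 -o addr show` output, parses that output by keyword rather than by field position so a point-to-point line (`inet A peer B/32`) yields only the local address, locates `ip` with `command -v` instead of a hard-coded path, and parenthesises the user filter before AND-ing it with the exclusion. The sample `ip` output and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not the init script from this bug. Builds a pcap filter
# that excludes traffic from every local IPv4 address (aliases included)
# and ANDs it with a user-supplied BpfFilter without changing its meaning.

# Constructed sample of `ip -4 -o addr show` output. The tun0 line is the
# point-to-point form in which a positional parser picks up the word "peer".
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:1\       valid_lft forever preferred_lft forever
5: tun0    inet 10.254.248.1 peer 10.254.248.2/32 scope global tun0\       valid_lft forever preferred_lft forever'

# Locate ip(8) wherever the distribution installed it (/sbin, /bin, ...).
IP_BIN=$(command -v ip 2>/dev/null || echo ip)

# Read `ip -o addr` lines on stdin and print one local IPv4 address per
# line. Only the value following the "inet" keyword is taken, so the remote
# end after "peer" on tun/ppp lines is skipped and aliases (secondary
# addresses) are included. Duplicates are dropped.
local_ipv4_addrs() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "inet") {
                a = $(i + 1); sub(/\/.*/, "", a)
                if (!(a in seen)) { seen[a] = 1; print a }
            }
        }
    }'
}

# $1: user BpfFilter (may be empty or contain several rules OR-ed together).
# stdin: `ip -o addr` output. Prints the final pcap filter expression.
build_p0f_filter() {
    hosts=""
    for a in $(local_ipv4_addrs); do
        hosts="${hosts:+$hosts or }host $a"
    done
    exclude="not ($hosts)"
    if [ -n "$1" ]; then
        # Parentheses keep "dst port smtp or dst port http" as one unit;
        # without them the "and not (...)" would bind only to the last rule.
        printf '(%s) and %s\n' "$1" "$exclude"
    else
        printf '%s\n' "$exclude"
    fi
}

# Stand-alone demonstration on the constructed sample (a real run would use
# "$IP_BIN" -4 -o addr show | build_p0f_filter "$BpfFilter").
printf '%s\n' "$SAMPLE_IP_ADDR" | build_p0f_filter "dst port smtp or dst port http"
```

Run with the real interface list via `"$IP_BIN" -4 -o addr show | build_p0f_filter "$BpfFilter"`. Excluding only the `inet` address and not the `peer` address is deliberate: the peer is the remote end of the tunnel, which is exactly the kind of host p0f is meant to fingerprint.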