(已解决，漏写ipfw路径)我漏掉了什么：导致Py防火墙脚本在crontab中得不到正确结果？

ljwsy

环境

fb# uname -a
FreeBSD fb.ljzx.gx.cn 7.2-RELEASE FreeBSD 7.2-RELEASE #1: Thu May 21 16:52:12 CST 2009     www@fb.xxxx.yyyy.xxx:/usr/obj/usr/src/sys/FB  i386
fb# pkg_info | grep python
python25-2.5.4      An interpreted object-oriented programming language
python26-2.6.1      An interpreted object-oriented programming language
python30-3.0        An interpreted object-oriented programming language
fb# pkg_info | grep MySQL
freeradius-mysql-1.1.7_3 A free RADIUS server implementation with MySQL support
phpMyAdmin-3.1.2    A set of PHP-scripts to manage MySQL over the web
py25-MySQLdb-1.2.2  Access a MySQL database through Python
fb# python -V
Python 2.5.4
fb# crontab -l
...
* * * * * /root/python/sshipfw.py

Py防火墙脚本

1. #!/usr/local/bin/python
   
2. import MySQLdb
   
3. import datetime
   
4. import commands
   
5. 
   
6. log=open('/var/log/sshdipfw.log','a')
   
7. #脚本日志
   
8. ...
   
9. #/var/log/auth.log入mysql库代码，主要记录：时间、IP、登陆关键字及其他辅助字段
   
10. ...
    
11. splittime=[(2,1,10),(5,1,10),(10,1,10),(30,2,10),(60,2,20),(120,2,20),(720,4,20),(1440,4,20),(2880,4,20),(7200,8,20),(21600,16,20)]
    
12. #策略定义 [(minute,times,limit)...]，在minute分钟内有times个记录则该IP被认为是“黑名单”（经过去重），每个策略只提取不多于limit个记录，以防止防火墙规则表过大
    
13. 
    
14. done=['60.29.0.22', '221.238.132.123', '220.165.5.7', '218.26.114.75', '124.219.23.68', '122.226.122.250', '122.226.146.166', '122.226.34.150', '61.152.188.85', '110.76.38.87', '60.195.252.242', '222.221.2.210', '221.182.2.16', '221.236.10.76', '220.182.50.83', '220.85.73.53', '200.107.9.140', '114.255.122.10']
    
15. #done[]是从库中提出的“黑名单”，上面是我提取到的实时IP
    
16. 
    
17. a=[
    
18. 'ipfw -q -f flush',
    
19. 'ipfw -q add 100 allow ip from any to any via lo0',
    
20. 'ipfw -q add 400 deny ip from any to ::1',
    
21. 'ipfw -q add 500 deny ip from ::1 to any',
    
22. 'ipfw -q add 600 allow ipv6-icmp from :: to ff02::/16',
    
23. 'ipfw -q add 700 allow ipv6-icmp from fe80::/10 to fe80::/10',
    
24. 'ipfw -q add 800 allow ipv6-icmp from fe80::/10 to ff02::/16',
    
25. 'ipfw -q add 900 allow ipv6-icmp from any to any ip6 icmp6types 1',
    
26. 'ipfw -q add 1000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136',
    
27. 'ipfw -q add 65000 allow ip from any to any'
    
28. ]
    
29. #常规规则
    
30. 
    
31. for sql in a :
    
32.         (t,tmp)=commands.getstatusoutput(sql)
    
33.         if t<0 : print >> log,"%s ipfw RUN error(%s): %s" % ( datetime.datetime.now(),t,sql)
    
34. #       print >> log,"(%s) %s" % (t,sql)
    
35. sql=1
    
36. for line in done :
    
37.         a="ipfw -q add %d deny log ip from %s to 10.0.0.251 22" % (10000+sql*10,line)
    
38.         (t,tmp)=commands.getstatusoutput(a)
    
39.         if t<0 :
    
40.                 print >> log,"%s ipfw RUN error(%s): %s" % ( datetime.datetime.now(),t,a)
    
41.         else :
    
42.                 sql+=1
    
43.        print >> log,"(%s) %s" % (t,a)
    
44. print >> log,"%s Total ipfw: %s" % (datetime.datetime.now(),sql-1)
    

复制代码

结果

fb# date && tail -1 /var/log/sshdipfw.log
Mon May 21 09:39:02 CST 2012
2012-05-21 09:39:00.998383 Total ipfw: 18

上面是当前时间及脚本日志输出。下面是防火墙，是空的，没有效果：

fb# ipfw list
65535 allow ip from any to any

然而在终端上直接运行脚本则完全正常：

fb# date && ipfw list && ./sshipfw.py && ipfw list
Mon May 21 09:41:46 CST 2012
65535 allow ip from any to any
00100 allow ip from any to any via lo0
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
10010 deny log logamount 100 ip from 60.29.0.22 to 10.0.0.251 dst-port 22
10020 deny log logamount 100 ip from 221.238.132.123 to 10.0.0.251 dst-port 22
10030 deny log logamount 100 ip from 220.165.5.7 to 10.0.0.251 dst-port 22
10040 deny log logamount 100 ip from 218.26.114.75 to 10.0.0.251 dst-port 22
10050 deny log logamount 100 ip from 124.219.23.68 to 10.0.0.251 dst-port 22
10060 deny log logamount 100 ip from 122.226.122.250 to 10.0.0.251 dst-port 22
10070 deny log logamount 100 ip from 122.226.146.166 to 10.0.0.251 dst-port 22
10080 deny log logamount 100 ip from 122.226.34.150 to 10.0.0.251 dst-port 22
10090 deny log logamount 100 ip from 61.152.188.85 to 10.0.0.251 dst-port 22
10100 deny log logamount 100 ip from 110.76.38.87 to 10.0.0.251 dst-port 22
10110 deny log logamount 100 ip from 60.195.252.242 to 10.0.0.251 dst-port 22
10120 deny log logamount 100 ip from 222.221.2.210 to 10.0.0.251 dst-port 22
10130 deny log logamount 100 ip from 221.182.2.16 to 10.0.0.251 dst-port 22
10140 deny log logamount 100 ip from 221.236.10.76 to 10.0.0.251 dst-port 22
10150 deny log logamount 100 ip from 220.182.50.83 to 10.0.0.251 dst-port 22
10160 deny log logamount 100 ip from 220.85.73.53 to 10.0.0.251 dst-port 22
10170 deny log logamount 100 ip from 200.107.9.140 to 10.0.0.251 dst-port 22
10180 deny log logamount 100 ip from 114.255.122.10 to 10.0.0.251 dst-port 22
65000 allow ip from any to any
65535 allow ip from any to any
fb#

我漏掉了什么？

请达人给个方向，非常感谢你的围观和指点。

ljwsy

我真的是漏掉什么关键的东西了，这一定是与crontab有关，与Py无关。

我在Py中生成ipfw.sh的shell脚本，并赋予可执行属性，在crontab中每两分钟运行一次，晕，也是不出想要的结果，ipfw规则表还是空的，但在控制台中运行ipfw.sh又正常。

ljwsy

晕，只检查ipfw的返回值，没看返回提示，返回提示明确说：ipfw: not found

哈哈，加上ipfw命令的绝对路径就OK了。

真晕！！！

fender0107401

问题描述的很好。 :wink:

ljwsy

         阴沟翻船！

lsstarboy

FreeBSD的cron这点确实不好，为什么必须写绝对路径？在PATH里搜一下不就得了？反正cron也是按用户的。

ljwsy

已成能用的脚本，欢迎围观：http://bbs.chinaunix.net/thread-3749217-1-1.html