[2/3] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
Message ID | 20231226194624.3273192-2-adolf.belka@ipfire.org
---|---
State | Superseded
Headers | From: Adolf Belka <adolf.belka@ipfire.org>; To: development@lists.ipfire.org; Subject: [PATCH 2/3] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic; Date: Tue, 26 Dec 2023 20:46:23 +0100; Message-ID: <20231226194624.3273192-2-adolf.belka@ipfire.org>; In-Reply-To: <20231226194624.3273192-1-adolf.belka@ipfire.org>; List-Id: IPFire development talk <development.lists.ipfire.org>; Archived-At: <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/2JBKDMLZSUN6PVMYFHAQX6PLZRDB3MBT/>
Series | [1/3] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
Commit Message
Adolf Belka
Dec. 26, 2023, 7:46 p.m. UTC
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the dropped hostile traffic.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 src/initscripts/system/firewall | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
Comments
Hi Matthias,

On 27/12/2023 02:21, Matthias Fischer wrote:
> Hi Adolf,
>
> I tested and I'd suggest to place the if-loop a few lines higher - under
> the 'Firewall logging'-section.
>
> I inserted your code at line ~289ff, right under DROPSPOOFEDMARTIAN.
>
> And now it looks as in the screenshot.

I did that location in my first patch build. I changed it to the one I submitted as this log selection is tied to the only firewall command that can be turned on or off for the drop. So I thought it made more sense to be directly linked with the drop hostile selection command. However, I am happy in either case.

During the night I thought that maybe the log selection should be greyed out if the drop hostile was set to off, as there is no point in trying to log or not log a command that is not doing any dropping.

Then this morning I thought maybe this drop hostile command has been around now for long enough that we don't need to have it turned off by default for updates. Maybe this command should, like for example DROP CTINVALID etc., occur by default. In that case the selection of DROP_HOSTILE would no longer occur and the LOG_DROP_HOSTILE could then go with the other logging decision options.

I will put this question into the next video conf call on 8th January.

Regards,
Adolf.

> jm2c ;-)
>
> Best,
> Matthias
>
> On 26.12.2023 20:46, Adolf Belka wrote:
>> - Dependent on the choice in optionsfw.cgi this loop will either log or not log the
>> dropped hostile traffic.
>>
>> Fixes: bug12981
>> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
>> ---
>> src/initscripts/system/firewall | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 50f2b3e02..352ae2496 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -177,7 +177,9 @@ iptables_init() { >> iptables -A OUTPUT -j HOSTILE >> >> iptables -N HOSTILE_DROP >> - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " >> + if [ "$LOGDROPHOSTILE" == "on" ]; then >> + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " >> + fi >> iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" >> >> # IP Address Blocklist chains
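Review bot: `[ "$LOGDROPHOSTILE" == "on" ]` in the added `if` uses the bash extension `==` inside single brackets; under a strict POSIX sh that test aborts with an "unexpected operator" error and the LOG rule is never installed, so the drop would go unlogged even with the option on. `=` (`if [ "$LOGDROPHOSTILE" = "on" ]; then`) is portable and behaves identically in bash; if the rest of this initscript already uses `==` for its other `on`/`off` checks, keeping it is consistent, but that should be the deliberate choice rather than an accident. A smaller point: the subject and commit message call this an "if loop", but it is a plain conditional around one rule, and "check" or "conditional" would read more accurately in the log.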
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 50f2b3e02..352ae2496 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -177,7 +177,9 @@ iptables_init() { iptables -A OUTPUT -j HOSTILE iptables -N HOSTILE_DROP - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + if [ "$LOGDROPHOSTILE" == "on" ]; then + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + fi iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" # IP Address Blocklist chains
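Review bot: the new condition silently changes the default for any system whose settings do not contain LOGDROPHOSTILE at all. Before this hunk the HOSTILE_DROP chain always logged (rate-limited to 10/second) before dropping; after it, logging happens only when the variable is exactly "on", so an install updated without the new key, or one where optionsfw.cgi was never re-saved, stops logging hostile drops with no visible change elsewhere. Either give the variable a default before the test, e.g. `: "${LOGDROPHOSTILE:=on}"` ahead of the `if`, or make sure the update script and the optionsfw defaults write LOGDROPHOSTILE=on, and state in the commit message which of the two preserves the old behaviour. The hunk also does not show where LOGDROPHOSTILE is read in; it has to match the key that patch 1/3 writes from optionsfw.cgi character for character, so that is worth confirming across the two patches before merging.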