[v3,1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic

Message ID 20240121114553.5182-1-adolf.belka@ipfire.org
State Staged
Commit 89645d1bbfbb26bdf0351fe01b69978f73fc0074

Commit Message

Adolf Belka Jan. 21, 2024, 11:45 a.m. UTC
- This v3 version has split the logging choice for drop hostile to separate the logging of
   incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway.
   However the logs were being swamped by the logging of drop hostile making analysis
   difficult. So incoming drop hostile was desired to not be logged. However logging of
   outgoing drop hostile was desired to identify if clients on the internal lan were
   infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be
   logged or not.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
  

Comments

Bernhard Bitsch Jan. 22, 2024, 1:43 p.m. UTC | #1
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>


On 21.01.2024 at 12:45, Adolf Belka wrote:
> - This v3 version has split the logging choice for drop hostile to separate the logging of
>     incoming drop hostile and outgoing drop hostile.
> - The bug originator had no port forwards so all hostile would be dropped normally anyway.
>     However the logs were being swamped by the logging of drop hostile making analysis
>     difficult. So incoming drop hostile was desired to not be logged. However logging of
>     outgoing drop hostile was desired to identify if clients on the internal lan were
>     infected with malware trying to reach home.
> - Added option with drop hostile section to decide if the dropped traffic should be
>     logged or not.
> 
> Fixes: bug12981
> Tested-by: Adolf Belka <adolf.belka@ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++
>   1 file changed, 26 insertions(+)
> 
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index fbff67b2f..52ac1b01e 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
>   if (!$settings{'DROPHOSTILE'}) {
>   	$settings{'DROPHOSTILE'} = 'off';
>   }
> +if (!$settings{'LOGDROPHOSTILEIN'}) {
> +	$settings{'LOGDROPHOSTILEIN'} = 'on';
> +}
> +if (!$settings{'LOGDROPHOSTILEOUT'}) {
> +	$settings{'LOGDROPHOSTILEOUT'} = 'on';
> +}
>   if (!$settings{'LOGDROPCTINVALID'}) {
>   	$settings{'LOGDROPCTINVALID'} = 'on';
>   }
> @@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
>   $checked{'DROPHOSTILE'}{'off'} = '';
>   $checked{'DROPHOSTILE'}{'on'} = '';
>   $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
> +$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
> +$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
> +$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
> +$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
> +$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
> +$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
>   $checked{'LOGDROPCTINVALID'}{'off'} = '';
>   $checked{'LOGDROPCTINVALID'}{'on'} = '';
>   $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
> @@ -279,6 +291,20 @@ END
>   			<input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
>   		</td>
>   	</tr>
> +	<tr>
> +		<td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
> +		<td align='left'>
> +			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
> +			<input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
> +		</td>
> +	</tr>
> +	<tr>
> +		<td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
> +		<td align='left'>
> +			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
> +			<input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
> +		</td>
> +	</tr>
>   </table>
>   <br/>
>
  

Patch

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..52ac1b01e 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,12 @@  if (!$settings{'DROPSPOOFEDMARTIAN'}) {
 if (!$settings{'DROPHOSTILE'}) {
 	$settings{'DROPHOSTILE'} = 'off';
 }
+if (!$settings{'LOGDROPHOSTILEIN'}) {
+	$settings{'LOGDROPHOSTILEIN'} = 'on';
+}
+if (!$settings{'LOGDROPHOSTILEOUT'}) {
+	$settings{'LOGDROPHOSTILEOUT'} = 'on';
+}
 if (!$settings{'LOGDROPCTINVALID'}) {
 	$settings{'LOGDROPCTINVALID'} = 'on';
 }
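
Review bot: the two added fallbacks (`$settings{'LOGDROPHOSTILEIN'} = 'on';` and the matching LOGDROPHOSTILEOUT line) take effect only while optionsfw.cgi is running, so on an upgraded system where this page has never been re-saved the keys are still absent for anything else that reads the settings. Defaulting to 'on' keeps the logging that existed before the option was introduced, which is the safe direction, but the part of the series that turns these settings into firewall rules should treat a missing key as 'on' as well; otherwise outgoing hostile drops, the ones the commit message wants kept for spotting infected clients, could go unlogged after an update. A one-line comment above the two blocks stating that the default preserves the previous behaviour would also help the next reader.
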
@@ -125,6 +131,12 @@  $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
+$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
+$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
 $checked{'LOGDROPCTINVALID'}{'off'} = '';
 $checked{'LOGDROPCTINVALID'}{'on'} = '';
 $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
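
Review bot: in the third added line of each group, `$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";`, the stored value is used as a hash key without first confirming it is exactly 'on' or 'off'. If the settings hold anything else (different case, stray whitespace, a hand-edited value), a third key is created, neither radio button is pre-selected, and the page gives no indication of which logging state is in effect. This mirrors the existing DROPHOSTILE and LOGDROPCTINVALID lines, so it is consistent with the file, but normalising the two new values to 'on' or 'off' where the defaults are applied would make the display reliable for a setting that decides whether security events are logged.
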
@@ -279,6 +291,20 @@  END
 			<input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
 		</td>
 	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
 </table>
 <br/>
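
Review bot: the two new table rows take their labels from `$Lang::tr{'log drop hostile in'}` and `$Lang::tr{'log drop hostile out'}`, while the diffstat shows this patch changing only html/cgi-bin/optionsfw.cgi, so both translation keys have to be supplied by another patch in the series. Applied on its own, this hunk would render two pairs of radio buttons with empty label cells, leaving the administrator unable to tell which pair controls incoming and which controls outgoing logging. Please confirm the language-file patch lands no later than this one, or fold the English strings into this patch.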