From patchwork Sun Jan 21 11:45:49 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7474 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4THs4j1Npsz3wmD for ; Sun, 21 Jan 2024 11:46:13 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4THs4d3xqnz1jC; Sun, 21 Jan 2024 11:46:09 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4THs4d3Qb5z304Y; Sun, 21 Jan 2024 11:46:09 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4THs4W04lVz300V for ; Sun, 21 Jan 2024 11:46:03 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4THs4V5F5Rzmr; Sun, 21 Jan 2024 11:46:02 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1705837562; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=oHyhYA/Vb584DNllzOrD8Es5Qeeh7OyJhMKk9QeSHB0=; b=+9AwZ2ksKgesbweJmpazw1Yutezn2IvHYD9HVLZyE6nixROjPArDSMRH9vXtesSUktdxpj G2BA4pFupsPgAnCg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1705837562; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=oHyhYA/Vb584DNllzOrD8Es5Qeeh7OyJhMKk9QeSHB0=; b=lZ/lO0K4nbOdMu37Dl0L5Muo/Xcd2gsfiKf8wHFrHvA7Rm4XcnVIDWpvLpZwadJfKba5hW b+vhX+N+MM8eZ4ctWOBuuD0+XK2rqkKy0Dvo/iqoZSpn5wDg2Wq6MjhFsEX42VGRPXuVMx BoYREePjixFGzTAx7RDydyaFZwYkyUe3w4CpF+OvmKNQRijIjaLKWYhEytE6qRSpDTjm3e bngCw/aWNzT6Vr9FuByGmYzZJmEU0vUF3uQHQrTEDbzT7uTsGY1P2Igc67XACv6TLR77an xh1LcAG/xWel0nuFQ9J9LzbAMQA2njR05dw3KRjJiV4toiTkwX26r0bTaQ0F6g== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic Date: Sun, 21 Jan 2024 12:45:49 +0100 Message-ID: <20240121114553.5182-3-adolf.belka@ipfire.org> In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org> References: <20240121114553.5182-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: C45SLQK5666B62GTIQON3VH55KCNMHX7 X-Message-ID-Hash: C45SLQK5666B62GTIQON3VH55KCNMHX7 X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - This v3 version now has two if loops allowing logging of incoming drop hostile or outgoing drop hostile or both or neither. - Dependent on the choice in optionsfw.cgi this loop will either log or not log the dropped hostile traffic. Fixes: bug12981 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch --- src/initscripts/system/firewall | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 50f2b3e02..840ae3150 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -176,9 +176,18 @@ iptables_init() { iptables -A FORWARD -j HOSTILE iptables -A OUTPUT -j HOSTILE - iptables -N HOSTILE_DROP - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" + iptables -N HOSTILE_DROP_IN + if [ "$LOGDROPHOSTILEIN" == "on" ]; then + iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE" + + iptables -N HOSTILE_DROP_OUT + if [ "$LOGDROPHOSTILEOUT" == "on" ]; then + iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE" + # IP Address Blocklist chains iptables -N BLOCKLISTIN