From patchwork Tue Apr 28 11:10:15 2020
X-Patchwork-Submitter: Michael Tremer
X-Patchwork-Id: 3019
From: Michael Tremer
To: development@lists.ipfire.org
Subject: [PATCH] firewall: Log accepted connections even when NAT is active
Date: Tue, 28 Apr 2020 12:10:15 +0100
Message-Id: <20200428111015.327-1-michael.tremer@ipfire.org>
Cc: Michael Tremer

Signed-off-by: Michael Tremer
---
 config/firewall/rules.pl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 6129af861..387a8f92b 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -511,7 +511,7 @@ sub buildrules { push(@options, @destination_options); # Insert firewall rule. - if ($LOG && !$NAT) { + if ($LOG) { run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '"); } run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options -j $target"); @@ -522,7 +522,7 @@ sub buildrules { # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access # for the firewall, too. if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) { - if ($LOG && !$NAT) { + if ($LOG) { run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '"); } run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target"); @@ -530,7 +530,7 @@ sub buildrules { # Likewise. if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) { - if ($LOG && !$NAT) { + if ($LOG) { run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '"); } run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
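Review bot: The commit message gives no reason why the `!$NAT` exclusion existed in the first hunk (`- if ($LOG && !$NAT) {`) or why dropping it is safe now; a line or two on what suppressing logs for NAT'd rules was meant to avoid (duplicate entries from the NAT rule, log volume) would help anyone reading the history. Two points a reader can infer from the hunk are worth stating outright: the LOG rule keeps `@log_limit_options`, so the rate limit also covers the newly logged NAT traffic, and it is emitted in front of `-j $target` whatever the target is, so the rule logs whichever action the rule takes rather than only accepted connections as the subject line suggests.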
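Review bot: The second hunk (`@@ -522,7`) repeats the `!$NAT` removal for the `$CHAIN_INPUT` rule that is added when the firewall itself is in the destination subnet; if `$NAT` is no longer read anywhere else in `buildrules` once these three hunks are applied, the variable and whatever sets it should go in the same patch so it does not linger as dead state. It would also be worth a sentence in the commit message that rules matching NAT'd traffic can now produce entries under the `'$CHAIN_INPUT '` prefix as well as `'$chain '`, so people filtering firewall logs by prefix know to expect both.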
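Review bot: In the third hunk (`@@ -530,7`) the `if ($LOG)` block is now identical to the two above apart from the chain and interface options, so the LOG rule construction (`@log_limit_options -j LOG --log-prefix '... '`) is spelled out three times; a small helper taking the chain and option list would stop the three call sites from drifting apart, which is exactly what happened with the `!$NAT` condition. Style only, not blocking.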