From patchwork Sun Jan 21 11:45:47 2024
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7473
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
Date: Sun, 21 Jan 2024 12:45:47 +0100
Message-ID: <20240121114553.5182-1-adolf.belka@ipfire.org>

- This v3 version has split the logging choice for drop hostile to separate the logging of incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards, so all hostile traffic would be dropped normally anyway. However, the logs were being swamped by the logging of drop hostile, making analysis difficult. So incoming drop hostile was desired to not be logged. However, logging of outgoing drop hostile was desired to identify if clients on the internal LAN were infected with malware trying to reach home.
- Added option within the drop hostile section to decide if the dropped traffic should be logged or not.

Fixes: bug12981
Tested-by: Adolf Belka
Reviewed-by: Bernhard Bitsch
Tested-by: Bernhard Bitsch
---
 html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..52ac1b01e 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) { if (!$settings{'DROPHOSTILE'}) { $settings{'DROPHOSTILE'} = 'off'; } +if (!$settings{'LOGDROPHOSTILEIN'}) { + $settings{'LOGDROPHOSTILEIN'} = 'on'; +} +if (!$settings{'LOGDROPHOSTILEOUT'}) { + $settings{'LOGDROPHOSTILEOUT'} = 'on'; +} if (!$settings{'LOGDROPCTINVALID'}) { $settings{'LOGDROPCTINVALID'} = 'on'; } @@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec $checked{'DROPHOSTILE'}{'off'} = ''; $checked{'DROPHOSTILE'}{'on'} = ''; $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'"; +$checked{'LOGDROPHOSTILEIN'}{'off'} = ''; +$checked{'LOGDROPHOSTILEIN'}{'on'} = ''; +$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'"; +$checked{'LOGDROPHOSTILEOUT'}{'off'} = ''; +$checked{'LOGDROPHOSTILEOUT'}{'on'} = ''; +$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'"; $checked{'LOGDROPCTINVALID'}{'off'} = ''; $checked{'LOGDROPCTINVALID'}{'on'} = ''; $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'"; @@ -279,6 +291,20 @@ END $Lang::tr{'off'} + + $Lang::tr{'log drop hostile in'} + + $Lang::tr{'on'} / + $Lang::tr{'off'} + + + + $Lang::tr{'log drop hostile out'} + + $Lang::tr{'on'} / + $Lang::tr{'off'} + +
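Review bot: the 'on' defaults for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT in the first hunk exist only inside this CGI's %settings, so whatever consumes these keys must apply the same fallback; otherwise an upgraded installation whose settings file does not yet contain them gets a different, non-logging behaviour until the firewall options page is saved once. Defaulting to 'on' here is the right choice, since it matches the pre-patch behaviour where HOSTILE_DROP always logged. Separately, the commit trailers carry Tested-by and Reviewed-by but no Signed-off-by from the author, unlike 2/7 and 3/7 in this series.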
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
Date: Sun, 21 Jan 2024 12:45:48 +0100
Message-ID: <20240121114553.5182-2-adolf.belka@ipfire.org>
In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org>
References: <20240121114553.5182-1-adolf.belka@ipfire.org>

- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and HOSTILE_DROP_OUT for outgoing traffic, enabling logging decisions to be taken on each independently.

Fixes: bug12981
Signed-off-by: Adolf Belka
Reviewed-by: Bernhard Bitsch
Acked-by: Bernhard Bitsch
---
 config/firewall/rules.pl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 7edb910e2..a47c260a1 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by #
@@ -726,8 +726,8 @@ sub drop_hostile_networks () { &ipset_restore($HOSTILE_CCODE); # Check traffic in incoming/outgoing direction and drop if it matches - run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP"); - run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP"); + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN"); + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT"); } sub ipblocklist () {
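Review bot: in the drop_hostile_networks hunk, the two rules now jump to HOSTILE_DROP_IN and HOSTILE_DROP_OUT, chains that this file does not create; if rules.pl runs against a firewall initscript that still only creates HOSTILE_DROP, both iptables calls fail with a nonexistent target and neither rule is installed, leaving traffic to and from hostile networks unfiltered. This patch therefore must not be applied or backported without 3/7, or the chain creation should move here next to the rules that depend on it. Minor: of the 3 deletions in the diffstat, one is the unrelated copyright-year bump in the first hunk; that is usually kept out of a Fixes: commit or mentioned in the message.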
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
Date: Sun, 21 Jan 2024 12:45:49 +0100
Message-ID: <20240121114553.5182-3-adolf.belka@ipfire.org>
In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org>
References: <20240121114553.5182-1-adolf.belka@ipfire.org>

- This v3 version now has two if loops allowing logging of incoming drop hostile or outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi, this loop will either log or not log the dropped hostile traffic.

Fixes: bug12981
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Reviewed-by: Bernhard Bitsch
---
 src/initscripts/system/firewall | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 50f2b3e02..840ae3150 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -176,9 +176,18 @@ iptables_init() { iptables -A FORWARD -j HOSTILE iptables -A OUTPUT -j HOSTILE - iptables -N HOSTILE_DROP - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" + iptables -N HOSTILE_DROP_IN + if [ "$LOGDROPHOSTILEIN" == "on" ]; then + iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE" + + iptables -N HOSTILE_DROP_OUT + if [ "$LOGDROPHOSTILEOUT" == "on" ]; then + iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " + fi + iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE" + # IP Address Blocklist chains iptables -N BLOCKLISTIN
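Review bot: the tests `[ "$LOGDROPHOSTILEIN" == "on" ]` and `[ "$LOGDROPHOSTILEOUT" == "on" ]` treat an unset variable as off, while 1/7 only defaults these keys to 'on' inside the CGI's own %settings when the page is rendered, so an installation upgraded to this series without re-saving the firewall options silently stops logging dropped hostile traffic in both directions; defaulting in the initscript (`LOGDROPHOSTILEIN="${LOGDROPHOSTILEIN:-on}"`, likewise for OUT) or testing `!= "off"` avoids that regression. Two smaller points: both new chains log with the same prefix "DROP_HOSTILE " and the same comment, so the analysis this series is meant to enable (telling inbound noise from an internal client reaching out to a hostile network) still has to be done on the IN=/OUT= interface fields of each log line, whereas distinct prefixes such as "DROP_HOSTILE_IN " and "DROP_HOSTILE_OUT " would make it a plain prefix match; and `==` inside `[ ]` is a bashism, `=` is the portable form.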
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH v3 4/7] en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
Date: Sun, 21 Jan 2024 12:45:50 +0100
Message-ID: <20240121114553.5182-4-adolf.belka@ipfire.org>
In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org>
References: <20240121114553.5182-1-adolf.belka@ipfire.org>

- In this v3 version I have added translations for hostile networks in and hostile networks out and log drop hostile in and log drop hostile out.

Fixes: bug12981
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 doc/language_issues.de |  5 +++++
 doc/language_issues.en |  5 ++++-
 doc/language_issues.es |  5 +++++
 doc/language_issues.fr |  5 +++++
 doc/language_issues.it |  5 ++++-
 doc/language_issues.nl |  5 ++++-
 doc/language_issues.pl |  5 ++++-
 doc/language_issues.ru |  5 ++++-
 doc/language_issues.tr |  5 ++++-
 doc/language_missings  | 37 ++++++++++++++++++++++++++++++++-----
 langs/en/cgi-bin/en.pl |  5 ++++-
 11 files changed, 75 insertions(+), 12 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..29bf5b8d7 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -375,6 +375,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 @@ -923,12 +924,16 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: invalid input for subscription code = Invalid input for subscription code WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional diff --git a/doc/language_issues.en b/doc/language_issues.en index b4327cb78..4f37e43f7 100644 --- a/doc/language_issues.en 
+++ b/doc/language_issues.en @@ -1039,7 +1039,8 @@ WARNING: untranslated string: holdoff = Holdoff time (in seconds) WARNING: untranslated string: host certificate = Host Certificate WARNING: untranslated string: host ip = Host IP address WARNING: untranslated string: host to net vpn = Host-to-Net Virtual Private Network (RoadWarrior) -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: hostname = Hostname WARNING: untranslated string: hostname cant be empty = Hostname cannot be empty. WARNING: untranslated string: hostname not set = Hostname not set. @@ -1247,6 +1248,8 @@ WARNING: untranslated string: locationblock country is allowed = Incoming traffi WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: WARNING: untranslated string: log = Log +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log lines per page = Lines per page WARNING: untranslated string: log server address = Syslog server: diff --git a/doc/language_issues.es b/doc/language_issues.es index 45ffdf5d7..22b6efbc3 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -415,6 +415,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 @@ -989,8 +990,12 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: no data = unknown string WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired diff --git a/doc/language_issues.fr b/doc/language_issues.fr index cacfb1ec6..68514699d 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -402,6 +402,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 
@@ -947,6 +948,10 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.it b/doc/language_issues.it index 68ff12c86..fed7f4195 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1068,7 +1068,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1159,6 +1160,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d1a637215..9f9fce689 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1073,7 +1073,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1166,6 +1167,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 893f73211..48c0974e8 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1213,7 +1213,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1315,6 +1316,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 64c9b5095..a1112396c 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1210,7 +1210,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1313,6 +1314,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eadbd33c7..649ebf6b4 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1010,7 +1010,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1089,6 +1090,8 @@ WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: local ip address = Local IP Address +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: meltdown = Meltdown WARNING: untranslated string: mitigated = Mitigated diff --git a/doc/language_missings b/doc/language_missings index 28ae29c2b..8a92fde97 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -58,6 +58,8 @@ < extrahd because it it outside the allowed mount path < g.dtm < g.lite +< hostile networks in +< hostile networks out < ids automatic rules update < ids subscription code required < insert removable device @@ -66,6 +68,8 @@ < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < link-layer encapsulation +< log drop hostile in +< log drop hostile out < netbios nameserver daemon < no entries < notes @@ -114,7 +118,11 @@ < extrahd not configured < extrahd not mounted < hardware vulnerabilities +< hostile networks in +< hostile networks out < invalid ip or hostname +< log drop hostile in +< log drop hostile out < openvpn cert expires soon < openvpn cert has expired < reiserfs warning1 @@ -138,6 +146,10 @@ < extrahd not mounted < g.dtm < g.lite +< hostile networks in +< hostile networks out +< log drop hostile in +< log drop hostile out < reiserfs warning1 < reiserfs warning2 < spec rstack overflow 
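Review bot: the doc/language_issues.* and doc/language_missings hunks are generated output (every changed line is a "WARNING: untranslated string ..." or a "< key" entry), so the thing to verify is not the text but that they track the en.pl change: each per-language file drops "hostile networks" and gains "hostile networks in", "hostile networks out", "log drop hostile in" and "log drop hostile out", which is exactly what the en.pl hunks later in this patch add. Please say in the commit message that these files were regenerated with the language check tooling rather than edited by hand, so the next regeneration does not produce an unrelated diff. Note also that the four new keys now appear as missing for every other language, so translations are a follow-up and until then those labels will show whatever Lang::tr falls back to for an untranslated key.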
@@ -361,7 +373,8 @@ < guaranteed bandwidth < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply @@ -464,6 +477,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -880,7 +895,8 @@ < generate ptr < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply @@ -985,6 +1001,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -1704,7 +1722,8 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply @@ -1819,6 +1838,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter @@ -2695,7 +2716,8 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < hour-graph < ids add provider < ids adjust ruleset @@ -2812,6 +2834,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter @@ -3280,7 +3304,8 @@ < fw red < generate ptr < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply 
@@ -3368,6 +3393,8 @@ < legacy architecture warning < link-layer encapsulation < local ip address +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < meltdown < mitigated diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 16a3061b4..935217f0b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1409,7 +1409,8 @@ 'host deny' => 'list with denied hosts', 'host ip' => 'Host IP address', 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)', -'hostile networks' => 'Hostile networks', +'hostile networks in' => 'Hostile networks in', +'hostile networks out' => 'Hostile networks out', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname and domain already in use.', 'hostname cant be empty' => 'Hostname cannot be empty.', 
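Review bot: this hunk deletes the "hostile networks" key instead of adding the two new ones beside it, so any caller that still does $Lang::tr{'hostile networks'} after this series lands renders an empty label. Patch 6/7 in this series updates the one use visible on this page (the STACK legend in graphs.pl's updatefwhitsgraph), but please grep html/cgi-bin and config/cfgroot for the old key before merging, or keep 'hostile networks' => 'Hostile networks', in en.pl for one release as a transition so a missed caller degrades to the old wording rather than to nothing.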
@@ -1686,6 +1687,8 @@ 'locationblock enable feature' => 'Enable Location based blocking:', 'locationblock flag' => 'Flag', 'log' => 'Log', +'log drop hostile in' => 'Log dropped packets FROM hostile networks', +'log drop hostile out' => 'Log dropped packets TO hostile networks', 'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking', 'log enabled' => 'Log Enabled', 'log level' => 'Log Level',

From patchwork Sun Jan 21 11:45:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7476
From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH v3 5/7] collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection Date: Sun, 21 Jan 2024 12:45:51 +0100 Message-ID: <20240121114553.5182-5-adolf.belka@ipfire.org> In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org> References: <20240121114553.5182-1-adolf.belka@ipfire.org> List-Id: IPFire development talk

- In this v3 version of the patch set the splitting of drop hostile logging into incoming and outgoing logging means that the data collection and graphs need to have drop hostile also split into incoming and outgoing.

Fixes: bug12981
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
config/collectd/collectd.conf | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index 4ef34ea07..cc49f0ba7 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf
@@ -51,7 +51,8 @@ include "/etc/collectd.precache" Chain filter POLICYOUT DROP_OUTPUT Chain filter POLICYIN DROP_INPUT Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN - Chain filter HOSTILE_DROP DROP_HOSTILE + Chain filter HOSTILE_DROP_IN DROP_HOSTILE + Chain filter HOSTILE_DROP_OUT DROP_HOSTILE #

From patchwork Sun Jan 21 11:45:52 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7477
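Review bot: both new collectd lines keep the same third argument, DROP_HOSTILE, which the collectd iptables plugin matches against the rule comment inside the named chain, so these two entries only produce data if the rules installed in HOSTILE_DROP_IN and HOSTILE_DROP_OUT by the firewall patch of this series carry exactly that comment; if that patch names the comments per direction (DROP_HOSTILE_IN / DROP_HOSTILE_OUT, say) the counters silently stay empty. Please confirm against the firewall change, because the RRD paths graphs.pl expects, iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd and iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd, are derived from these two strings. Separately, the existing iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd is simply abandoned here: the commit message should say that previously collected drop-hostile history is no longer graphed after the update, or the update script should deal with the old file.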
From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH v3 6/7] graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries Date: Sun, 21 Jan 2024 12:45:52 +0100 Message-ID: <20240121114553.5182-6-adolf.belka@ipfire.org> In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org> References: <20240121114553.5182-1-adolf.belka@ipfire.org> List-Id: IPFire development talk

- This v3 version of the patch set splits the single hostile networks graph entry into incoming hostile networks and outgoing hostile networks entries.

Fixes: bug12981
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
config/cfgroot/graphs.pl | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 9803dd124..f527447b5 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl
@@ -693,7 +693,8 @@ sub updatefwhitsgraph { "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE", - "DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), 
@@ -729,11 +730,16 @@ sub updatefwhitsgraph { "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps", "GPRINT:spoofedmartian:MIN:%8.1lf %sBps", "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j", - "STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}), - "GPRINT:hostile:MAX:%8.1lf %sBps", - "GPRINT:hostile:AVERAGE:%8.1lf %sBps", - "GPRINT:hostile:MIN:%8.1lf %sBps", - "GPRINT:hostile:LAST:%8.1lf %sBps\\j", + "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}), + "GPRINT:hostilein:MAX:%8.1lf %sBps", + "GPRINT:hostilein:AVERAGE:%8.1lf %sBps", + "GPRINT:hostilein:MIN:%8.1lf %sBps", + "GPRINT:hostilein:LAST:%8.1lf %sBps\\j", + "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}), + "GPRINT:hostileout:MAX:%8.1lf %sBps", + "GPRINT:hostileout:AVERAGE:%8.1lf %sBps", + "GPRINT:hostileout:MIN:%8.1lf %sBps", + "GPRINT:hostileout:LAST:%8.1lf %sBps\\j", ); $ERROR = RRDs::error; return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;

From patchwork Sun Jan 21 11:45:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7478
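Review bot: the new DEF:hostilein and DEF:hostileout sources in the first hunk point at RRD files that only exist once collectd has written the HOSTILE_DROP_IN and HOSTILE_DROP_OUT plugin instances, and RRDs::graph aborts on a missing DEF file, so on a freshly updated system updatefwhitsgraph returns "Error in RRD::graph for firewallhits" and the whole firewall-hits graph, not just the two new series, is gone until both files appear. Either skip a DEF/STACK pair whose file is absent (a -e test on the path before pushing it onto the argument list) or have the update script create the files. Two smaller points on the second hunk: $color{"color25"} is new in this function, so please confirm it is defined in the palette graphs.pl loads, since an undefined value yields a STACK spec with no colour that RRDtool rejects; and the old iptables-filter-HOSTILE_DROP RRD is no longer referenced anywhere, so the history it holds disappears from the graph without a note in the commit message.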
From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH v3 7/7] optionsfw.cgi: Move Firewall Options Drop commands to before the logging section Date: Sun, 21 Jan 2024 12:45:53 +0100 Message-ID: <20240121114553.5182-7-adolf.belka@ipfire.org> In-Reply-To: <20240121114553.5182-1-adolf.belka@ipfire.org> References: <20240121114553.5182-1-adolf.belka@ipfire.org> List-Id: IPFire development talk

- Moved the Firewall Options Drop commands to before the logging section, as discussed at January 2024 Video Call.

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
html/cgi-bin/optionsfw.cgi | 47 +++++++++++++++++++-------------------
1 file changed, 24 insertions(+), 23 deletions(-)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 52ac1b01e..60b1bdd91 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -224,6 +224,29 @@ END
+ + + + + + + + +
$Lang::tr{'fw red'}
$Lang::tr{'drop hostile'} + $Lang::tr{'on'} / + $Lang::tr{'off'} +
+
+ + + + + +
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / + $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / + $Lang::tr{'off'}
+
+ @@ -308,28 +331,6 @@ END
$Lang::tr{'fw logging'}

- - - - - - - - -
$Lang::tr{'fw red'}
$Lang::tr{'drop hostile'} - $Lang::tr{'on'} / - $Lang::tr{'off'} -
-
- - - - - -
$Lang::tr{'fw blue'}
$Lang::tr{'drop proxy'}$Lang::tr{'on'} / - $Lang::tr{'off'}
$Lang::tr{'drop samba'}$Lang::tr{'on'} / - $Lang::tr{'off'}
-
$Lang::tr{'fw settings'}
$Lang::tr{'fw settings color'}$Lang::tr{'on'} /
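Review bot: the hunk at @@ -308,28 +331,6 @@ removes the same 'fw red' / 'drop hostile' and 'fw blue' / 'drop proxy' / 'drop samba' rows that the hunk at @@ -224,6 +224,29 @@ inserts, so this should be a pure move with no change to the form fields; the extraction on this page has stripped the HTML tags, so the one thing a reader cannot verify here is that the moved block opens and closes its own table at the new position rather than splitting the table it was pasted into. Please check the rendered page once with the drop options set both ways after applying the series. The commit message also justifies the move only with "as discussed at January 2024 Video Call"; a one-line rationale in the message itself (these toggles change what the firewall drops, not what it logs, so they belong before the 'fw logging' section) would help anyone reading the history later. The copyright year bump in the first hunk is fine.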