From patchwork Sat Mar 16 09:32:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7642 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4TxbWj2W2Wz3wkd for ; Sat, 16 Mar 2024 09:33:05 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4TxbWg6BGmzrH; Sat, 16 Mar 2024 09:33:03 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4TxbWg42Hyz32mv; Sat, 16 Mar 2024 09:33:03 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4TxbWc5P25z2xjg for ; Sat, 16 Mar 2024 09:33:00 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4TxbWb6msRznn; Sat, 16 Mar 2024 09:32:59 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1710581580; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Kyd/ZjLhgkrXRxyUAP+WAYPo+oQInWHLfESAalKCPDk=; b=q8XnrVVVaEhFmsivQHgzE7in1N8uZBOzEYBD5JCdVOs9Yr5gRjcBHjLQjgc/tsJlM0/vc0 i3ZsEhnw1pPGvVCA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1710581580; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=Kyd/ZjLhgkrXRxyUAP+WAYPo+oQInWHLfESAalKCPDk=; b=X1YIf8toUaTlZK2D5LyOD/m61r/5bYq1ZJ+r8E8/P2eDXhal0slVPPvV1yUhPTbsJGbfi2 hDezy//x/g2wGdTp9WjRfQXil7P5YzgVuJkA6zZgWbLYIFF5uqkN/ukNqBOOmpeiWWcTMM 6q0NrqtWxjW9up4Dx3gZkAFFkfbJPleLBsfzXA9OTox/WNtl/5yP3aI1Zn74n2XJBxrNi9 Wfpw5gRxWN+CqdYtXw1TPrvAItOOLDnBhWrMDo2yu1jV4LWPLVeT7WYotb/hfhQBELiBVi /az/g3E85iJA5+w1ixbVAb0oXW4kuz+wTvIVsj6w2NTPYlc/lS/Hr2etI5lHAQ== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] CU184-update.sh: Add drop hostile in & out logging entries Date: Sat, 16 Mar 2024 10:32:54 +0100 Message-ID: <20240316093254.8643-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: 4RBGD3FXFHK3IKHDERCNC2VQLDXIELKV X-Message-ID-Hash: 4RBGD3FXFHK3IKHDERCNC2VQLDXIELKV X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - My drop hostile patch set updated the WUI entries to include in and out logging options but the values need to be added to the optionsfw entries for existing systems being upgraded. - After the existing CU184 update the LOGDROPHOSTILEIN and LOGDROPHO)STILEOUT entries are not in the settings file which trewats them as being set to off, even though they are enabled in the WUI update. - This patch adds the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries into the settings file and then runs the firewallctrl command to apply to the firewall. - Ran a CU184 update on a CU183 vm system and then ran the comands added into the update.sh script and then did a reboot. Entries include and DROP_HOSTILE entries start to be logged again. Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- config/rootfiles/core/184/update.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/184/update.sh index aa593047d..1a0e67c66 100644 --- a/config/rootfiles/core/184/update.sh +++ b/config/rootfiles/core/184/update.sh @@ -80,6 +80,12 @@ xz --check=crc32 --lzma2=dict=512KiB /lib/modules/6.6.15-ipfire/extra/wlan/8812a # Apply local configuration to sshd_config /usr/local/bin/sshctrl +# Add the drop hostile in and out logging options +# into the optionsfw settings file and apply to firewall +sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings +sed -i '$ a\LOGDROPHOSTILEOUT=on' /var/ipfire/optionsfw/settings +/usr/local/bin/firewallctrl + # Start services telinit u /etc/init.d/vnstat start