From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] CU184-update.sh: Add drop hostile in & out logging entries
Date: Mon, 18 Mar 2024 12:10:44 +0100
Message-ID: <0a5210dc-9330-466d-8d3f-360ac72721c7@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2806065584189645625=="
List-Id:

--===============2806065584189645625==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Michael,

On 18/03/2024 11:15, Michael Tremer wrote:
> Hello Adolf,
>
> Okay. I have merged this and as soon as the build is done I will push the new update out.
>
> What are we doing with the people who have already installed the update?

The positive thing is that if they had drop hostile enabled in the
previous version then that will stay in place.

However, the logging will not occur. On the WUI page it will show as
enabled to log but as the values were not saved into the settings file
they are treated as disabled.

The way to solve this for people affected is to press the Save button on
the WUI page and do a reboot.

The only way to deal with this that I can see is to maybe do a blog post
on it. That fix has been noted in the forum on the post from Roberto who
noted that drop hostile traffic was being blocked but there were no log
entries.

Of course I will keep an eye out on all forum posts to see if any other
people notice that there is no logging and let them know the solution.

Are there any other approaches that you can think of?

Regards,

Adolf.

>
> -Michael
>
>> On 16 Mar 2024, at 09:32, Adolf Belka wrote:
>>
>> - My drop hostile patch set updated the WUI entries to include in and out logging options
>>   but the values need to be added to the optionsfw entries for existing systems being
>>   upgraded.
>> - After the existing CU184 update the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries
>>   are not in the settings file which treats them as being set to off, even though they
>>   are enabled in the WUI update.
>> - This patch adds the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries into the settings
>>   file and then runs the firewallctrl command to apply to the firewall.
>> - Ran a CU184 update on a CU183 vm system and then ran the commands added into the update.sh
>>   script and then did a reboot. Entries include and DROP_HOSTILE entries start to be
>>   logged again.
>>
>> Tested-by: Adolf Belka
>> Signed-off-by: Adolf Belka
>> --- >> config/rootfiles/core/184/update.sh | 6 ++++++ >> 1 file changed, 6 insertions(+) >> >> diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/1= 84/update.sh >> index aa593047d..1a0e67c66 100644 >> --- a/config/rootfiles/core/184/update.sh >> +++ b/config/rootfiles/core/184/update.sh >> @@ -80,6 +80,12 @@ xz --check=3Dcrc32 --lzma2=3Ddict=3D512KiB /lib/modules= /6.6.15-ipfire/extra/wlan/8812a >> # Apply local configuration to sshd_config >> /usr/local/bin/sshctrl >> >> +# Add the drop hostile in and out logging options >> +# into the optionsfw settings file and apply to firewall >> +sed -i '$ a\LOGDROPHOSTILEIN=3Don' /var/ipfire/optionsfw/settings >> +sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/settings >> +/usr/local/bin/firewallctrl >> + >> # Start services >> telinit u >> /etc/init.d/vnstat start >> --=20 >> 2.44.0 >>
>

-- 
Sent from my laptop
--===============2806065584189645625==--
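
Review bot: the two `sed -i '$ a\...'` lines added after /usr/local/bin/sshctrl append LOGDROPHOSTILEIN=on and LOGDROPHOSTILEOUT=on unconditionally, with no check for whether the keys are already in /var/ipfire/optionsfw/settings. On a system where they are already present (for example one where the Save button on the WUI page was pressed after the first CU184 install, the workaround described in this thread), the file ends up with duplicate keys, and a value that was saved as off would be followed by a second line saying on. Guard each append with a test such as `grep -q '^LOGDROPHOSTILEIN=' /var/ipfire/optionsfw/settings ||` in front of the sed, and the same for LOGDROPHOSTILEOUT. Two smaller points: `$ a\` appends nothing when the settings file is empty, since there is no last line to match, and the commit message's test included a reboot, so it would help to state whether running /usr/local/bin/firewallctrl on its own is enough for DROP_HOSTILE logging to start.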