From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] CU184-update.sh: Add drop hostile in & out logging entries
Date: Mon, 18 Mar 2024 18:19:29 +0100
Message-ID: <0bf1deb4-9ead-4e55-8b3a-ad23ba2f3868@ipfire.org>
In-Reply-To: <7407135D-7959-45F3-9E79-2D9C64966616@ipfire.org>

Hi Michael,

On 18/03/2024 17:15, Michael Tremer wrote:
> I would rather like to solve this programmatically in the updater for c185.
>
> Can we not add the value if we don't find it in the configuration file?
>

That seems so obvious to me now but I didn't think of it. Thanks for the suggestion.

Yes, we can check if both entries are missing and if they are, then run the same commands as I put into the CU184 update.sh script.

I will submit a patch for the CU185 update.sh to add this into it.

Regards,
Adolf.

> -Michael
>
>> On 18 Mar 2024, at 11:10, Adolf Belka wrote:
>>
>> Hi Michael,
>>
>> On 18/03/2024 11:15, Michael Tremer wrote:
>>> Hello Adolf,
>>> Okay. I have merged this and as soon as the build is done I will push the new update out.
>>> What are we doing with the people who have already installed the update?
>>
>> The positive thing is that if they had drop hostile enabled in the previous version then that will stay in place.
>>
>> However, the logging will not occur. On the WUI page it will show as enabled to log but as the values were not saved into the settings file they are treated as disabled.
>>
>> The way to solve this for people affected is to press the Save button on the WUI page and do a reboot.
>>
>> The only way to deal with this that I can see is to maybe do a blog post on it.
>> That fix has been noted in the forum on the post from Roberto who noted that drop hostile traffic was being blocked but there were no log entries.
>> Of course I will keep an eye out on all forum posts to see if any other people notice that there is no logging and let them know the solution.
>>
>> Are there any other approaches that you can think of?
>>
>> Regards,
>>
>> Adolf.
>>> -Michael
>>>> On 16 Mar 2024, at 09:32, Adolf Belka wrote:
>>>>
>>>> - My drop hostile patch set updated the WUI entries to include in and out logging options
>>>>   but the values need to be added to the optionsfw entries for existing systems being
>>>>   upgraded.
>>>> - After the existing CU184 update the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries
>>>>   are not in the settings file which treats them as being set to off, even though they
>>>>   are enabled in the WUI update.
>>>> - This patch adds the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries into the settings
>>>>   file and then runs the firewallctrl command to apply to the firewall.
>>>> - Ran a CU184 update on a CU183 vm system and then ran the commands added into the update.sh
>>>>   script and then did a reboot. Entries include and DROP_HOSTILE entries start to be
>>>>   logged again.
>>>>
>>>> Tested-by: Adolf Belka
>>>> Signed-off-by: Adolf Belka
>>>> ---
>>>> config/rootfiles/core/184/update.sh | 6 ++++++
>>>> 1 file changed, 6 insertions(+)
>>>>
>>>> diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/184/update.sh
>>>> index aa593047d..1a0e67c66 100644
>>>> --- a/config/rootfiles/core/184/update.sh
>>>> +++ b/config/rootfiles/core/184/update.sh
>>>> @@ -80,6 +80,12 @@ xz --check=3Dcrc32 --lzma2=3Ddict=3D512KiB /lib/modul= es/6.6.15-ipfire/extra/wlan/8812a >>>> # Apply local configuration to sshd_config >>>> /usr/local/bin/sshctrl >>>> >>>> +# Add the drop hostile in and out logging options >>>> +# into the optionsfw settings file and apply to firewall >>>> +sed -i '$ a\LOGDROPHOSTILEIN=3Don' /var/ipfire/optionsfw/settings >>>> +sed -i '$ a\LOGDROPHOSTILEOUT=3Don' /var/ipfire/optionsfw/settings >>>> +/usr/local/bin/firewallctrl >>>> + >>>> # Start services >>>> telinit u >>>> /etc/init.d/vnstat start >>>> --=20 >>>> 2.44.0 >>>> >> >> --=20 >> Sent from my laptop >=20 >=20 --=20 Sent from my laptop --===============1289452263088721440==--
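Review bot: the two `sed -i '$ a\...'` lines in this hunk append LOGDROPHOSTILEIN=on and LOGDROPHOSTILEOUT=on unconditionally, so a settings file that already carries those keys (a system where the Save button was pressed on the WUI page, as described earlier in the thread, or an updater that is run a second time) ends up with duplicate entries. Guarding each append on the key being absent, e.g. `grep -q '^LOGDROPHOSTILEIN=' /var/ipfire/optionsfw/settings || sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings`, avoids that and is the same "add it only if we don't find it" check Michael asks for in the CU185 updater. The comment above the appends should also state that this forces both options to on for every upgraded system rather than preserving an earlier choice, since that is what the commit message relies on.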
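The conditional approach the thread settles on (write the logging keys into the optionsfw settings file only when they are missing), as an added example in POSIX sh. This is not IPFire's own update.sh: the helper names ensure_setting and count_setting, the use of printf instead of the patch's sed append, and the contents of the temporary settings file are all my own constructions; the firewallctrl call that the real updater would run afterwards is left out.

```shell
#!/bin/sh
# Added example (not IPFire's update.sh): append KEY=VALUE to a settings
# file only when no line for KEY exists yet, so running the updater twice,
# or running it on a system where the WUI Save button already wrote the
# keys, cannot produce duplicate entries or overwrite a user's choice.
# Usage: ensure_setting FILE KEY VALUE
ensure_setting() {
	file="$1"; key="$2"; value="$3"

	# Create the file if it is missing so grep has something to read.
	[ -f "$file" ] || : > "$file"

	# Key already present (possibly with a different value): leave it alone.
	if grep -q "^${key}=" "$file"; then
		return 0
	fi

	# If the last line lacks a trailing newline, terminate it first so the
	# new key is not glued onto it (sed '$ a' has the same concern, and
	# appends nothing at all to an empty file, which is why printf is used).
	if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
		printf '\n' >> "$file"
	fi

	printf '%s=%s\n' "$key" "$value" >> "$file"
}

# Number of lines defining KEY in FILE: 1 is the healthy state after
# ensure_setting, 0 means it was never added, >1 means a duplicate.
# Usage: count_setting FILE KEY
count_setting() {
	grep -c "^${2}=" "$1" || true
}

# Demo on a constructed settings file (hypothetical contents, not a real
# IPFire system). The last line deliberately has no trailing newline.
demo="$(mktemp)"
printf 'DROPHOSTILE=on\nLOGDROPHOSTILEIN=off' > "$demo"
ensure_setting "$demo" LOGDROPHOSTILEIN on    # present: keeps the user's "off"
ensure_setting "$demo" LOGDROPHOSTILEOUT on   # missing: appended as "on"
ensure_setting "$demo" LOGDROPHOSTILEOUT on   # second run: no duplicate
cat "$demo"
rm -f "$demo"
```

In an updater this replaces the two unconditional sed appends: call ensure_setting once per key and then run firewallctrl as the patch already does; the first run on an affected CU184 system adds the keys, and every later run is a no-op.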