public inbox for development@lists.ipfire.org
* [PATCH 1/3] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
From: Adolf Belka @ 2023-12-26 19:46 UTC
  To: development


- Added an option in the drop hostile section to decide whether the dropped traffic should be
   logged or not.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/optionsfw.cgi | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..4b2b8ef91 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,9 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
 if (!$settings{'DROPHOSTILE'}) {
 	$settings{'DROPHOSTILE'} = 'off';
 }
+if (!$settings{'LOGDROPHOSTILE'}) {
+	$settings{'LOGDROPHOSTILE'} = 'on';
+}
 if (!$settings{'LOGDROPCTINVALID'}) {
 	$settings{'LOGDROPCTINVALID'} = 'on';
 }
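Review bot: the fallback to 'on' on lines 31-33 only affects what this page displays; a settings file that lacks LOGDROPHOSTILE (any installation updated before this option existed) still exports nothing to the init script, so the web UI shows logging as on while patch 2/3 adds no LOG rule to HOSTILE_DROP. Either write LOGDROPHOSTILE=on into the settings file as part of the update, or make the init script treat a missing key as on.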
@@ -125,6 +128,9 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILE'}{'off'} = '';
+$checked{'LOGDROPHOSTILE'}{'on'} = '';
+$checked{'LOGDROPHOSTILE'}{$settings{'LOGDROPHOSTILE'}} = "checked='checked'";
 $checked{'LOGDROPCTINVALID'}{'off'} = '';
 $checked{'LOGDROPCTINVALID'}{'on'} = '';
 $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
@@ -293,6 +299,13 @@ END
 			<input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
 		</td>
 	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILE' value='on' $checked{'LOGDROPHOSTILE'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILE' value='off' $checked{'LOGDROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
 </table>
 <br>
 
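Review bot: the new row on lines 51-57 is offered regardless of the DROPHOSTILE value chosen on the row directly above it, so a user can toggle logging for a drop that is switched off. Consider rendering the LOGDROPHOSTILE radios disabled when $settings{'DROPHOSTILE'} is 'off', or at least stating in the label that the choice has no effect in that case. The markup itself mirrors the DROPHOSTILE row, including the '/' separator between the two inputs on line 54.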
-- 
2.43.0



* [PATCH 2/3] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
From: Adolf Belka @ 2023-12-26 19:46 UTC
  To: development


- Depending on the choice in optionsfw.cgi, this loop will either log or not log the
   dropped hostile traffic.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 src/initscripts/system/firewall | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 50f2b3e02..352ae2496 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -177,7 +177,9 @@ iptables_init() {
 	iptables -A OUTPUT -j HOSTILE
 
 	iptables -N HOSTILE_DROP
-	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	if [ "$LOGDROPHOSTILE" == "on" ]; then
+		iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	fi
 	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
 
 	# IP Address Blocklist chains
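Review bot: line 96 enables the LOG rule only when LOGDROPHOSTILE is exactly "on", so an unset variable (a settings file written before this key existed) silently disables logging that was unconditional before this change, the opposite of the 'on' default that patch 1/3 shows in the UI. Inverting the test keeps the old behaviour until someone explicitly opts out: `if [ "$LOGDROPHOSTILE" != "off" ]; then`. The rate limit on the LOG rule and the final DROP on line 99 are unchanged, so the drop itself is unaffected either way.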
-- 
2.43.0



* [PATCH 3/3] en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
From: Adolf Belka @ 2023-12-26 19:46 UTC
  To: development


Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 doc/language_issues.de | 1 +
 doc/language_issues.en | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings  | 8 ++++++++
 langs/en/cgi-bin/en.pl | 1 +
 11 files changed, 18 insertions(+)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..cb8e5b16d 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -929,6 +929,7 @@ WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS
 WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: optional = Optional
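Review bot: doc/language_issues.* and doc/language_missings are outputs of the language check, so the hunks in those ten files should come from regenerating them after the en.pl change rather than from hand edits; the uniform one-line insertion in every list suggests that was done, and including them keeps the tree consistent with earlier language patches.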
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b4327cb78..0fc63ca96 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1247,6 +1247,7 @@ WARNING: untranslated string: locationblock country is allowed = Incoming traffi
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
 WARNING: untranslated string: log = Log
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log lines per page = Lines per page
 WARNING: untranslated string: log server address = Syslog server:
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 45ffdf5d7..eca4efa68 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -991,6 +991,7 @@ WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: openvpn cert expires soon = Expires Soon
 WARNING: untranslated string: openvpn cert has expired = Expired
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index cacfb1ec6..a4fca67ea 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -947,6 +947,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: pakfire ago = ago.
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 68ff12c86..63d1aee15 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1159,6 +1159,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index d1a637215..85086e48d 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1166,6 +1166,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 893f73211..8fd00f03a 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1315,6 +1315,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: mac filter = MAC filter
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 64c9b5095..05fac8a9e 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1313,6 +1313,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: mac filter = MAC filter
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index eadbd33c7..e0b04e947 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1089,6 +1089,7 @@ WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: meltdown = Meltdown
 WARNING: untranslated string: mitigated = Mitigated
diff --git a/doc/language_missings b/doc/language_missings
index 28ae29c2b..cfa9ee461 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -66,6 +66,7 @@
 < ipsec invalid ip address or fqdn for rw endpoint
 < ipsec roadwarrior endpoint
 < link-layer encapsulation
+< log drop hostile
 < netbios nameserver daemon
 < no entries
 < notes
@@ -115,6 +116,7 @@
 < extrahd not mounted
 < hardware vulnerabilities
 < invalid ip or hostname
+< log drop hostile
 < openvpn cert expires soon
 < openvpn cert has expired
 < reiserfs warning1
@@ -138,6 +140,7 @@
 < extrahd not mounted
 < g.dtm
 < g.lite
+< log drop hostile
 < reiserfs warning1
 < reiserfs warning2
 < spec rstack overflow
@@ -464,6 +467,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < masquerade blue
@@ -985,6 +989,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < masquerade blue
@@ -1819,6 +1824,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < mac filter
@@ -2812,6 +2818,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < mac filter
@@ -3368,6 +3375,7 @@
 < legacy architecture warning
 < link-layer encapsulation
 < local ip address
+< log drop hostile
 < log dropped conntrack invalids
 < meltdown
 < mitigated
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 16a3061b4..4731613b2 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1686,6 +1686,7 @@
 'locationblock enable feature' => 'Enable Location based blocking:',
 'locationblock flag' => 'Flag',
 'log' => 'Log',
+'log drop hostile' => 'Log dropped packets from and to hostile networks',
 'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking',
 'log enabled' => 'Log Enabled',
 'log level' => 'Log Level',
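Review bot: the key 'log drop hostile' on line 319 sits next to 'log dropped conntrack invalids' on line 320, which uses the past participle; naming it 'log dropped hostile' would keep the two logging keys in the same style and make them easier to find together. The label text itself is clear and matches the style of its neighbour.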
-- 
2.43.0



* Re: [PATCH 2/3] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
From: Adolf Belka @ 2023-12-27 12:49 UTC
  To: development


Hi Matthias,

On 27/12/2023 02:21, Matthias Fischer wrote:
> Hi Adolf,
> 
> I tested it and I'd suggest placing the if-loop a few lines higher, under
> the 'Firewall logging' section.
> 
> I inserted your code at line ~289ff, right under DROPSPOOFEDMARTIAN.
> 
> And now it looks as in the screenshot.

I used that location in my first patch build. I changed it to the one I submitted because this log selection is tied to the only firewall command that can be turned on or off for the drop, so I thought it made more sense for it to be directly linked with the drop hostile selection command.

However I am happy in either case.

During the night I thought that maybe the log selection should be greyed out if drop hostile is set to off, as there is no point in trying to log or not log a command that is not doing any dropping.

Then this morning I thought that maybe this drop hostile command has been around for long enough now that we don't need to have it turned off by default for updates. Maybe this command should, like for example DROP CTINVALID etc., be applied by default. In that case the DROP_HOSTILE selection would no longer be needed and LOG_DROP_HOSTILE could then go with the other logging decision options.

I will put this question into the next video conf call on 8th January.

Regards,

Adolf.

> 
> jm2c ;-)
> 
> Best,
> Matthias
> 
> On 26.12.2023 20:46, Adolf Belka wrote:
>> - Depending on the choice in optionsfw.cgi, this loop will either log or not log the
>>     dropped hostile traffic.
>>
>> Fixes: bug12981
>> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>>   src/initscripts/system/firewall | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 50f2b3e02..352ae2496 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -177,7 +177,9 @@ iptables_init() {
>>   	iptables -A OUTPUT -j HOSTILE
>>   
>>   	iptables -N HOSTILE_DROP
>> -	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
>> +	if [ "$LOGDROPHOSTILE" == "on" ]; then
>> +		iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
>> +	fi
>>   	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
>>   
>>   	# IP Address Blocklist chains
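Review bot: `==` inside `[ ]` on quoted line 390 is a bash extension rather than POSIX test syntax; `=` (or `!=`) behaves identically under bash and also works should this script ever run under a stricter /bin/sh. Whichever placement is chosen, the comparison should use `=` or `!=`, not `==`.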

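The update case discussed in this thread (an option that reads as on in the web UI but is absent from older settings files) in runnable form. This is an added example, not IPFire code: the three settings-file contents are constructed, the readhash-style loader, the rule-builder functions and their names are assumptions made for the illustration, and nothing here calls iptables. It contrasts the check exactly as written in patch 2/3 with an opt-out check that keeps logging unless LOGDROPHOSTILE is explicitly "off".

```shell
#!/bin/sh
# Added illustration, not IPFire code. Models how the HOSTILE_DROP LOG rule
# decision from patch 2/3 behaves for three settings files. The readhash-style
# loader, the rule builders and the settings contents are assumptions made for
# this example; nothing here runs iptables.

# Constructed settings files (what /var/ipfire/optionsfw/settings might hold in
# each case; the path itself is only assumed here).
SETTINGS_FRESH='DROPHOSTILE=on
LOGDROPHOSTILE=on'
SETTINGS_UPGRADED='DROPHOSTILE=on'   # key never written: updated before the option existed
SETTINGS_OFF='DROPHOSTILE=on
LOGDROPHOSTILE=off'

# Stand-in for readhash: emit only KEY=VALUE lines with a safe character set so
# the result can be eval'd without a settings file smuggling shell syntax.
load_settings() {
    printf '%s\n' "$1" |
        sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=\([A-Za-z0-9_.:-]*\)$/\1=\2/p'
}

# Rules the init script would append, using the check as written in the patch:
# log only when LOGDROPHOSTILE is exactly "on". Variables are cleared first to
# emulate a fresh script run per scenario.
hostile_drop_rules_patch() {
    DROPHOSTILE='' LOGDROPHOSTILE=''
    eval "$(load_settings "$1")"
    if [ "$LOGDROPHOSTILE" = "on" ]; then
        echo 'iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "'
    fi
    echo 'iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"'
}

# Alternative check: keep logging unless it was explicitly switched off, which
# matches the 'on' default the CGI displays when the key is absent.
hostile_drop_rules_opt_out() {
    DROPHOSTILE='' LOGDROPHOSTILE=''
    eval "$(load_settings "$1")"
    if [ "$LOGDROPHOSTILE" != "off" ]; then
        echo 'iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "'
    fi
    echo 'iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"'
}

# Exit 0 if the generated rule set contains a LOG rule, 1 otherwise.
logs_with_patch()   { hostile_drop_rules_patch "$1"   | grep -q -- '-j LOG'; }
logs_with_opt_out() { hostile_drop_rules_opt_out "$1" | grep -q -- '-j LOG'; }

yes_no() { if "$@"; then echo yes; else echo no; fi; }

# Demo: the upgraded system is the one scenario where the two checks disagree.
for scenario in FRESH UPGRADED OFF; do
    eval "content=\$SETTINGS_$scenario"
    printf '%-9s patch-check logs=%s  opt-out-check logs=%s\n' "$scenario" \
        "$(yes_no logs_with_patch "$content")" "$(yes_no logs_with_opt_out "$content")"
done
```

Run it with sh; the UPGRADED line is the one where the patch's check prints logs=no while the opt-out check prints logs=yes, and OFF prints no for both. The loader deliberately accepts only a narrow character set because the settings file is eval'd by the init script, so anything that writes it must not be able to inject shell syntax.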
