[PATCH v2 1/4] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic

[PATCH v2 1/4] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 1927 bytes --]

- Added option with drop hostile section to decide if the dropped traffic should be
   logged or not.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/optionsfw.cgi | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..a2a0058f7 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,9 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
 if (!$settings{'DROPHOSTILE'}) {
 	$settings{'DROPHOSTILE'} = 'off';
 }
+if (!$settings{'LOGDROPHOSTILE'}) {
+	$settings{'LOGDROPHOSTILE'} = 'on';
+}
 if (!$settings{'LOGDROPCTINVALID'}) {
 	$settings{'LOGDROPCTINVALID'} = 'on';
 }
@@ -125,6 +128,9 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILE'}{'off'} = '';
+$checked{'LOGDROPHOSTILE'}{'on'} = '';
+$checked{'LOGDROPHOSTILE'}{$settings{'LOGDROPHOSTILE'}} = "checked='checked'";
 $checked{'LOGDROPCTINVALID'}{'off'} = '';
 $checked{'LOGDROPCTINVALID'}{'on'} = '';
 $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
@@ -279,6 +285,13 @@ END
 			<input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
 		</td>
 	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILE' value='on' $checked{'LOGDROPHOSTILE'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILE' value='off' $checked{'LOGDROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
 </table>
 <br/>
 
-- 
2.43.0

[PATCH v2 2/4] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 988 bytes --]

- Dependent on the choice in optionsfw.cgi this loop will either log or not log the
   dropped hostile traffic.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 src/initscripts/system/firewall | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 50f2b3e02..352ae2496 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -177,7 +177,9 @@ iptables_init() {
 	iptables -A OUTPUT -j HOSTILE
 
 	iptables -N HOSTILE_DROP
-	iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	if [ "$LOGDROPHOSTILE" == "on" ]; then
+		iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+	fi
 	iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
 
 	# IP Address Blocklist chains
-- 
2.43.0

[PATCH v2 3/4] en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 10778 bytes --]

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 doc/language_issues.de | 1 +
 doc/language_issues.en | 1 +
 doc/language_issues.es | 1 +
 doc/language_issues.fr | 1 +
 doc/language_issues.it | 1 +
 doc/language_issues.nl | 1 +
 doc/language_issues.pl | 1 +
 doc/language_issues.ru | 1 +
 doc/language_issues.tr | 1 +
 doc/language_missings  | 8 ++++++++
 langs/en/cgi-bin/en.pl | 1 +
 11 files changed, 18 insertions(+)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..cb8e5b16d 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -929,6 +929,7 @@ WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS
 WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
 WARNING: untranslated string: no entries = No entries at the moment.
 WARNING: untranslated string: optional = Optional
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b4327cb78..0fc63ca96 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1247,6 +1247,7 @@ WARNING: untranslated string: locationblock country is allowed = Incoming traffi
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
 WARNING: untranslated string: log = Log
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log lines per page = Lines per page
 WARNING: untranslated string: log server address = Syslog server:
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 45ffdf5d7..eca4efa68 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -991,6 +991,7 @@ WARNING: untranslated string: guardian service = unknown string
 WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
 WARNING: untranslated string: info messages = unknown string
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: no data = unknown string
 WARNING: untranslated string: openvpn cert expires soon = Expires Soon
 WARNING: untranslated string: openvpn cert has expired = Expired
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index cacfb1ec6..a4fca67ea 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -947,6 +947,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: pakfire ago = ago.
 WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
 WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 68ff12c86..63d1aee15 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1159,6 +1159,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index d1a637215..85086e48d 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1166,6 +1166,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: masquerade blue = Masquerade BLUE
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 893f73211..8fd00f03a 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1315,6 +1315,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: mac filter = MAC filter
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 64c9b5095..05fac8a9e 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1313,6 +1313,7 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
 WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
 WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
 WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: log server protocol = protocol:
 WARNING: untranslated string: mac filter = MAC filter
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index eadbd33c7..e0b04e947 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1089,6 +1089,7 @@ WARNING: untranslated string: ipsec settings = IPsec Settings
 WARNING: untranslated string: itlb multihit = iTLB MultiHit
 WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
 WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: log drop hostile = Log dropped packets from and to hostile networks
 WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
 WARNING: untranslated string: meltdown = Meltdown
 WARNING: untranslated string: mitigated = Mitigated
diff --git a/doc/language_missings b/doc/language_missings
index 28ae29c2b..cfa9ee461 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -66,6 +66,7 @@
 < ipsec invalid ip address or fqdn for rw endpoint
 < ipsec roadwarrior endpoint
 < link-layer encapsulation
+< log drop hostile
 < netbios nameserver daemon
 < no entries
 < notes
@@ -115,6 +116,7 @@
 < extrahd not mounted
 < hardware vulnerabilities
 < invalid ip or hostname
+< log drop hostile
 < openvpn cert expires soon
 < openvpn cert has expired
 < reiserfs warning1
@@ -138,6 +140,7 @@
 < extrahd not mounted
 < g.dtm
 < g.lite
+< log drop hostile
 < reiserfs warning1
 < reiserfs warning2
 < spec rstack overflow
@@ -464,6 +467,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < masquerade blue
@@ -985,6 +989,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < masquerade blue
@@ -1819,6 +1824,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < mac filter
@@ -2812,6 +2818,7 @@
 < locationblock country name
 < locationblock enable feature
 < locationblock flag
+< log drop hostile
 < log dropped conntrack invalids
 < log server protocol
 < mac filter
@@ -3368,6 +3375,7 @@
 < legacy architecture warning
 < link-layer encapsulation
 < local ip address
+< log drop hostile
 < log dropped conntrack invalids
 < meltdown
 < mitigated
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 16a3061b4..4731613b2 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1686,6 +1686,7 @@
 'locationblock enable feature' => 'Enable Location based blocking:',
 'locationblock flag' => 'Flag',
 'log' => 'Log',
+'log drop hostile' => 'Log dropped packets from and to hostile networks',
 'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking',
 'log enabled' => 'Log Enabled',
 'log level' => 'Log Level',
-- 
2.43.0

[PATCH v2 4/4] optionsfw.cgi: Move Logging section to after all Firewall Options Drop commands

[Adolf Belka]

[-- Attachment #1: Type: text/plain, Size: 3642 bytes --]

- Moved the Logging section to after all Firewall Options Drop commands as discussed
   at January 2024 Video Call.

Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
 html/cgi-bin/optionsfw.cgi | 45 +++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index a2a0058f7..6f80f1901 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -218,6 +218,29 @@ END
 
 	<br>
 
+<table width='95%' cellspacing='0'>
+	<tr bgcolor='$color{'color20'}'>
+		<td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
+			<input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+</table>
+<br>
+
+<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+</table>
+<br>
+
 <table width='95%' cellspacing='0'>
 	<tr bgcolor='$color{'color20'}'>
 		<td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td>
@@ -295,28 +318,6 @@ END
 </table>
 <br/>
 
-<table width='95%' cellspacing='0'>
-	<tr bgcolor='$color{'color20'}'>
-		<td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
-	</tr>
-	<tr>
-		<td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
-		<td align='left'>
-			$Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
-			<input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
-		</td>
-	</tr>
-</table>
-<br>
-
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
-																						<input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
-																						<input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
-- 
2.43.0