From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] firewall: Add proper logging prefix for conntrack INVALID hits
Date: Fri, 18 Feb 2022 08:22:23 +0000
Message-ID: <4CB0B37B-81BA-4A08-828D-35EA573C4F74@ipfire.org>

Hello Arne,

> On 18 Feb 2022, at 06:57, Arne Fitzenreiter wrote:
>
> Hi Peter,
>
> I ack that this fixes the empty log lines, but I have seen another problem with dropping all "invalid" packets.
> The ICMP reject messages, if something is not allowed, have --ctstate INVALID and should be processed.

No, this is correct. Peter's patches are not changing this behaviour. We have been dropping those packets since forever.

Peter's patches only add that we log them now, which might be helpful in finding any networking problems.

> Also, I miss a switch to disable the logging.

Why?

-Michael

> Arne
>
>
> On 2022-02-17 21:16, Peter Müller wrote:
>> Fixes: #12778
>> Signed-off-by: Peter Müller
>> ---
>> src/initscripts/system/firewall | 6 +++++-
>> 1 file changed, 5 insertions(+), 1 deletion(-)
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index fc355cd5d..2f4b4e30e 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -119,9 +119,13 @@ iptables_init() { >> iptables -A FORWARD -p tcp -j BADTCP >> # Connection tracking chains >> + iptables -N CTINVALID >> + iptables -A CTINVALID -m limit --limit 10/second -j LOG >> --log-prefix "DROP_CTINVALID " >> + iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID" >> + >> iptables -N CONNTRACK >> iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED -j ACCEPT >> - iptables -A CONNTRACK -m conntrack --ctstate INVALID -j LOG_DROP >> + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID >> iptables -A CONNTRACK -p icmp -m conntrack --ctstate RELATED -j ACCEPT >> # Restore any connection marks --===============1621655581225881521==--
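Review bot: the LOG rule added to the CTINVALID chain uses `-m limit --limit 10/second` with no `--limit-burst`, and that is one token bucket shared by every source, so a single host emitting a burst of INVALID packets (late RST/ACKs of an already-closed flow, for instance) exhausts it and silently hides hits from every other host, which works against the stated goal of finding networking problems; a per-source budget with `-m hashlimit --hashlimit-mode srcip` (or at least an explicit `--limit-burst`) would be more useful here, and because the LOG rule is unconditional, guarding just that one line with a configuration variable would also provide the logging switch asked for in the reply. The `-j CTINVALID` jump that replaces `-j LOG_DROP` still ends in `-j DROP`, so the ICMP reject concern raised in the thread is pre-existing behaviour rather than something this hunk introduces.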
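The point of the prefix is that the kernel's LOG output becomes greppable once it lands in syslog. The following Python is an added example, not code from the thread or from IPFire: it parses netfilter LOG lines, picks out the hits carrying the `DROP_CTINVALID ` prefix the patch sets, and summarises them per interface, source and protocol so the noisy source behind a "networking problem" stands out. The log lines are constructed for the example and follow the standard netfilter LOG field layout (including the bracketed original-packet fields that follow an ICMP error); the trailing space in the prefix matters because the kernel glues the prefix straight onto `IN=`, and the parser tolerates a prefix logged without it.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real IPFire box). The
# "DROP_CTINVALID " prefix is the one the quoted patch passes to --log-prefix;
# the fourth line uses a different prefix and must be ignored.
MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = f"""\
Feb 18 08:20:01 ipfire kernel: DROP_CTINVALID IN=red0 OUT= MAC={MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=443 DPT=51324 WINDOW=0 RES=0x00 ACK RST URGP=0
Feb 18 08:20:02 ipfire kernel: DROP_CTINVALID IN=red0 OUT= MAC={MAC} SRC=203.0.113.5 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO=TCP SPT=443 DPT=51324 WINDOW=0 RES=0x00 ACK URGP=0
Feb 18 08:20:03 ipfire kernel: DROP_CTINVALID IN=green0 OUT= MAC={MAC} SRC=192.168.1.20 DST=203.0.113.9 LEN=56 TOS=0x00 PREC=0xC0 TTL=64 ID=1234 PROTO=ICMP TYPE=3 CODE=3 [SRC=203.0.113.9 DST=192.168.1.20 LEN=28 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=UDP SPT=53 DPT=33000 LEN=8 ]
Feb 18 08:20:04 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC={MAC} SRC=203.0.113.77 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# A netfilter LOG line is whatever the kernel printed after "kernel: " and
# always carries an IN= field; anything else is not ours.
NF_RE = re.compile(r"kernel: (?P<msg>.*IN=.*)$")


def _tokenize(text):
    """Split 'KEY=VALUE KEY=VALUE FLAG ...' into a dict of fields and a set
    of bare flag tokens (DF, SYN, ACK, RST, ...)."""
    fields, flags = {}, set()
    for tok in text.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val          # a later LEN= (UDP length) overwrites the IP one, as in the kernel output
        else:
            flags.add(tok)
    return fields, flags


def parse_log_line(line):
    """Parse one netfilter LOG line, or return None if the line is not one.

    'prefix' is the text before the first IN= field with whitespace stripped,
    so a prefix logged without the trailing space still resolves correctly.
    'inner' holds the fields of the embedded original packet that the kernel
    prints in [...] after an ICMP error, or an empty dict otherwise.
    """
    m = NF_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    head, _, inner_text = msg.partition("[")
    idx = head.index("IN=")
    prefix = head[:idx].strip()
    fields, flags = _tokenize(head[idx:])
    inner = _tokenize(inner_text.rstrip("] \n"))[0] if inner_text else {}
    return {"prefix": prefix, "fields": fields, "flags": flags, "inner": inner}


def ctinvalid_hits(log_text, prefix="DROP_CTINVALID"):
    """Return the parsed records whose prefix matches the CTINVALID chain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["prefix"] == prefix:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits by (in-interface, source, protocol). ICMP is keyed with its
    type/code so that e.g. port-unreachable rejects (3/3) are visible as such."""
    counts = Counter()
    for rec in hits:
        f = rec["fields"]
        proto = f.get("PROTO", "?")
        if proto == "ICMP":
            proto = f"ICMP/{f.get('TYPE')}/{f.get('CODE')}"
        counts[(f.get("IN"), f.get("SRC"), proto)] += 1
    return counts


if __name__ == "__main__":
    for (iface, src, proto), n in summarize(ctinvalid_hits(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  {iface:8s} {src:16s} {proto}")
```

Feeding `journalctl -k` or `/var/log/messages` into `ctinvalid_hits` instead of the sample text is the only change needed on a real box. The ICMP record keeps the quoted inner packet, so the third sample line can be read as a host on green answering port-unreachable to a UDP/53 reply that conntrack never saw a request for, which is exactly the kind of hit the new prefix makes attributable.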