From mboxrd@z Thu Jan 1 00:00:00 1970 From: Bernhard Bitsch To: development@lists.ipfire.org Subject: Re: [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic Date: Mon, 22 Jan 2024 11:51:06 +0100 Message-ID: <4e00a94f-6e95-413f-85e7-fc7b1df9e692@ipfire.org> In-Reply-To: <20240121114553.5182-3-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1497496836709115456==" List-Id: --===============1497496836709115456== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Reviewed-by: Bernhard Bitsch Am 21.01.2024 um 12:45 schrieb Adolf Belka: > - This v3 version now has two if loops allowing logging of incoming drop ho= stile or > outgoing drop hostile or both or neither. > - Dependent on the choice in optionsfw.cgi this loop will either log or not= log the > dropped hostile traffic. >=20 > Fixes: bug12981 > Tested-by: Adolf Belka > Signed-off-by: Adolf Belka > --- > src/initscripts/system/firewall | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) >=20 > diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firew= all > index 50f2b3e02..840ae3150 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall 
> @@ -176,9 +176,18 @@ iptables_init() { > iptables -A FORWARD -j HOSTILE > iptables -A OUTPUT -j HOSTILE > =20 > - iptables -N HOSTILE_DROP > - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "= DROP_HOSTILE " > - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" > + iptables -N HOSTILE_DROP_IN > + if [ "$LOGDROPHOSTILEIN" =3D=3D "on" ]; then > + iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-pref= ix "DROP_HOSTILE " > + fi > + iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE" > + > + iptables -N HOSTILE_DROP_OUT > + if [ "$LOGDROPHOSTILEOUT" =3D=3D "on" ]; then > + iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-pre= fix "DROP_HOSTILE " > + fi > + iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE" > + > =20 > # IP Address Blocklist chains > iptables -N BLOCKLISTIN --===============1497496836709115456==--
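Review bot: In the two new `if [ "$LOGDROPHOSTILEIN" == "on" ]` / `if [ "$LOGDROPHOSTILEOUT" == "on" ]` tests, an unset or empty variable silently takes the no-log branch, so a system upgraded before optionsfw.cgi has written the new keys loses the logging that the removed `HOSTILE_DROP` chain performed unconditionally; consider defaulting both variables to "on" where the settings are sourced (e.g. `LOGDROPHOSTILEIN=${LOGDROPHOSTILEIN:-on}`) so behaviour only changes when the admin opts out. The diffstat (12 insertions, 3 deletions) matches this hunk alone, so nothing in this patch re-points whatever currently jumps to `HOSTILE_DROP` at the new `HOSTILE_DROP_IN`/`HOSTILE_DROP_OUT` chains; if that lives in another patch of the series, say so in the commit message, since applied on its own this commit deletes a chain the script may still reference. Two smaller points: both LOG rules keep the identical prefix "DROP_HOSTILE ", so log consumers cannot tell the inbound chain from the outbound one (a per-chain prefix would help, but check what parses that prefix before changing it), and `==` inside `[ ]` is a bash extension, `=` being the portable spelling; the trailing added empty line also leaves two consecutive blank lines before the "IP Address Blocklist chains" comment.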