From: Adolf Belka <adolf.belka@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
Date: Wed, 27 Dec 2023 13:49:03 +0100 [thread overview]
Message-ID: <5607b76a-a885-493f-98b8-37f253e9e759@ipfire.org> (raw)
In-Reply-To: <e2a87fdc-48b1-483b-ab58-8b85166c6817@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2469 bytes --]
Hi Matthias,
On 27/12/2023 02:21, Matthias Fischer wrote:
> Hi Adolf,
>
> I tested and I'd suggest to place the if-loop a few lines higher - under
> the 'Firewall logging'-section.
>
> I inserted your code at line ~289ff, right under DROPSPOOFEDMARTIAN.
>
> And now it looks as in the screenshot.
I did that location in my first patch build. I changed it to the one I submitted as this log selection is tied to the only firewall command that can be turned on or off for the drop. So I thought it made more sense to be directly linked with the drop hostile selection command.
However I am happy in either case.
During the night I thought that maybe the log selection should be greyed out if the drop hostile was set to off as there is no point in trying to log or not log a command that is not doing any dropping.
Then this morning I thought maybe this drop hostile command has been around now for long enough that we don't need to have it turned off by default for updates. Maybe this command should, like for example DROP CTINVALID etc, occur by default. In that case the selection of DROP_HOSTILE would no longer occur and the LOG_DROP_HOSTILE could then go with the other logging decision options.
I will put this question into the next video conf call on 8th January.
Regards,
Adolf.
>
> jm2c ;-)
>
> Best,
> Matthias
>
> On 26.12.2023 20:46, Adolf Belka wrote:
>> - Dependent on the choice in optionsfw.cgi this loop will either log or not log the
>> dropped hostile traffic.
>>
>> Fixes: bug12981
>> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
>> ---
>> src/initscripts/system/firewall | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
>> index 50f2b3e02..352ae2496 100644
>> --- a/src/initscripts/system/firewall
>> +++ b/src/initscripts/system/firewall
>> @@ -177,7 +177,9 @@ iptables_init() {
>> iptables -A OUTPUT -j HOSTILE
>>
>> iptables -N HOSTILE_DROP
>> - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
>> + if [ "$LOGDROPHOSTILE" == "on" ]; then
>> + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
>> + fi
>> iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
>>
>> # IP Address Blocklist chains
next parent reply other threads:[~2023-12-27 12:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <e2a87fdc-48b1-483b-ab58-8b85166c6817@ipfire.org>
2023-12-27 12:49 ` Adolf Belka [this message]
2023-12-26 19:46 [PATCH 1/3] optionsfw.cgi: Fix bug12981 - Add option " Adolf Belka
2023-12-26 19:46 ` [PATCH 2/3] firewall: Fixes bug12981 - add if loop " Adolf Belka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5607b76a-a885-493f-98b8-37f253e9e759@ipfire.org \
--to=adolf.belka@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox