From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH 2/3] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
Date: Wed, 27 Dec 2023 13:49:03 +0100
Message-ID: <5607b76a-a885-493f-98b8-37f253e9e759@ipfire.org>
In-Reply-To:

Hi Matthias,

On 27/12/2023 02:21, Matthias Fischer wrote:
> Hi Adolf,
>
> I tested and I'd suggest to place the if-loop a few lines higher - under
> the 'Firewall logging'-section.
>
> I inserted your code at line ~289ff, right under DROPSPOOFEDMARTIAN.
>
> And now it looks as in the screenshot.

I did that location in my first patch build. I changed it to the one I submitted as this log selection is tied to the only firewall command that can be turned on or off for the drop. So I thought it made more sense to be directly linked with the drop hostile selection command. However, I am happy in either case.

During the night I thought that maybe the log selection should be greyed out if the drop hostile was set to off, as there is no point in trying to log or not log a command that is not doing any dropping.

Then this morning I thought maybe this drop hostile command has been around now for long enough that we don't need to have it turned off by default for updates. Maybe this command should, like for example DROP CTINVALID etc., occur by default. In that case the selection of DROP_HOSTILE would no longer occur and the LOG_DROP_HOSTILE could then go with the other logging decision options.

I will put this question into the next video conf call on 8th January.

Regards,
Adolf.
>=20 > jm2c ;-) >=20 > Best, > Matthias >=20 > On 26.12.2023 20:46, Adolf Belka wrote: >> - Dependent on the choice in optionsfw.cgi this loop will either log or no= t log the >> dropped hostile traffic. >> >> Fixes: bug12981 >> Tested-by: Adolf Belka >> Signed-off-by: Adolf Belka >> --- >> src/initscripts/system/firewall | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/fire= wall >> index 50f2b3e02..352ae2496 100644 >> --- a/src/initscripts/system/firewall >> +++ b/src/initscripts/system/firewall >> @@ -177,7 +177,9 @@ iptables_init() { >> iptables -A OUTPUT -j HOSTILE >> =20 >> iptables -N HOSTILE_DROP >> - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix = "DROP_HOSTILE " >> + if [ "$LOGDROPHOSTILE" =3D=3D "on" ]; then >> + iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix= "DROP_HOSTILE " >> + fi >> iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE" >> =20 >> # IP Address Blocklist chains --===============2556177923835912497==--
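Review bot: The guard added in this hunk, `if [ "$LOGDROPHOSTILE" == "on" ]; then`, uses the bash-only `==` inside single brackets; `[ "$LOGDROPHOSTILE" = "on" ]` behaves identically under bash and also under a POSIX sh, so it is the safer spelling for an init script. Two things the hunk itself does not show should be confirmed before merging: nothing in this diff reads LOGDROPHOSTILE from the firewall settings, so it has to be populated earlier (presumably by another patch in this series) before iptables_init() runs, and if the variable is unset or holds anything other than "on", the LOG rule is skipped silently, so the effective default is no logging of hostile drops. If that default is intended, a comment above the if stating it would help the next reader; if not, the test could be inverted to skip logging only when the option is explicitly "off". The `-j DROP` rule below the guard stays unconditional, which matches the stated goal of toggling only the logging, not the drop.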