From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] CU184-update.sh: Add drop hostile in & out logging entries
Date: Mon, 18 Mar 2024 16:15:48 +0000
Message-ID: <7407135D-7959-45F3-9E79-2D9C64966616@ipfire.org>
In-Reply-To: <0a5210dc-9330-466d-8d3f-360ac72721c7@ipfire.org>

I would rather like to solve this programmatically in the updater for c185. Can we not add the value if we don't find it in the configuration file?

-Michael

> On 18 Mar 2024, at 11:10, Adolf Belka wrote:
> 
> Hi Michael,
> 
> On 18/03/2024 11:15, Michael Tremer wrote:
>> Hello Adolf,
>> Okay. I have merged this and as soon as the build is done I will push the new update out.
>> What are we doing with the people who have already installed the update?
> 
> The positive thing is that if they had drop hostile enabled in the previous version then that will stay in place.
> 
> However, the logging will not occur. On the WUI page it will show as enabled to log but as the values were not saved into the settings file they are treated as disabled.
> 
> The way to solve this for people affected is to press the Save button on the WUI page and do a reboot.
> 
> The only way to deal with this that I can see is to maybe do a blog post on it. That fix has been noted in the forum on the post from Roberto who noted that drop hostile traffic was being blocked but there were no log entries.
> Of course I will keep an eye out on all forum posts to see if any other people notice that there is no logging and let them know the solution.
> 
> Are there any other approaches that you can think of?
> 
> Regards,
> 
> Adolf.
>> -Michael
>>> On 16 Mar 2024, at 09:32, Adolf Belka wrote:
>>> 
>>> - My drop hostile patch set updated the WUI entries to include in and out logging options
>>> but the values need to be added to the optionsfw entries for existing systems being
>>> upgraded.
>>> - After the existing CU184 update the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries
>>> are not in the settings file which treats them as being set to off, even though they
>>> are enabled in the WUI update.
>>> - This patch adds the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries into the settings
>>> file and then runs the firewallctrl command to apply to the firewall.
>>> - Ran a CU184 update on a CU183 vm system and then ran the commands added into the update.sh
>>> script and then did a reboot. Entries include and DROP_HOSTILE entries start to be
>>> logged again.
>>> 
>>> Tested-by: Adolf Belka
>>> Signed-off-by: Adolf Belka
>>> ---
>>> config/rootfiles/core/184/update.sh | 6 ++++++
>>> 1 file changed, 6 insertions(+)
>>> 
>>> diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/184/update.sh
>>> index aa593047d..1a0e67c66 100644
>>> --- a/config/rootfiles/core/184/update.sh
>>> +++ b/config/rootfiles/core/184/update.sh
>>> @@ -80,6 +80,12 @@ xz --check=crc32 --lzma2=dict=512KiB /lib/modules/6.6.15-ipfire/extra/wlan/8812a
>>> # Apply local configuration to sshd_config
>>> /usr/local/bin/sshctrl
>>> 
>>> +# Add the drop hostile in and out logging options
>>> +# into the optionsfw settings file and apply to firewall
>>> +sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings
>>> +sed -i '$ a\LOGDROPHOSTILEOUT=on' /var/ipfire/optionsfw/settings
>>> +/usr/local/bin/firewallctrl
>>> + 
>>> # Start services
>>> telinit u
>>> /etc/init.d/vnstat start
>>> -- 
>>> 2.44.0
>>> 
> 
> -- 
> Sent from my laptop
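Review bot: the two `sed -i '$ a\...'` lines in the update.sh hunk append unconditionally, so the step is not idempotent: if /var/ipfire/optionsfw/settings already contains a LOGDROPHOSTILEIN= or LOGDROPHOSTILEOUT= line (a user who already pressed Save on the WUI page, or the script being run a second time) the file ends up with duplicate keys, and `$ a` appends nothing at all on an empty file because there is no last line for the address to match. Guard each append on the key being absent, e.g. `grep -q '^LOGDROPHOSTILEIN=' /var/ipfire/optionsfw/settings || echo 'LOGDROPHOSTILEIN=on' >> /var/ipfire/optionsfw/settings`, which is also the "add the value only if we don't find it" behaviour proposed for the c185 updater in the reply above.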
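The "add the value only if it is missing" approach suggested in the reply above, written out as an added example; this is not IPFire's own updater code, and the function names, the sample settings file contents and the key names DROPHOSTILE/DROPINPUT used in the demo are assumptions.

```shell
#!/bin/sh
# Added example (not IPFire's updater code): idempotently make sure KEY=VALUE
# lines exist in a KEY=VALUE settings file, the way a c185 updater could
# backfill LOGDROPHOSTILEIN / LOGDROPHOSTILEOUT without duplicating them.

# ensure_setting FILE KEY VALUE
# Appends "KEY=VALUE" only when no line starting with "KEY=" exists yet.
# Works on an empty file (where `sed '$ a'` would append nothing) and on a
# file whose last line has no trailing newline.
ensure_setting() {
    file="$1" key="$2" value="$3"
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        return 0                       # already present: keep the existing value
    fi
    # If the last byte is not a newline, start a fresh line before appending.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s=%s\n' "$key" "$value" >> "$file"
}

# count_key FILE KEY: number of lines defining KEY (1 means no duplicates).
count_key() {
    grep -c "^${2}=" "$1"
}

# Demo on a constructed settings file mimicking the post-CU184 state: drop
# hostile is switched on but the two logging keys were never written.
demo() {
    tmp=$(mktemp)
    printf 'DROPHOSTILE=on\nDROPINPUT=on' > "$tmp"   # constructed; no trailing newline
    ensure_setting "$tmp" LOGDROPHOSTILEIN on
    ensure_setting "$tmp" LOGDROPHOSTILEOUT on
    ensure_setting "$tmp" LOGDROPHOSTILEIN on       # second run must not duplicate
    result="$(count_key "$tmp" LOGDROPHOSTILEIN):$(count_key "$tmp" LOGDROPHOSTILEOUT):$(wc -l < "$tmp" | tr -d ' ')"
    rm -f "$tmp"
    echo "$result"   # 1:1:4
}

demo
```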