* [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
@ 2024-01-21 11:45 Adolf Belka
2024-01-21 11:45 ` [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile Adolf Belka
From: Adolf Belka @ 2024-01-21 11:45 UTC (permalink / raw)
To: development
- This v3 version has split the logging choice for drop hostile to separate the logging of
incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway.
However the logs were being swamped by the logging of drop hostile making analysis
difficult. So incoming drop hostile was desired to not be logged. However logging of
outgoing drop hostile was desired to identify if clients on the internal lan were
infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be
logged or not.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..52ac1b01e 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
if (!$settings{'DROPHOSTILE'}) {
$settings{'DROPHOSTILE'} = 'off';
}
+if (!$settings{'LOGDROPHOSTILEIN'}) {
+ $settings{'LOGDROPHOSTILEIN'} = 'on';
+}
+if (!$settings{'LOGDROPHOSTILEOUT'}) {
+ $settings{'LOGDROPHOSTILEOUT'} = 'on';
+}
if (!$settings{'LOGDROPCTINVALID'}) {
$settings{'LOGDROPCTINVALID'} = 'on';
}
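Review bot: defaulting LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT to 'on' when the keys are absent keeps the pre-patch behaviour (hostile drops were always logged), but the default only exists inside this CGI's %settings hash until the page is saved; nothing here writes it to the settings file. The commit message should state that an upgraded system has no value for these keys until the user saves the firewall options page once, and whatever reads the settings file (the firewall initscript in 3/7) needs the same 'on' fallback.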
@@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
$checked{'DROPHOSTILE'}{'off'} = '';
$checked{'DROPHOSTILE'}{'on'} = '';
$checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
+$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
+$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
$checked{'LOGDROPCTINVALID'}{'off'} = '';
$checked{'LOGDROPCTINVALID'}{'on'} = '';
$checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
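Review bot: the three-line checked pattern follows the existing LOGDROPCTINVALID block, but it only handles the values 'on' and 'off'; the fallback in the previous hunk covers an empty value, while any other non-empty value in the settings file leaves both radio buttons unchecked and the next save posts whatever the browser sends. A whitelist on the POST side (accept only 'on'/'off', else fall back to 'on') would close that gap for both new keys.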
@@ -279,6 +291,20 @@ END
<input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
</td>
</tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
+ <input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
+ <input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
</table>
<br/>
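Review bot: the labels $Lang::tr{'log drop hostile in'} and $Lang::tr{'log drop hostile out'} are only defined in 4/7 of this series, so applying 1/7 on its own renders two rows with empty labels. Either reorder the series so the language patch lands first or mention the dependency in the commit message. The markup itself mirrors the DROPSPOOFEDMARTIAN row above it, including the trailing "/>/" separator, so it is consistent with the rest of the table.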
--
2.43.0
* [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
2024-01-21 11:45 [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Adolf Belka
@ 2024-01-21 11:45 ` Adolf Belka
2024-01-22 10:48 ` Bernhard Bitsch
2024-01-21 11:45 ` [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic Adolf Belka
From: Adolf Belka @ 2024-01-21 11:45 UTC (permalink / raw)
To: development
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and
HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
independently.
Fixes: bug12981
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/firewall/rules.pl | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 7edb910e2..a47c260a1 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -726,8 +726,8 @@ sub drop_hostile_networks () {
&ipset_restore($HOSTILE_CCODE);
# Check traffic in incoming/outgoing direction and drop if it matches
- run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
- run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
+ run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");
+ run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT");
}
sub ipblocklist () {
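Review bot: the HOSTILE_DROP_IN and HOSTILE_DROP_OUT targets are created by the firewall initscript in 3/7, and iptables rejects a -j to a chain that does not exist, so rules.pl run against a firewall that was started from the old initscript fails on both of these lines and leaves the HOSTILE chain without its drop rules. Either squash 2/7 and 3/7 into one commit or state in the commit message that the firewall must be restarted after upgrade, and note that the old HOSTILE_DROP chain is no longer referenced from here.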
--
2.43.0
* [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
2024-01-21 11:45 [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Adolf Belka
2024-01-21 11:45 ` [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile Adolf Belka
@ 2024-01-21 11:45 ` Adolf Belka
2024-01-22 10:51 ` Bernhard Bitsch
2024-01-21 11:45 ` [PATCH v3 4/7] en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging Adolf Belka
From: Adolf Belka @ 2024-01-21 11:45 UTC (permalink / raw)
To: development
- This v3 version now has two if loops allowing logging of incoming drop hostile or
outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the
dropped hostile traffic.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
src/initscripts/system/firewall | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 50f2b3e02..840ae3150 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -176,9 +176,18 @@ iptables_init() {
iptables -A FORWARD -j HOSTILE
iptables -A OUTPUT -j HOSTILE
- iptables -N HOSTILE_DROP
- iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
- iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+ iptables -N HOSTILE_DROP_IN
+ if [ "$LOGDROPHOSTILEIN" == "on" ]; then
+ iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+ fi
+ iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE"
+
+ iptables -N HOSTILE_DROP_OUT
+ if [ "$LOGDROPHOSTILEOUT" == "on" ]; then
+ iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+ fi
+ iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE"
+
# IP Address Blocklist chains
iptables -N BLOCKLISTIN
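Review bot: `[ "$LOGDROPHOSTILEIN" == "on" ]` treats an unset variable as "off", so on an upgraded system whose settings file does not yet contain the new keys (the 'on' default in 1/7 is applied in memory by optionsfw.cgi and only reaches the file when the page is saved) the LOG rule is silently omitted and hostile-drop logging stops, the opposite of the previous always-log behaviour and of the default the UI shows. Use a parameter default, e.g. `if [ "${LOGDROPHOSTILEIN:-on}" = "on" ]; then`, which also replaces the non-POSIX `==` with `=`; the same applies to LOGDROPHOSTILEOUT. Both chains still log with the identical prefix "DROP_HOSTILE ", so the kernel log cannot tell the two directions apart even though distinguishing them is the point of this series; "DROP_HOSTILE_IN " and "DROP_HOSTILE_OUT " would do that, provided the log parsers that match on the prefix are updated with it.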
--
2.43.0
* [PATCH v3 4/7] en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
2024-01-21 11:45 [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Adolf Belka
2024-01-21 11:45 ` [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile Adolf Belka
2024-01-21 11:45 ` [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic Adolf Belka
@ 2024-01-21 11:45 ` Adolf Belka
2024-01-21 11:45 ` [PATCH v3 5/7] collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection Adolf Belka
From: Adolf Belka @ 2024-01-21 11:45 UTC (permalink / raw)
To: development
- In this v3 version I have added translations for hostile networks in and hostile
networks out and log drop hostile in and log drop hostile out.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
doc/language_issues.de | 5 +++++
doc/language_issues.en | 5 ++++-
doc/language_issues.es | 5 +++++
doc/language_issues.fr | 5 +++++
doc/language_issues.it | 5 ++++-
doc/language_issues.nl | 5 ++++-
doc/language_issues.pl | 5 ++++-
doc/language_issues.ru | 5 ++++-
doc/language_issues.tr | 5 ++++-
doc/language_missings | 37 ++++++++++++++++++++++++++++++++-----
langs/en/cgi-bin/en.pl | 5 ++++-
11 files changed, 75 insertions(+), 12 deletions(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4fd5a0819..29bf5b8d7 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -375,6 +375,7 @@ WARNING: translation string unused: host
WARNING: translation string unused: host allow
WARNING: translation string unused: host configuration
WARNING: translation string unused: host deny
+WARNING: translation string unused: hostile networks
WARNING: translation string unused: hostname and domain already in use
WARNING: translation string unused: hour-graph
WARNING: translation string unused: hours2
@@ -923,12 +924,16 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code
WARNING: untranslated string: invalid input for subscription code = Invalid input for subscription code
WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon
WARNING: untranslated string: no entries = No entries at the moment.
WARNING: untranslated string: optional = Optional
diff --git a/doc/language_issues.en b/doc/language_issues.en
index b4327cb78..4f37e43f7 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1039,7 +1039,8 @@ WARNING: untranslated string: holdoff = Holdoff time (in seconds)
WARNING: untranslated string: host certificate = Host Certificate
WARNING: untranslated string: host ip = Host IP address
WARNING: untranslated string: host to net vpn = Host-to-Net Virtual Private Network (RoadWarrior)
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: hostname = Hostname
WARNING: untranslated string: hostname cant be empty = Hostname cannot be empty.
WARNING: untranslated string: hostname not set = Hostname not set.
@@ -1247,6 +1248,8 @@ WARNING: untranslated string: locationblock country is allowed = Incoming traffi
WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
WARNING: untranslated string: log = Log
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
WARNING: untranslated string: log lines per page = Lines per page
WARNING: untranslated string: log server address = Syslog server:
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 45ffdf5d7..22b6efbc3 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -415,6 +415,7 @@ WARNING: translation string unused: host
WARNING: translation string unused: host allow
WARNING: translation string unused: host configuration
WARNING: translation string unused: host deny
+WARNING: translation string unused: hostile networks
WARNING: translation string unused: hostname and domain already in use
WARNING: translation string unused: hour-graph
WARNING: translation string unused: hours2
@@ -989,8 +990,12 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: info messages = unknown string
WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: no data = unknown string
WARNING: untranslated string: openvpn cert expires soon = Expires Soon
WARNING: untranslated string: openvpn cert has expired = Expired
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index cacfb1ec6..68514699d 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -402,6 +402,7 @@ WARNING: translation string unused: host
WARNING: translation string unused: host allow
WARNING: translation string unused: host configuration
WARNING: translation string unused: host deny
+WARNING: translation string unused: hostile networks
WARNING: translation string unused: hostname and domain already in use
WARNING: translation string unused: hour-graph
WARNING: translation string unused: hours2
@@ -947,6 +948,10 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: pakfire ago = ago.
WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.
WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 68ff12c86..fed7f4195 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1068,7 +1068,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: ids add provider = Add provider
WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
WARNING: untranslated string: ids apply = Apply
@@ -1159,6 +1160,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: masquerade blue = Masquerade BLUE
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index d1a637215..9f9fce689 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1073,7 +1073,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: ids add provider = Add provider
WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
WARNING: untranslated string: ids apply = Apply
@@ -1166,6 +1167,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: masquerade blue = Masquerade BLUE
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 893f73211..48c0974e8 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1213,7 +1213,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: ids add provider = Add provider
WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
WARNING: untranslated string: ids apply = Apply
@@ -1315,6 +1316,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 64c9b5095..a1112396c 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1210,7 +1210,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: ids add provider = Add provider
WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
WARNING: untranslated string: ids apply = Apply
@@ -1313,6 +1314,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati
WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed
WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked
WARNING: untranslated string: locationblock enable feature = Enable Location based blocking:
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
WARNING: untranslated string: log server protocol = protocol:
WARNING: untranslated string: mac filter = MAC filter
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index eadbd33c7..649ebf6b4 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1010,7 +1010,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string
WARNING: untranslated string: guardian no entries = unknown string
WARNING: untranslated string: guardian service = unknown string
WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities
-WARNING: untranslated string: hostile networks = Hostile networks
+WARNING: untranslated string: hostile networks in = Hostile networks in
+WARNING: untranslated string: hostile networks out = Hostile networks out
WARNING: untranslated string: ids add provider = Add provider
WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations...
WARNING: untranslated string: ids apply = Apply
@@ -1089,6 +1090,8 @@ WARNING: untranslated string: ipsec settings = IPsec Settings
WARNING: untranslated string: itlb multihit = iTLB MultiHit
WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation
WARNING: untranslated string: local ip address = Local IP Address
+WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks
+WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks
WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking
WARNING: untranslated string: meltdown = Meltdown
WARNING: untranslated string: mitigated = Mitigated
diff --git a/doc/language_missings b/doc/language_missings
index 28ae29c2b..8a92fde97 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -58,6 +58,8 @@
< extrahd because it it outside the allowed mount path
< g.dtm
< g.lite
+< hostile networks in
+< hostile networks out
< ids automatic rules update
< ids subscription code required
< insert removable device
@@ -66,6 +68,8 @@
< ipsec invalid ip address or fqdn for rw endpoint
< ipsec roadwarrior endpoint
< link-layer encapsulation
+< log drop hostile in
+< log drop hostile out
< netbios nameserver daemon
< no entries
< notes
@@ -114,7 +118,11 @@
< extrahd not configured
< extrahd not mounted
< hardware vulnerabilities
+< hostile networks in
+< hostile networks out
< invalid ip or hostname
+< log drop hostile in
+< log drop hostile out
< openvpn cert expires soon
< openvpn cert has expired
< reiserfs warning1
@@ -138,6 +146,10 @@
< extrahd not mounted
< g.dtm
< g.lite
+< hostile networks in
+< hostile networks out
+< log drop hostile in
+< log drop hostile out
< reiserfs warning1
< reiserfs warning2
< spec rstack overflow
@@ -361,7 +373,8 @@
< guaranteed bandwidth
< guardian
< hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
< ids add provider
< ids adjust ruleset
< ids apply
@@ -464,6 +477,8 @@
< locationblock country name
< locationblock enable feature
< locationblock flag
+< log drop hostile in
+< log drop hostile out
< log dropped conntrack invalids
< log server protocol
< masquerade blue
@@ -880,7 +895,8 @@
< generate ptr
< guardian
< hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
< ids add provider
< ids adjust ruleset
< ids apply
@@ -985,6 +1001,8 @@
< locationblock country name
< locationblock enable feature
< locationblock flag
+< log drop hostile in
+< log drop hostile out
< log dropped conntrack invalids
< log server protocol
< masquerade blue
@@ -1704,7 +1722,8 @@
< grouptype
< guardian
< hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
< ids add provider
< ids adjust ruleset
< ids apply
@@ -1819,6 +1838,8 @@
< locationblock country name
< locationblock enable feature
< locationblock flag
+< log drop hostile in
+< log drop hostile out
< log dropped conntrack invalids
< log server protocol
< mac filter
@@ -2695,7 +2716,8 @@
< grouptype
< guardian
< hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
< hour-graph
< ids add provider
< ids adjust ruleset
@@ -2812,6 +2834,8 @@
< locationblock country name
< locationblock enable feature
< locationblock flag
+< log drop hostile in
+< log drop hostile out
< log dropped conntrack invalids
< log server protocol
< mac filter
@@ -3280,7 +3304,8 @@
< fw red
< generate ptr
< hardware vulnerabilities
-< hostile networks
+< hostile networks in
+< hostile networks out
< ids add provider
< ids adjust ruleset
< ids apply
@@ -3368,6 +3393,8 @@
< legacy architecture warning
< link-layer encapsulation
< local ip address
+< log drop hostile in
+< log drop hostile out
< log dropped conntrack invalids
< meltdown
< mitigated
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 16a3061b4..935217f0b 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1409,7 +1409,8 @@
'host deny' => 'list with denied hosts',
'host ip' => 'Host IP address',
'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)',
-'hostile networks' => 'Hostile networks',
+'hostile networks in' => 'Hostile networks in',
+'hostile networks out' => 'Hostile networks out',
'hostname' => 'Hostname',
'hostname and domain already in use' => 'Hostname and domain already in use.',
'hostname cant be empty' => 'Hostname cannot be empty.',
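Review bot: 'hostile networks' is removed here, but graphs.pl still reads $Lang::tr{'hostile networks'} until 6/7 replaces it, so between 4/7 and 6/7 the firewall-hits graph legend shows an empty label. Either move this removal into 6/7 or reorder the series so the graph change precedes it. The doc/language_issues.de, .es and .fr hunks above reporting "translation string unused: hostile networks" show that those language files still carry the old key, which is harmless but worth cleaning up later.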
@@ -1686,6 +1687,8 @@
'locationblock enable feature' => 'Enable Location based blocking:',
'locationblock flag' => 'Flag',
'log' => 'Log',
+'log drop hostile in' => 'Log dropped packets FROM hostile networks',
+'log drop hostile out' => 'Log dropped packets TO hostile networks',
'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking',
'log enabled' => 'Log Enabled',
'log level' => 'Log Level',
--
2.43.0
* [PATCH v3 5/7] collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection
2024-01-21 11:45 [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Adolf Belka
2024-01-21 11:45 ` [PATCH v3 4/7] en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging Adolf Belka
@ 2024-01-21 11:45 ` Adolf Belka
2024-01-21 11:45 ` [PATCH v3 6/7] graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries Adolf Belka
From: Adolf Belka @ 2024-01-21 11:45 UTC (permalink / raw)
To: development
- In this v3 version of the patch set the splitting of drop hostile logging into incoming
and outgoing logging means that the data collection and graphs need to have drop hostile
also split into incoming and outgoing.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/collectd/collectd.conf | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index 4ef34ea07..cc49f0ba7 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -51,7 +51,8 @@ include "/etc/collectd.precache"
Chain filter POLICYOUT DROP_OUTPUT
Chain filter POLICYIN DROP_INPUT
Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
- Chain filter HOSTILE_DROP DROP_HOSTILE
+ Chain filter HOSTILE_DROP_IN DROP_HOSTILE
+ Chain filter HOSTILE_DROP_OUT DROP_HOSTILE
</Plugin>
#<Plugin logfile>
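Review bot: both new Chain lines keep DROP_HOSTILE as the match comment, which is correct because the counters are stored per chain (iptables-filter-HOSTILE_DROP_IN and iptables-filter-HOSTILE_DROP_OUT), matching the RRD paths graphs.pl reads in 6/7. The existing iptables-filter-HOSTILE_DROP data is orphaned by this change, so the history collected before the upgrade will not appear in the new graphs; the commit message should say so.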
--
2.43.0
* [PATCH v3 6/7] graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries
2024-01-21 11:45 [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Adolf Belka
2024-01-21 11:45 ` [PATCH v3 5/7] collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection Adolf Belka
@ 2024-01-21 11:45 ` Adolf Belka
2024-01-21 11:45 ` [PATCH v3 7/7] optionsfw.cgi: Move Firewall Options Drop commands to before the logging section Adolf Belka
2024-01-22 13:43 ` [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Bernhard Bitsch
From: Adolf Belka @ 2024-01-21 11:45 UTC (permalink / raw)
To: development
- This v3 version of the patch set splits the single hostile networks graph entry into
incoming hostile networks and outgoing hostile networks entries.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
config/cfgroot/graphs.pl | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl
index 9803dd124..f527447b5 100644
--- a/config/cfgroot/graphs.pl
+++ b/config/cfgroot/graphs.pl
@@ -693,7 +693,8 @@ sub updatefwhitsgraph {
"DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE",
"DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE",
"DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE",
- "DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+ "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
+ "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE",
"COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}),
"COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}),
"COMMENT:".sprintf("%15s",$Lang::tr{'average'}),
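Review bot: both new DEF lines point at RRD files that exist only after collectd has been restarted with the updated collectd.conf from 5/7 and the HOSTILE_DROP_IN and HOSTILE_DROP_OUT chains have delivered at least one sample; until then RRDs::graph fails on the missing file and the caller returns the "Error in RRD::graph for firewallhits" string from the end of this function, so the whole firewall-hits graph disappears, not just the two hostile lines. Guarding each hostile DEF (and its STACK/GPRINT lines) with a `-e` test on the .rrd path, or making sure the update restarts collectd before the graph is first rendered, avoids that window.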
@@ -729,11 +730,16 @@ sub updatefwhitsgraph {
"GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
"GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
"GPRINT:spoofedmartian:LAST:%8.1lf %sBps\\j",
- "STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}),
- "GPRINT:hostile:MAX:%8.1lf %sBps",
- "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
- "GPRINT:hostile:MIN:%8.1lf %sBps",
- "GPRINT:hostile:LAST:%8.1lf %sBps\\j",
+ "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
+ "GPRINT:hostilein:MAX:%8.1lf %sBps",
+ "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
+ "GPRINT:hostilein:MIN:%8.1lf %sBps",
+ "GPRINT:hostilein:LAST:%8.1lf %sBps\\j",
+ "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
+ "GPRINT:hostileout:MAX:%8.1lf %sBps",
+ "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
+ "GPRINT:hostileout:MIN:%8.1lf %sBps",
+ "GPRINT:hostileout:LAST:%8.1lf %sBps\\j",
);
$ERROR = RRDs::error;
return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
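Review bot: the two new legend labels use the translation keys 'hostile networks in' and 'hostile networks out', which this patch does not define; the hunk must land together with the en.pl change listed as 4/7 in this series, otherwise both legend entries print empty, and the old key 'hostile networks' becomes unused after this change and can be retired from the language files. The second STACK takes color25 while the first keeps color13; please confirm the two are visually distinguishable, as incoming and outgoing drops are now stacked directly on top of each other.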
--
2.43.0
* [PATCH v3 7/7] optionsfw.cgi: Move Firewall Options Drop commands to before the logging section
From: Adolf Belka @ 2024-01-21 11:45 UTC (permalink / raw)
To: development
- Moved the Firewall Options Drop commands to before the logging section, as discussed
at January 2024 Video Call.
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
---
html/cgi-bin/optionsfw.cgi | 47 +++++++++++++++++++-------------------
1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 52ac1b01e..60b1bdd91 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -224,6 +224,29 @@ END
<br>
+<table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'>
+ <td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
+ </tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
+ <input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
+</table>
+<br>
+
+<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+ <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+ <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+</table>
+<br>
+
<table width='95%' cellspacing='0'>
<tr bgcolor='$color{'color20'}'>
<td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td>
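Review bot: the two moved tables keep their two different layouts, the 'fw red' table one element per line and the 'fw blue' table with whole rows squeezed onto single lines, and the moved block ends with `<br>` while the logging table just below it is closed with `<br/>`; since the block is being relocated anyway, this is the cheap moment to bring the 'fw blue' rows into the same one-element-per-line form and to settle on one `<br>` spelling, which would also make the removal hunk further down a pure move.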
@@ -308,28 +331,6 @@ END
</table>
<br/>
-<table width='95%' cellspacing='0'>
- <tr bgcolor='$color{'color20'}'>
- <td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
- </tr>
- <tr>
- <td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
- <td align='left'>
- $Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
- <input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
- </td>
- </tr>
-</table>
-<br>
-
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
- <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
- <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
<table width='95%' cellspacing='0'>
<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
<tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
--
2.43.0
* Re: [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
From: Bernhard Bitsch @ 2024-01-22 10:48 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
Acked-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
On 21.01.2024 at 12:45, Adolf Belka wrote:
> - This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and
> HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
> independently.
>
> Fixes: bug12981
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> config/firewall/rules.pl | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 7edb910e2..a47c260a1 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -2,7 +2,7 @@
> ###############################################################################
> # #
> # IPFire.org - A linux based firewall #
> -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> #
> +# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org> #
> # #
> # This program is free software: you can redistribute it and/or modify #
> # it under the terms of the GNU General Public License as published by #
> @@ -726,8 +726,8 @@ sub drop_hostile_networks () {
> &ipset_restore($HOSTILE_CCODE);
>
> # Check traffic in incoming/outgoing direction and drop if it matches
> - run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
> - run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
> + run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");
> + run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT");
> }
>
> sub ipblocklist () {
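Review bot: the new jump targets HOSTILE_DROP_IN and HOSTILE_DROP_OUT are created only by the initscript change in 3/7 of this series, so if rules.pl is re-run against a ruleset that still carries the old HOSTILE_DROP chain (a rules reload after the update without the initscript having rebuilt the chains), both `run(...)` lines fail with iptables' "No chain/target/match by that name" and no hostile traffic is dropped at all; either the update must guarantee the initscript runs first, or rules.pl should create the two chains itself when they are absent. The HOSTILE chain is jumped to from FORWARD and OUTPUT (the 3/7 hunk shows both), so the `-o $RED_DEV` leg covers the firewall's own connections as well as forwarded LAN clients; that matches what the bug reporter wants, but the commit message could say so explicitly.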
* Re: [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
From: Bernhard Bitsch @ 2024-01-22 10:51 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
On 21.01.2024 at 12:45, Adolf Belka wrote:
> - This v3 version now has two if loops allowing logging of incoming drop hostile or
> outgoing drop hostile or both or neither.
> - Dependent on the choice in optionsfw.cgi this loop will either log or not log the
> dropped hostile traffic.
>
> Fixes: bug12981
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index 50f2b3e02..840ae3150 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -176,9 +176,18 @@ iptables_init() {
> iptables -A FORWARD -j HOSTILE
> iptables -A OUTPUT -j HOSTILE
>
> - iptables -N HOSTILE_DROP
> - iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> - iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
> + iptables -N HOSTILE_DROP_IN
> + if [ "$LOGDROPHOSTILEIN" == "on" ]; then
> + iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> + fi
> + iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE"
> +
> + iptables -N HOSTILE_DROP_OUT
> + if [ "$LOGDROPHOSTILEOUT" == "on" ]; then
> + iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
> + fi
> + iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE"
> +
>
> # IP Address Blocklist chains
> iptables -N BLOCKLISTIN
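Review bot: `[ "$LOGDROPHOSTILEIN" == "on" ]` (and its OUT twin) silently disables logging when the variable is unset, which is exactly the state of an upgraded system whose settings file predates these keys, while the CGI in 1/7 treats a missing key as 'on'; `[ "${LOGDROPHOSTILEIN:-on}" = "on" ]` keeps the two defaults consistent and also replaces the bash-only `==` with the portable `=`. Both chains still log with the identical prefix "DROP_HOSTILE ", so the direction of a hit can only be told from the IN=/OUT= interface fields in the log line; a distinct prefix per chain would let the outgoing hits (the ones the bug reporter actually wants to watch) be filtered directly, provided the log viewer's prefix matching is updated with it. Finally, the added trailing `+` blank line sits next to an existing blank line, leaving two empty lines before the blocklist section.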
* Re: [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
From: Bernhard Bitsch @ 2024-01-22 13:43 UTC (permalink / raw)
To: development
Reviewed-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch(a)ipfire.org>
On 21.01.2024 at 12:45, Adolf Belka wrote:
> - This v3 version has split the logging choice for drop hostile to separate the logging of
> incoming drop hostile and outgoing drop hostile.
> - The bug originator had no port forwards so all hostile would be dropped normally anyway.
> However the logs were being swamped by the logging of drop hostile making analysis
> difficult. So incoming drop hostile was desired to not be logged. However logging of
> outgoing drop hostile was desired to identify if clients on the internal lan were
> infected with malware trying to reach home.
> - Added option with drop hostile section to decide if the dropped traffic should be
> logged or not.
>
> Fixes: bug12981
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
>
> diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
> index fbff67b2f..52ac1b01e 100644
> --- a/html/cgi-bin/optionsfw.cgi
> +++ b/html/cgi-bin/optionsfw.cgi
> @@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
> if (!$settings{'DROPHOSTILE'}) {
> $settings{'DROPHOSTILE'} = 'off';
> }
> +if (!$settings{'LOGDROPHOSTILEIN'}) {
> + $settings{'LOGDROPHOSTILEIN'} = 'on';
> +}
> +if (!$settings{'LOGDROPHOSTILEOUT'}) {
> + $settings{'LOGDROPHOSTILEOUT'} = 'on';
> +}
> if (!$settings{'LOGDROPCTINVALID'}) {
> $settings{'LOGDROPCTINVALID'} = 'on';
> }
> @@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
> $checked{'DROPHOSTILE'}{'off'} = '';
> $checked{'DROPHOSTILE'}{'on'} = '';
> $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
> +$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
> +$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
> +$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
> +$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
> +$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
> +$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
> $checked{'LOGDROPCTINVALID'}{'off'} = '';
> $checked{'LOGDROPCTINVALID'}{'on'} = '';
> $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
> @@ -279,6 +291,20 @@ END
> <input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
> </td>
> </tr>
> + <tr>
> + <td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
> + <td align='left'>
> + $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
> + <input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
> + </td>
> + </tr>
> + <tr>
> + <td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
> + <td align='left'>
> + $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
> + <input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
> + </td>
> + </tr>
> </table>
> <br/>
>
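Review bot: the two new rows use the translation keys 'log drop hostile in' and 'log drop hostile out', which are only introduced by the en.pl change (4/7), so this hunk should not be merged ahead of it or the labels render empty. Unlike the neighbouring LOG* rows these two only take effect while DROPHOSTILE is 'on', so a short hint next to the drop hostile switch (which 7/7 moves ahead of the logging section) would save users from toggling a setting that currently does nothing for them.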
2024-01-21 11:45 [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Adolf Belka
2024-01-21 11:45 ` [PATCH v3 2/7] rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile Adolf Belka
2024-01-22 10:48 ` Bernhard Bitsch
2024-01-21 11:45 ` [PATCH v3 3/7] firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic Adolf Belka
2024-01-22 10:51 ` Bernhard Bitsch
2024-01-21 11:45 ` [PATCH v3 4/7] en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging Adolf Belka
2024-01-21 11:45 ` [PATCH v3 5/7] collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection Adolf Belka
2024-01-21 11:45 ` [PATCH v3 6/7] graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries Adolf Belka
2024-01-21 11:45 ` [PATCH v3 7/7] optionsfw.cgi: Move Firewall Options Drop commands to before the logging section Adolf Belka
2024-01-22 13:43 ` [PATCH v3 1/7] optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic Bernhard Bitsch