From: Rob Brewer
To: development@lists.ipfire.org
Subject: Re: Logging Locationblock packets [PATCH]
Date: Fri, 22 Nov 2024 16:04:51 +0000

On Wed, 20 Nov 2024 23:08:39 -0000 (UTC), Rob Brewer wrote:

Sorry I got caught out by my editor's word wrap. I've now turned it off so hopefully this will be OK.

Rob

> OK - I have modified location-block.cgi to add an additional checkbox at
> the top of the page titled "Log dropped packets", very similar to
> ipblocklist.cgi. This adds an entry to the /var/ipfire/firewall/locationblock
> settings file ON or OFF.

> /srv/web/ipfire/cgi-bin/location-block.cgi =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D 62a63,69 > # Check if we want to disable logging. > if (exists $cgiparams{'LOGGING_ENABLED'}) { > $settings{'LOGGING_ENABLED'} =3D "on"; > } else { > $settings{'LOGGING_ENABLED'} =3D "off"; > } > 93a101 > my $logging; 97a106,111 > if ($settings{'LOGGING_ENABLED'} eq "on") { > $logging =3D "checked=3D'checked'"; > } > > > 108a123,125 > $Lang::tr{'ipblocklist log'} > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

> In /usr/lib/firewall/rules.pl I add an additional Iptables LOCATIONBLOCK
> log rule with the prefix 'LOCBLOCK-$location '. This is selectable from
> the Log dropped packets entry in the locationblock settings file.
> /usr/lib/firewall/rules.pl =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 76c76,77 < "LOCATIONBLOCK_ENABLED" =3D> "off" --- > "LOCATIONBLOCK_ENABLED" =3D> "off", > "LOGGING_ENABLED" =3D> "off", 719a721,725 > > # add loggging if enabled from location-block.cgi > if ($locationsettings{'LOGGING_ENABLED'} eq "on") { =20 > run("$IPTABLES -A LOCATIONBLOCK -m set --match-set $location src -j LOG --l= og-prefix 'LOCBLOCK-$location '"); > } =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
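
Review bot: in the location-block.cgi hunk at 62a63,69 the comment "Check if we want to disable logging" says the opposite of what the test below it does, since the branch sets LOGGING_ENABLED to "on" when the checkbox parameter exists and "off" otherwise. Reword the comment along the lines of "Check if logging of dropped packets is enabled" so it matches the code.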
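
Review bot: in location-block.cgi, `my $logging;` (93a101) is assigned only inside the "on" branch at 97a106,111, so it stays undefined whenever logging is off. If it is then interpolated into the checkbox markup, Perl reports an uninitialized value under `use warnings`; declaring it as `my $logging = "";` avoids that.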
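
Review bot: the label added at 108a123,125 in location-block.cgi reuses `$Lang::tr{'ipblocklist log'}`, a string keyed to the IP blocklist page, so any later rewording there changes this page as well. A dedicated language key for the location block checkbox would keep the two pages independent.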
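
Review bot: the LOG rule added at 719a721,725 in rules.pl has no rate limit, so every packet from a blocked location writes a log line and sustained traffic from those ranges can flood the log; consider a `-m limit --limit` match with a suitable rate ahead of `-j LOG`. Because the rule is appended with `-A`, it only logs if it ends up in LOCATIONBLOCK before the rule that drops packets for the same `$location` set, which this hunk does not show, so that ordering is worth confirming. The comment also misspells "logging" as "loggging", and the `if` line ends in trailing whitespace.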