I would rather like to solve this programmatically in the updater for c185.
Can we not add the value if we don’t find it in the configuration file?
-Michael
On 18 Mar 2024, at 11:10, Adolf Belka adolf.belka@ipfire.org wrote:
Hi Michael,
On 18/03/2024 11:15, Michael Tremer wrote:
Hallo Adolf, Okay. I have merged this and as soon as the build is done I will push the new update out. What are we doing with the people who have already installed the update?
The positive thing is that if they had drop hostile enabled in the previous version then that will stay in place.
However, the logging will not occur. On the WUI page it will show as enabled to log but as the values were not saved into the settings file they are treated as disabled.
The way to solve this for people affected is to press the Save button on the WUI page and do a reboot.
The only way to deal with this that I can see is to maybe do a blog post on it. That fix has been noted in the forum on the post from Roberto who noted that drop hostile traffic was being blocked but there were no log entries. Of course I will keep an eye out on all forum posts to see if any other people notice that there is no logging and let them know the solution.
Are there any other approaches that you can think of?
Regards,
Adolf.
-Michael
On 16 Mar 2024, at 09:32, Adolf Belka adolf.belka@ipfire.org wrote:
- My drop hostile patch set updated the WUI entries to include in and out logging options but the values need to be added to the optionsfw entries for existing systems being upgraded.
- After the existing CU184 update the LOGDROPHOSTILEIN and LOGDROPHO)STILEOUT entries are not in the settings file which trewats them as being set to off, even though they are enabled in the WUI update.
- This patch adds the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries into the settings file and then runs the firewallctrl command to apply to the firewall.
- Ran a CU184 update on a CU183 vm system and then ran the comands added into the update.sh script and then did a reboot. Entries include and DROP_HOSTILE entries start to be logged again.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
config/rootfiles/core/184/update.sh | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/config/rootfiles/core/184/update.sh b/config/rootfiles/core/184/update.sh index aa593047d..1a0e67c66 100644 --- a/config/rootfiles/core/184/update.sh +++ b/config/rootfiles/core/184/update.sh @@ -80,6 +80,12 @@ xz --check=crc32 --lzma2=dict=512KiB /lib/modules/6.6.15-ipfire/extra/wlan/8812a # Apply local configuration to sshd_config /usr/local/bin/sshctrl
+# Add the drop hostile in and out logging options +# into the optionsfw settings file and apply to firewall +sed -i '$ a\LOGDROPHOSTILEIN=on' /var/ipfire/optionsfw/settings +sed -i '$ a\LOGDROPHOSTILEOUT=on' /var/ipfire/optionsfw/settings +/usr/local/bin/firewallctrl
# Start services telinit u /etc/init.d/vnstat start -- 2.44.0
-- Sent from my laptop