Hi Matthias,
On 27/12/2023 02:21, Matthias Fischer wrote:
Hi Adolf,
I tested and I'd suggest placing the if-loop a few lines higher, under the 'Firewall logging' section.
I inserted your code at line ~289ff, right under DROPSPOOFEDMARTIAN.
And now it looks as in the screenshot.
I did that location in my first patch build. I changed it to the one I submitted as this log selection is tied to the only firewall command that can be turned on or off for the drop. So I thought it made more sense to be directly linked with the drop hostile selection command.
However I am happy in either case.
During the night I thought that maybe the log selection should be greyed out if the drop hostile was set to off, as there is no point in trying to log or not log a command that is not doing any dropping.
Then this morning I thought maybe this drop hostile command has been around now for long enough that we don't need to have it turned off by default for updates. Maybe this command should, like for example DROP CTINVALID etc., occur by default. In that case the selection of DROP_HOSTILE would no longer occur and the LOG_DROP_HOSTILE could then go with the other logging decision options.
I will put this question into the next video conf call on 8th January.
Regards,
Adolf.
jm2c ;-)
Best, Matthias
On 26.12.2023 20:46, Adolf Belka wrote:
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the dropped hostile traffic.
Fixes: bug12981
Tested-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Adolf Belka adolf.belka@ipfire.org

src/initscripts/system/firewall | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 50f2b3e02..352ae2496 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -177,7 +177,9 @@ iptables_init() { iptables -A OUTPUT -j HOSTILE
iptables -N HOSTILE_DROP
- iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
if [ "$LOGDROPHOSTILE" == "on" ]; then
iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
fi iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
# IP Address Blocklist chains
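Review bot: The new `if [ "$LOGDROPHOSTILE" == "on" ]` test depends on LOGDROPHOSTILE being set, but nothing in this hunk reads it from the firewall options settings, so on an installation updated without the new key the variable is empty, the test is false and the DROP_HOSTILE log rule that was previously unconditional silently disappears; either confirm the options file is sourced earlier in iptables_init() and ship an update step that adds the key with the intended default, or default the variable explicitly (for example `LOGDROPHOSTILE="${LOGDROPHOSTILE:-on}"`) before the test so existing behaviour is preserved. As a minor style point, `==` inside `[ ]` is a bash extension; `=` is the portable form and is what the surrounding script uses elsewhere for the same kind of on/off checks. The replaced rule and the added one are otherwise identical (same `-m limit --limit 10/second` and `--log-prefix "DROP_HOSTILE "`), and the final `-j DROP` rule stays unconditional, which is the right behaviour for the "log or not log" intent described in the commit message.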