Hi
After adding a few country codes with the GeoIP Configuration page, Geo blocked IPs no longer appear in the Firewall Logs.
This might be the intended operation but for me I would like to log these blocked IPs and have added a logging rule to /usr/lib/firewall/rules.pl
This is my patch for rules.pl which I have tested on my live IPFire and is working OK.
diff -u build/usr/lib/firewall/rules.pl.orig build/usr/lib/firewall/rules.pl --- build/usr/lib/firewall/rules.pl.orig 2019-02-04 20:59:34.677143496 +0000 +++ build/usr/lib/firewall/rules.pl 2019-02-04 21:01:59.445137411 +0000 @@ -609,6 +609,8 @@ # is enabled. foreach my $location (@locations) { if(exists $geoipsettings{$location} && $geoipsettings{$location} eq "on") { + # add logging for geoip rwb 4/2/19 + run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j LOG --log-prefix 'GEOIPBLOCK-$location '"); run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP"); } }
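Review bot: the added `run("$IPTABLES -A GEOIPBLOCK ... -j LOG ...")` call inside the `foreach my $location (@locations)` loop is unconditional and has no rate limit, so every packet from an enabled country writes a log line before it is dropped. Guard the LOG rule with a setting read alongside `%geoipsettings`, so that the default stays silent, and consider adding a `-m limit` match to the LOG rule so that a burst from one country cannot flood the firewall log.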
Regards
Rob
Hello Rob,
Thank you for submitting this patch.
There are several issues with this patch:
* It has been line-wrapped and therefore does not apply
* It is actually intended behaviour of the GeoIP filter to not log those. Many systems are flooded with log messages and this filter is supposed to skim some things out entirely.
However, I do not think that this is a bad idea, but it should be configurable on the firewall options page.
-Michael
On 4 Feb 2019, at 21:08, Rob Brewer ipfire-devel@grantura.co.uk wrote:
> Hi
> After adding a few country codes with the GeoIP Configuration page, Geo blocked IPs no longer appear in the Firewall Logs.
> This might be the intended operation but for me I would like to log these blocked IPs and have added a logging rule to /usr/lib/firewall/rules.pl
> This is my patch for rules.pl which I have tested on my live IPFire and is working OK.
diff -u build/usr/lib/firewall/rules.pl.orig build/usr/lib/firewall/rules.pl --- build/usr/lib/firewall/rules.pl.orig 2019-02-04 20:59:34.677143496 +0000 +++ build/usr/lib/firewall/rules.pl 2019-02-04 21:01:59.445137411 +0000 @@ -609,6 +609,8 @@ # is enabled. foreach my $location (@locations) { if(exists $geoipsettings{$location} && $geoipsettings{$location} eq "on") {
# add logging for geoip rwb 4/2/19
run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc
$location -j LOG --log-prefix 'GEOIPBLOCK-$location '"); run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP"); } }
> Regards
> Rob
Hi Michael
Michael Tremer wrote:
> Hello Rob,
> Thank you for submitting this patch.
> There are several issues with this patch:
> - It has been line-wrapped and therefore does not apply
Apologies, I'll try again without wrapping:
--- build/usr/lib/firewall/rules.pl.orig 2019-02-04 20:59:34.677143496 +0000 +++ build/usr/lib/firewall/rules.pl 2019-02-04 21:01:59.445137411 +0000 @@ -609,6 +609,8 @@ # is enabled. foreach my $location (@locations) { if(exists $geoipsettings{$location} && $geoipsettings{$location} eq "on") { + # add logging for geoip rwb 4/2/19 + run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j LOG --log-prefix 'GEOIPBLOCK-$location '"); run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP"); } }
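Review bot: the file headers compare `build/usr/lib/firewall/rules.pl.orig` with `build/usr/lib/firewall/rules.pl`, so the diff is taken between a hand-made `.orig` copy and a file under a build directory rather than against the version-controlled source. Regenerate it from the source tree so that the paths and the `@@ -609,6 +609,8 @@` offsets match what it will be applied to, and move the initials and date in `# add logging for geoip rwb 4/2/19` out of the code and into the patch description.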
> - It is actually intended behaviour of the GeoIP filter to not log those.
> Many systems are flooded with log messages and this filter is supposed to skim some things out entirely.
I understand your thinking but it does mess up reporting the logs as I do to DShield.
> However, I do not think that this is a bad idea, but it should be configurable on the firewall options page.
Yes, I was thinking that this could be easily selectable with an if statement around the LOG line if required.
Rob
Hi Michael
Rob Brewer wrote:
>> However, I do not think that this is a bad idea, but it should be configurable on the firewall options page.
> Yes, I was thinking that this could be easily selectable with an if statement around the LOG line if required.
OK I've been working on your suggestion and have added an additional checkbox to the GeoIP Block of geoip-block.cgi to enable/disable logging.
(patch: geoip-block.cgi)
I have also reworked rules.pl to enable geoip-block logging from geo-block.cgi.
(patch: rules2.pl)
Rob
Hey Rob,
Please only attach patches inline. That way, people can comment on them directly.
If I now write things like:
In the first file, line 12, something is not right there…
then nobody knows what I am referring to.
Best,
-Michael
On 10 Feb 2019, at 16:07, Rob Brewer ipfire-devel@grantura.co.uk wrote:
> Hi Michael
> Rob Brewer wrote:
>>> However, I do not think that this is a bad idea, but it should be configurable on the firewall options page.
>> Yes, I was thinking that this could be easily selectable with an if statement around the LOG line if required.
> OK I've been working on your suggestion and have added an additional checkbox to the GeoIP Block of geoip-block.cgi to enable/disable logging.
> (patch: geoip-block.cgi)
> I have also reworked rules.pl to enable geoip-block logging from geo-block.cgi.
> (patch: rules2.pl)
> Rob
> <geoip-block.cgi><rules2.pl>