- This v3 version has split the logging choice for drop hostile to separate the logging of incoming drop hostile and outgoing drop hostile. - The bug originator had no port forwards so all hostile would be dropped normally anyway. However the logs were being swamped by the logging of drop hostile making analysis difficult. So incoming drop hostile was desired to not be logged. However logging of outgoing drop hostile was desired to identify if clients on the internal lan were infected with malware trying to reach home. - Added option with drop hostile section to decide if the dropped traffic should be logged or not.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..52ac1b01e 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
 if (!$settings{'DROPHOSTILE'}) {
 $settings{'DROPHOSTILE'} = 'off';
 }
+if (!$settings{'LOGDROPHOSTILEIN'}) {
+ $settings{'LOGDROPHOSTILEIN'} = 'on';
+}
+if (!$settings{'LOGDROPHOSTILEOUT'}) {
+ $settings{'LOGDROPHOSTILEOUT'} = 'on';
+}
 if (!$settings{'LOGDROPCTINVALID'}) {
 $settings{'LOGDROPCTINVALID'} = 'on';
 }
@@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
+$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
+$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
 $checked{'LOGDROPCTINVALID'}{'off'} = '';
 $checked{'LOGDROPCTINVALID'}{'on'} = '';
 $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
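Review bot: The @@ -94 hunk only supplies 'on' when LOGDROPHOSTILEIN or LOGDROPHOSTILEOUT is absent; nothing in this patch shows the save path restricting the submitted value to 'on' or 'off', and the initscript in this series decides with a string compare against "on", so any other stored value silently disables the logging. If the save handler already validates LOGDROPCTINVALID before writing the settings file, the two new keys should be added to that check; if it writes the raw CGI value, a normalisation such as `$settings{'LOGDROPHOSTILEIN'} = 'on' unless $settings{'LOGDROPHOSTILEIN'} eq 'off';` (and the same for LOGDROPHOSTILEOUT) at the point of save keeps the stored value within the two states the radio buttons in the @@ -279 hunk offer. The save handler itself is outside the hunks shown.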
@@ -279,6 +291,20 @@ END
 <input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
 </td>
 </tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
+ <input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
+ <input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
 </table>
 <br/>
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and HOSTILE_DROP_OUT for outgoing traffic, enabling logging decisions to be taken on each independently.
Fixes: bug12981 Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/firewall/rules.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 7edb910e2..a47c260a1 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2024 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -726,8 +726,8 @@ sub drop_hostile_networks () {
 &ipset_restore($HOSTILE_CCODE);
# Check traffic in incoming/outgoing direction and drop if it matches
- run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
- run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
+ run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");
+ run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT");
 }
sub ipblocklist () {
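Review bot: The comment above the two rewritten run() lines, `# Check traffic in incoming/outgoing direction and drop if it matches`, no longer explains why two distinct targets exist; suggest `# Drop traffic from/to hostile networks; separate targets let the initscript log each direction independently`. Note also that the HOSTILE chain is hooked into both FORWARD and OUTPUT (see the initscript context in this series), so the `-o $RED_DEV ... -j HOSTILE_DROP_OUT` rule also covers the firewall's own connections, not only LAN clients — worth a word in the comment if the outgoing logging is meant to identify infected internal hosts. The body of drop_hostile_networks starts outside the hunk.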
Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org Acked-by: Bernhard Bitsch bbitsch@ipfire.org
Am 21.01.2024 um 12:45 schrieb Adolf Belka:
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming traffic and HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each independently.
Fixes: bug12981 Signed-off-by: Adolf Belka adolf.belka@ipfire.org
config/firewall/rules.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 7edb910e2..a47c260a1 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2024 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -726,8 +726,8 @@ sub drop_hostile_networks () {
 &ipset_restore($HOSTILE_CCODE);
# Check traffic in incoming/outgoing direction and drop if it matches
- run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP");
- run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP");
run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");
run("$IPTABLES -A HOSTILE -o $RED_DEV -m set --match-set $HOSTILE_CCODE dst -j HOSTILE_DROP_OUT");
}
sub ipblocklist () {
- This v3 version now has two if blocks allowing logging of incoming drop hostile or outgoing drop hostile or both or neither. - Dependent on the choice in optionsfw.cgi each block will either log or not log the dropped hostile traffic.
Fixes: bug12981 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- src/initscripts/system/firewall | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 50f2b3e02..840ae3150 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -176,9 +176,18 @@ iptables_init() {
 iptables -A FORWARD -j HOSTILE
 iptables -A OUTPUT -j HOSTILE
- iptables -N HOSTILE_DROP
- iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
- iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+ iptables -N HOSTILE_DROP_IN
+ if [ "$LOGDROPHOSTILEIN" == "on" ]; then
+ iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+ fi
+ iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE"
+
+ iptables -N HOSTILE_DROP_OUT
+ if [ "$LOGDROPHOSTILEOUT" == "on" ]; then
+ iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+ fi
+ iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE"
+
# IP Address Blocklist chains
 iptables -N BLOCKLISTIN
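Review bot: The new `if [ "$LOGDROPHOSTILEIN" == "on" ]` and `if [ "$LOGDROPHOSTILEOUT" == "on" ]` tests turn logging off whenever the variable is unset, the opposite of the 'on' default the CGI applies to a missing key, so a system whose optionsfw settings file predates this change stops logging dropped hostile traffic until the options page is re-saved — a silent loss of detection that the unconditional LOG rule being removed did not have (assuming the script sources that settings file and no update script seeds the two keys). Matching the CGI default inside the test, `if [ "${LOGDROPHOSTILEIN:-on}" == "on" ]; then` and `if [ "${LOGDROPHOSTILEOUT:-on}" == "on" ]; then`, closes that window. Separately, both LOG rules keep the identical `--log-prefix "DROP_HOSTILE "`, so log lines still cannot be separated by direction without inspecting the interface fields, which works against the stated goal of spotting infected LAN clients; distinct prefixes such as `"DROP_HOSTILE_IN "` and `"DROP_HOSTILE_OUT "` would help, provided the firewall log viewer is checked for anything keyed on the old prefix. iptables_init continues outside the hunk.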
Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
Am 21.01.2024 um 12:45 schrieb Adolf Belka:
- This v3 version now has two if loops allowing logging of incoming drop hostile or outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the dropped hostile traffic.
Fixes: bug12981 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
src/initscripts/system/firewall | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 50f2b3e02..840ae3150 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -176,9 +176,18 @@ iptables_init() {
 iptables -A FORWARD -j HOSTILE
 iptables -A OUTPUT -j HOSTILE
- iptables -N HOSTILE_DROP
- iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
- iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
iptables -N HOSTILE_DROP_IN
if [ "$LOGDROPHOSTILEIN" == "on" ]; then
iptables -A HOSTILE_DROP_IN -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
fi
iptables -A HOSTILE_DROP_IN -j DROP -m comment --comment "DROP_HOSTILE"
iptables -N HOSTILE_DROP_OUT
if [ "$LOGDROPHOSTILEOUT" == "on" ]; then
iptables -A HOSTILE_DROP_OUT -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
fi
iptables -A HOSTILE_DROP_OUT -j DROP -m comment --comment "DROP_HOSTILE"
# IP Address Blocklist chains
 iptables -N BLOCKLISTIN
- In this v3 version have added translations for hostile networks in and hostile networks out and log drop hostile in and log drop hostile out.
Fixes: bug12981 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- doc/language_issues.de | 5 +++++ doc/language_issues.en | 5 ++++- doc/language_issues.es | 5 +++++ doc/language_issues.fr | 5 +++++ doc/language_issues.it | 5 ++++- doc/language_issues.nl | 5 ++++- doc/language_issues.pl | 5 ++++- doc/language_issues.ru | 5 ++++- doc/language_issues.tr | 5 ++++- doc/language_missings | 37 ++++++++++++++++++++++++++++++++----- langs/en/cgi-bin/en.pl | 5 ++++- 11 files changed, 75 insertions(+), 12 deletions(-)
diff --git a/doc/language_issues.de b/doc/language_issues.de index 4fd5a0819..29bf5b8d7 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -375,6 +375,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 
@@ -923,12 +924,16 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids subscription code required = The selected ruleset requires a subscription code WARNING: untranslated string: invalid input for subscription code = Invalid input for subscription code WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es) WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional diff --git a/doc/language_issues.en b/doc/language_issues.en index b4327cb78..4f37e43f7 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1039,7 +1039,8 @@ WARNING: untranslated string: holdoff = Holdoff time (in seconds) WARNING: untranslated string: host certificate = Host Certificate WARNING: untranslated string: host ip = Host IP address WARNING: untranslated string: host to net vpn = Host-to-Net Virtual Private Network (RoadWarrior) -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: hostname = Hostname WARNING: untranslated string: hostname cant be empty = Hostname cannot be empty. WARNING: untranslated string: hostname not set = Hostname not set. @@ -1247,6 +1248,8 @@ WARNING: untranslated string: locationblock country is allowed = Incoming traffi WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: WARNING: untranslated string: log = Log +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log lines per page = Lines per page WARNING: untranslated string: log server address = Syslog server: diff --git a/doc/language_issues.es b/doc/language_issues.es index 45ffdf5d7..22b6efbc3 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -415,6 +415,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 @@ -989,8 +990,12 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: no data = unknown string WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired diff --git a/doc/language_issues.fr b/doc/language_issues.fr index cacfb1ec6..68514699d 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -402,6 +402,7 @@ WARNING: translation string unused: host WARNING: translation string unused: host allow WARNING: translation string unused: host configuration WARNING: translation string unused: host deny +WARNING: translation string unused: hostile networks WARNING: translation string unused: hostname and domain already in use WARNING: translation string unused: hour-graph WARNING: translation string unused: hours2 
@@ -947,6 +948,10 @@ WARNING: untranslated string: guardian logtarget_file = unknown string WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. WARNING: untranslated string: reiserfs warning2 = Ensure a fresh installation is made using either ext4 or xfs filesystems before that date. diff --git a/doc/language_issues.it b/doc/language_issues.it index 68ff12c86..fed7f4195 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -1068,7 +1068,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1159,6 +1160,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d1a637215..9f9fce689 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1073,7 +1073,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1166,6 +1167,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: masquerade blue = Masquerade BLUE diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 893f73211..48c0974e8 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl @@ -1213,7 +1213,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1315,6 +1316,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 64c9b5095..a1112396c 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1210,7 +1210,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1313,6 +1314,8 @@ WARNING: untranslated string: locationblock configuration = Location Configurati WARNING: untranslated string: locationblock country is allowed = Incoming traffic from this country is allowed WARNING: untranslated string: locationblock country is blocked = Incoming traffic from this country will be blocked WARNING: untranslated string: locationblock enable feature = Enable Location based blocking: +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: log server protocol = protocol: WARNING: untranslated string: mac filter = MAC filter diff --git a/doc/language_issues.tr b/doc/language_issues.tr index eadbd33c7..649ebf6b4 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -1010,7 +1010,8 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hardware vulnerabilities = Hardware Vulnerabilities -WARNING: untranslated string: hostile networks = Hostile networks +WARNING: untranslated string: hostile networks in = Hostile networks in +WARNING: untranslated string: hostile networks out = Hostile networks out WARNING: untranslated string: ids add provider = Add provider WARNING: untranslated string: ids adjust ruleset = Adjust rules and add user defined customizations... WARNING: untranslated string: ids apply = Apply 
@@ -1089,6 +1090,8 @@ WARNING: untranslated string: ipsec settings = IPsec Settings WARNING: untranslated string: itlb multihit = iTLB MultiHit WARNING: untranslated string: link-layer encapsulation = Link-Layer Encapsulation WARNING: untranslated string: local ip address = Local IP Address +WARNING: untranslated string: log drop hostile in = Log dropped packets FROM hostile networks +WARNING: untranslated string: log drop hostile out = Log dropped packets TO hostile networks WARNING: untranslated string: log dropped conntrack invalids = Log dropped packets classified as INVALID by connection tracking WARNING: untranslated string: meltdown = Meltdown WARNING: untranslated string: mitigated = Mitigated diff --git a/doc/language_missings b/doc/language_missings index 28ae29c2b..8a92fde97 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -58,6 +58,8 @@ < extrahd because it it outside the allowed mount path < g.dtm < g.lite +< hostile networks in +< hostile networks out < ids automatic rules update < ids subscription code required < insert removable device @@ -66,6 +68,8 @@ < ipsec invalid ip address or fqdn for rw endpoint < ipsec roadwarrior endpoint < link-layer encapsulation +< log drop hostile in +< log drop hostile out < netbios nameserver daemon < no entries < notes @@ -114,7 +118,11 @@ < extrahd not configured < extrahd not mounted < hardware vulnerabilities +< hostile networks in +< hostile networks out < invalid ip or hostname +< log drop hostile in +< log drop hostile out < openvpn cert expires soon < openvpn cert has expired < reiserfs warning1 @@ -138,6 +146,10 @@ < extrahd not mounted < g.dtm < g.lite +< hostile networks in +< hostile networks out +< log drop hostile in +< log drop hostile out < reiserfs warning1 < reiserfs warning2 < spec rstack overflow 
@@ -361,7 +373,8 @@ < guaranteed bandwidth < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply @@ -464,6 +477,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -880,7 +895,8 @@ < generate ptr < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply @@ -985,6 +1001,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < masquerade blue @@ -1704,7 +1722,8 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply @@ -1819,6 +1838,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter @@ -2695,7 +2716,8 @@ < grouptype < guardian < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < hour-graph < ids add provider < ids adjust ruleset @@ -2812,6 +2834,8 @@ < locationblock country name < locationblock enable feature < locationblock flag +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < log server protocol < mac filter @@ -3280,7 +3304,8 @@ < fw red < generate ptr < hardware vulnerabilities -< hostile networks +< hostile networks in +< hostile networks out < ids add provider < ids adjust ruleset < ids apply 
@@ -3368,6 +3393,8 @@ < legacy architecture warning < link-layer encapsulation < local ip address +< log drop hostile in +< log drop hostile out < log dropped conntrack invalids < meltdown < mitigated diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 16a3061b4..935217f0b 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1409,7 +1409,8 @@ 'host deny' => 'list with denied hosts', 'host ip' => 'Host IP address', 'host to net vpn' => 'Host-to-Net Virtual Private Network (RoadWarrior)', -'hostile networks' => 'Hostile networks', +'hostile networks in' => 'Hostile networks in', +'hostile networks out' => 'Hostile networks out', 'hostname' => 'Hostname', 'hostname and domain already in use' => 'Hostname and domain already in use.', 'hostname cant be empty' => 'Hostname cannot be empty.', @@ -1686,6 +1687,8 @@ 'locationblock enable feature' => 'Enable Location based blocking:', 'locationblock flag' => 'Flag', 'log' => 'Log', +'log drop hostile in' => 'Log dropped packets FROM hostile networks', +'log drop hostile out' => 'Log dropped packets TO hostile networks', 'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking', 'log enabled' => 'Log Enabled', 'log level' => 'Log Level',
- In this v3 version of the patch set the splitting of drop hostile logging into incoming and outgoing logging means that the data collection and graphs need to have drop hostile also split into incoming and outgoing.
Fixes: bug12981 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/collectd/collectd.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index 4ef34ea07..cc49f0ba7 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -51,7 +51,8 @@ include "/etc/collectd.precache"
 Chain filter POLICYOUT DROP_OUTPUT
 Chain filter POLICYIN DROP_INPUT
 Chain filter SPOOFED_MARTIAN DROP_SPOOFED_MARTIAN
- Chain filter HOSTILE_DROP DROP_HOSTILE
+ Chain filter HOSTILE_DROP_IN DROP_HOSTILE
+ Chain filter HOSTILE_DROP_OUT DROP_HOSTILE
 </Plugin>
#<Plugin logfile>
- This v3 version of the patch set splits the single hostile networks graph entry into incoming hostile networks and outgoing hostile networks entries.
Fixes: bug12981 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/cfgroot/graphs.pl | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/config/cfgroot/graphs.pl b/config/cfgroot/graphs.pl index 9803dd124..f527447b5 100644 --- a/config/cfgroot/graphs.pl +++ b/config/cfgroot/graphs.pl @@ -693,7 +693,8 @@ sub updatefwhitsgraph { "DEF:newnotsyn=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-NEWNOTSYN/ipt_bytes-DROP_NEWNOTSYN.rrd:value:AVERAGE", "DEF:portscan=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-PSCAN/ipt_bytes-DROP_PScan.rrd:value:AVERAGE", "DEF:spoofedmartian=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-SPOOFED_MARTIAN/ipt_bytes-DROP_SPOOFED_MARTIAN.rrd:value:AVERAGE", - "DEF:hostile=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostilein=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", + "DEF:hostileout=".$mainsettings{'RRDLOG'}."/collectd/localhost/iptables-filter-HOSTILE_DROP_OUT/ipt_bytes-DROP_HOSTILE.rrd:value:AVERAGE", "COMMENT:".sprintf("%-26s",$Lang::tr{'caption'}), "COMMENT:".sprintf("%15s",$Lang::tr{'maximal'}), "COMMENT:".sprintf("%15s",$Lang::tr{'average'}), 
@@ -729,11 +730,16 @@ sub updatefwhitsgraph {
 "GPRINT:spoofedmartian:AVERAGE:%8.1lf %sBps",
 "GPRINT:spoofedmartian:MIN:%8.1lf %sBps",
 "GPRINT:spoofedmartian:LAST:%8.1lf %sBps\j",
- "STACK:hostile".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks'}),
- "GPRINT:hostile:MAX:%8.1lf %sBps",
- "GPRINT:hostile:AVERAGE:%8.1lf %sBps",
- "GPRINT:hostile:MIN:%8.1lf %sBps",
- "GPRINT:hostile:LAST:%8.1lf %sBps\j",
+ "STACK:hostilein".$color{"color13"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks in'}),
+ "GPRINT:hostilein:MAX:%8.1lf %sBps",
+ "GPRINT:hostilein:AVERAGE:%8.1lf %sBps",
+ "GPRINT:hostilein:MIN:%8.1lf %sBps",
+ "GPRINT:hostilein:LAST:%8.1lf %sBps\j",
+ "STACK:hostileout".$color{"color25"}."A0:".sprintf("%-25s",$Lang::tr{'hostile networks out'}),
+ "GPRINT:hostileout:MAX:%8.1lf %sBps",
+ "GPRINT:hostileout:AVERAGE:%8.1lf %sBps",
+ "GPRINT:hostileout:MIN:%8.1lf %sBps",
+ "GPRINT:hostileout:LAST:%8.1lf %sBps\j",
 );
 $ERROR = RRDs::error;
 return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;
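Review bot: The two new DEF entries in the previous hunk make the whole firewall-hits graph depend on both `iptables-filter-HOSTILE_DROP_IN/ipt_bytes-DROP_HOSTILE.rrd` and the `_OUT` counterpart existing; rrdtool fails a DEF whose file is missing, and the error path here, `return "Error in RRD::graph for firewallhits: ".$ERROR."\n" if $ERROR;`, then loses the entire graph rather than just the two new rows. On a system upgraded in place those files only appear once collectd runs with the new chain configuration, so the update step should presumably restart collectd, or the new DEFs should be added only after an `-e` check on each file. `'hostile networks in'` and `'hostile networks out'` are new language keys not covered by this one-file diffstat, and the same holds for `'log drop hostile in'`/`'log drop hostile out'` in the later optionsfw.cgi hunk; I assume a sibling patch adds them. `sub updatefwhitsgraph` starts outside the hunk.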
- Moved the Firewall Options Drop commands to before the logging section, as discussed at January 2024 Video Call.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- html/cgi-bin/optionsfw.cgi | 47 +++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 23 deletions(-)
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index 52ac1b01e..60b1bdd91 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team info@ipfire.org #
+# Copyright (C) 2007-2024 IPFire Team info@ipfire.org #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -224,6 +224,29 @@ END
<br>
+<table width='95%' cellspacing='0'>
+ <tr bgcolor='$color{'color20'}'>
+ <td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
+ </tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
+ <input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
+</table>
+<br>
+
+<table width='95%' cellspacing='0'>
+<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
+ <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
+<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
+ <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
+</table>
+<br>
+
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'>
 <td colspan='2' align='left'><b>$Lang::tr{'fw logging'}</b></td>
@@ -308,28 +331,6 @@ END
 </table>
 <br/>
-<table width='95%' cellspacing='0'>
- <tr bgcolor='$color{'color20'}'>
- <td colspan='2' align='left'><b>$Lang::tr{'fw red'}</b></td>
- </tr>
- <tr>
- <td align='left' width='60%'>$Lang::tr{'drop hostile'}</td>
- <td align='left'>
- $Lang::tr{'on'} <input type='radio' name='DROPHOSTILE' value='on' $checked{'DROPHOSTILE'}{'on'} />/
- <input type='radio' name='DROPHOSTILE' value='off' $checked{'DROPHOSTILE'}{'off'} /> $Lang::tr{'off'}
- </td>
- </tr>
-</table>
-<br>
-
-<table width='95%' cellspacing='0'>
-<tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw blue'}</b></td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop proxy'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPPROXY' value='on' $checked{'DROPPROXY'}{'on'} />/
- <input type='radio' name='DROPPROXY' value='off' $checked{'DROPPROXY'}{'off'} /> $Lang::tr{'off'}</td></tr>
-<tr><td align='left' width='60%'>$Lang::tr{'drop samba'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='DROPSAMBA' value='on' $checked{'DROPSAMBA'}{'on'} />/
- <input type='radio' name='DROPSAMBA' value='off' $checked{'DROPSAMBA'}{'off'} /> $Lang::tr{'off'}</td></tr>
-</table>
-<br>
 <table width='95%' cellspacing='0'>
 <tr bgcolor='$color{'color20'}'><td colspan='2' align='left'><b>$Lang::tr{'fw settings'}</b></td></tr>
 <tr><td align='left' width='60%'>$Lang::tr{'fw settings color'}</td><td align='left'>$Lang::tr{'on'} <input type='radio' name='SHOWCOLORS' value='on' $checked{'SHOWCOLORS'}{'on'} />/
Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org Tested-by: Bernhard Bitsch bbitsch@ipfire.org
Am 21.01.2024 um 12:45 schrieb Adolf Belka:
- This v3 version has split the logging choice for drop hostile to separate the logging of incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards, so all hostile traffic would be dropped normally anyway. However, the logs were being swamped by the logging of drop hostile, making analysis difficult. So logging of incoming drop hostile was desired to be off, while logging of outgoing drop hostile was still desired in order to identify whether clients on the internal LAN were infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be logged or not.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f..52ac1b01e 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
 if (!$settings{'DROPHOSTILE'}) {
 $settings{'DROPHOSTILE'} = 'off';
 }
+if (!$settings{'LOGDROPHOSTILEIN'}) {
- $settings{'LOGDROPHOSTILEIN'} = 'on';
+}
+if (!$settings{'LOGDROPHOSTILEOUT'}) {
- $settings{'LOGDROPHOSTILEOUT'} = 'on';
+}
 if (!$settings{'LOGDROPCTINVALID'}) {
 $settings{'LOGDROPCTINVALID'} = 'on';
 }
@@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
+$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
+$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
 $checked{'LOGDROPCTINVALID'}{'off'} = '';
 $checked{'LOGDROPCTINVALID'}{'on'} = '';
 $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
@@ -279,6 +291,20 @@ END
 <input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
 </td>
 </tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
+ <input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
+ <input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
 </table>
 <br/>
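Review bot: The new rows read `$settings{'LOGDROPHOSTILEIN'}`/`$settings{'LOGDROPHOSTILEOUT'}` into `$checked` and render them, but nothing on this page validates the submitted value on save or shows the consumer that turns them into LOG rules; if that lives in the rules script of a sibling patch, the commit message should say so, since a value other than `on`/`off` here simply leaves both radios unchecked. The rows sit in the "fw logging" table while the `DROPHOSTILE` switch itself ends up in the "fw red" table after the later reorder patch, so a short help text next to `'log drop hostile in'` saying these options only take effect while drop hostile is enabled would save users a round trip. Keeping the default `'on'` for both (first hunk) preserves today's logging behaviour on upgrade, which is the sensible choice for a log-reduction option; stating that intent in the commit message would make it explicit. The heredoc containing these rows starts outside the hunk.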