firewall: Make logging of conntrack INVALIDs configureable
authorPeter Müller <peter.mueller@ipfire.org>
Fri, 18 Feb 2022 22:40:55 +0000 (22:40 +0000)
committerArne Fitzenreiter <arne_f@ipfire.org>
Sat, 19 Feb 2022 15:37:16 +0000 (15:37 +0000)
In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.

However, conntrack seems to drop a lot of (at first glance
legitimate) packets, bloating the logs and making it more difficult
to spot the important firewall hits.

This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.

Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
  that it is about toggling _logging_, not the actual _dropping_. Other
  variables are still in need of being renamed to clarify this, which
  will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
  config/rootfiles/core/164/update.sh for "master", since this patch has
  been developed against "next". Kindly cherry-pick the necessary
  changes.

Partially fixes: #12778

Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
config/rootfiles/core/164/update.sh
html/cgi-bin/optionsfw.cgi
langs/de/cgi-bin/de.pl
langs/en/cgi-bin/en.pl
lfs/configroot
src/initscripts/system/firewall

index e6847359c097cacaa2c28da5b00320707ecf90cc..05f2a03e47f883f4a3092f96ea29b07c8adf340a 100644 (file)
@@ -107,6 +107,9 @@ fi
 if [ "$(grep "^DROPSPOOFEDMARTIAN" /var/ipfire/optionsfw/settings)" == "" ]; then
        echo "DROPSPOOFEDMARTIAN=on" >> /var/ipfire/optionsfw/settings
 fi
+if [ "$(grep "^LOGDROPCTINVALID" /var/ipfire/optionsfw/settings)" == "" ]; then
+       echo "LOGDROPCTINVALID=on" >> /var/ipfire/optionsfw/settings
+fi
 
 # Apply sysctl changes
 /etc/init.d/sysctl start
index 481d5bdbd266dd7c62f2fbb53c1ce1d8661819af..5611b71b7e0e2322d1da77569820365e4d6c9fa4 100644 (file)
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2014-2021  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -116,6 +116,9 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPCTINVALID'}{'off'} = '';
+$checked{'LOGDROPCTINVALID'}{'on'} = '';
+$checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
 $checked{'DROPPROXY'}{'off'} = '';
 $checked{'DROPPROXY'}{'on'} = '';
 $checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
@@ -211,6 +214,13 @@ END
                        <input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}
                </td>
        </tr>
+       <tr>
+               <td align='left' width='60%'>$Lang::tr{'log dropped conntrack invalids'}</td>
+               <td align='left'>
+                       $Lang::tr{'on'} <input type='radio' name='LOGDROPCTINVALID' value='on' $checked{'LOGDROPCTINVALID'}{'on'} />/
+                       <input type='radio' name='LOGDROPCTINVALID' value='off' $checked{'LOGDROPCTINVALID'}{'off'} /> $Lang::tr{'off'}
+               </td>
+       </tr>
        <tr>
                <td align='left' width='60%'>$Lang::tr{'drop input'}</td>
                <td align='left'>
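Review bot: The lookup on the third added line of the $checked hunk, `$checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";`, uses an empty-string key when the settings file has no LOGDROPCTINVALID entry yet, so neither radio button in the new table row renders pre-selected and a later save may persist a missing or empty value for a key the firewall script expects to be exactly "on". A one-line default placed before the three $checked lines, `$settings{'LOGDROPCTINVALID'} = 'on' unless defined $settings{'LOGDROPCTINVALID'};`, keeps the form consistent with the "on" default that update.sh and lfs/configroot write. Where this CGI reads and validates the settings hash is outside the shown hunks, so the best place for the default may be there instead; the existing DROPHOSTILE and DROPPROXY entries appear to share the same gap.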
index cf34fd86eeede2b9232a9146a0778151dbfab764..93aaff203d60290f36a5e94496ea5b204f836486 100644 (file)
 'locationblock enable feature' => 'Location-basierte Filterung aktivieren:',
 'locationblock flag' => 'Flagge',
 'log' => 'Protokoll',
+'log dropped conntrack invalids' => 'Verworfene, von der Verbindungsverfolgung als INVALID eingestufte Pakete protokollieren',
 'log enabled' => 'Protokoll aktiviert',
 'log level' => 'Protokollierungsniveau',
 'log lines per page' => 'Zeilen pro Seite',
index b170647139b9a8657048a12b450013e64fb1b7f9..f534a49bdc122407cbadabc8b9e0c3775824e606 100644 (file)
 'locationblock enable feature' => 'Enable Location based blocking:',
 'locationblock flag' => 'Flag',
 'log' => 'Log',
+'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking',
 'log enabled' => 'Log Enabled',
 'log level' => 'Log Level',
 'log lines per page' => 'Lines per page',
index 9f3188aab9e28b29c134eca51a56dc1d9f37ac2f..ed264e72ba31cb10cf60ca37f3d6427243169ed1 100644 (file)
@@ -132,6 +132,7 @@ $(TARGET) :
        echo  "DROPWIRELESSFORWARD=on"  >> $(CONFIG_ROOT)/optionsfw/settings
        echo  "DROPSPOOFEDMARTIAN=on"   >> $(CONFIG_ROOT)/optionsfw/settings
        echo  "DROPHOSTILE=on"          >> $(CONFIG_ROOT)/optionsfw/settings
+       echo  "LOGDROPCTINVALID=on"     >> $(CONFIG_ROOT)/optionsfw/settings
        echo  "POLICY=MODE2"            >> $(CONFIG_ROOT)/firewall/settings
        echo  "POLICY1=MODE2"           >> $(CONFIG_ROOT)/firewall/settings
        echo  "USE_ISP_NAMESERVERS=on"  >> $(CONFIG_ROOT)/dns/settings
index 2f4b4e30ed48ab4f409eb18da870309589254675..f0b7d70ff73393e5b6c28d7f9e70ea1d81903173 100644 (file)
@@ -120,7 +120,9 @@ iptables_init() {
 
        # Connection tracking chains
        iptables -N CTINVALID
-       iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       if [ "$LOGDROPCTINVALID" == "on" ]; then
+               iptables -A CTINVALID  -m limit --limit 10/second -j LOG  --log-prefix "DROP_CTINVALID "
+       fi
        iptables -A CTINVALID  -j DROP -m comment --comment "DROP_CTINVALID"
 
        iptables -N CONNTRACK
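Review bot: The new guard `if [ "$LOGDROPCTINVALID" == "on" ]; then` skips the rate-limited LOG rule for every value other than exactly "on", so a missing or empty key (a settings file not yet touched by update.sh, or a value blanked by the web form) silently removes the paper trail that the description says should normally exist. Since logging is the intended default, testing for the explicit opt-out instead, `if [ "$LOGDROPCTINVALID" != "off" ]; then`, fails safe and only drops the LOG rule when the administrator has deliberately turned it off. The hunk relies on $LOGDROPCTINVALID having been loaded from /var/ipfire/optionsfw/settings earlier in the script, which is not visible here; iptables_init() also begins and ends outside the hunk.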