In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.
However, conntrack seems to drop a lot of (at first glance legitimate)
packets, which bloats the logs and makes spotting the important firewall
hits more difficult.
This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.
Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
that it is about toggling _logging_, not the actual _dropping_. Other
variables are still in need of being renamed to clarify this, which
will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
config/rootfiles/core/164/update.sh for "master", since this patch has
been developed against "next". Kindly cherry-pick the necessary
changes.
Partially fixes: #12778
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
if [ "$(grep "^DROPSPOOFEDMARTIAN" /var/ipfire/optionsfw/settings)" == "" ]; then
echo "DROPSPOOFEDMARTIAN=on" >> /var/ipfire/optionsfw/settings
fi
if [ "$(grep "^DROPSPOOFEDMARTIAN" /var/ipfire/optionsfw/settings)" == "" ]; then
echo "DROPSPOOFEDMARTIAN=on" >> /var/ipfire/optionsfw/settings
fi
+if [ "$(grep "^LOGDROPCTINVALID" /var/ipfire/optionsfw/settings)" == "" ]; then
+ echo "LOGDROPCTINVALID=on" >> /var/ipfire/optionsfw/settings
+fi
# Apply sysctl changes
/etc/init.d/sysctl start
# Apply sysctl changes
/etc/init.d/sysctl start
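Review bot: The `grep "^LOGDROPCTINVALID"` on the added line is anchored only at the start, so it would also match any future key that merely begins with that name, and the `$(...) == ""` comparison discards grep's own exit status; anchoring on the `=` and testing the status directly is tighter: `if ! grep -q "^LOGDROPCTINVALID=" /var/ipfire/optionsfw/settings; then`. This mirrors the existing DROPSPOOFEDMARTIAN lines, so it is a style point rather than a regression, and those lines could get the same treatment in a follow-up. The commit message's note that this block must land in core/164/update.sh for master is worth keeping in the commit record so the cherry-pick is not missed.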
###############################################################################
# #
# IPFire.org - A linux based firewall #
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2014-2021 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
$checked{'DROPHOSTILE'}{'off'} = '';
$checked{'DROPHOSTILE'}{'on'} = '';
$checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
$checked{'DROPHOSTILE'}{'off'} = '';
$checked{'DROPHOSTILE'}{'on'} = '';
$checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPCTINVALID'}{'off'} = '';
+$checked{'LOGDROPCTINVALID'}{'on'} = '';
+$checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
$checked{'DROPPROXY'}{'off'} = '';
$checked{'DROPPROXY'}{'on'} = '';
$checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
$checked{'DROPPROXY'}{'off'} = '';
$checked{'DROPPROXY'}{'on'} = '';
$checked{'DROPPROXY'}{$settings{'DROPPROXY'}} = "checked='checked'";
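Review bot: When `$settings{'LOGDROPCTINVALID'}` is undefined — a settings file that predates this option, or a system where the update.sh step has not yet run — the third added line stores the `checked` marker under an empty hash key, so neither radio button is pre-selected on the page and Perl warns about an uninitialized value. Seeding the default before the three assignments makes the page show the fail-safe default the commit message argues for: `$settings{'LOGDROPCTINVALID'} = 'on' unless defined $settings{'LOGDROPCTINVALID'};`. Where `%settings` is read is outside this hunk, so if a default is already applied there this is moot.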
<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}
</td>
</tr>
<input type='radio' name='DROPNEWNOTSYN' value='off' $checked{'DROPNEWNOTSYN'}{'off'} /> $Lang::tr{'off'}
</td>
</tr>
+ <tr>
+ <td align='left' width='60%'>$Lang::tr{'log dropped conntrack invalids'}</td>
+ <td align='left'>
+ $Lang::tr{'on'} <input type='radio' name='LOGDROPCTINVALID' value='on' $checked{'LOGDROPCTINVALID'}{'on'} />/
+ <input type='radio' name='LOGDROPCTINVALID' value='off' $checked{'LOGDROPCTINVALID'}{'off'} /> $Lang::tr{'off'}
+ </td>
+ </tr>
<tr>
<td align='left' width='60%'>$Lang::tr{'drop input'}</td>
<td align='left'>
<tr>
<td align='left' width='60%'>$Lang::tr{'drop input'}</td>
<td align='left'>
'locationblock enable feature' => 'Location-basierte Filterung aktivieren:',
'locationblock flag' => 'Flagge',
'log' => 'Protokoll',
'locationblock enable feature' => 'Location-basierte Filterung aktivieren:',
'locationblock flag' => 'Flagge',
'log' => 'Protokoll',
+'log dropped conntrack invalids' => 'Verworfene, von der Verbindungsverfolgung als INVALID eingestufte Pakete protokollieren',
'log enabled' => 'Protokoll aktiviert',
'log level' => 'Protokollierungsniveau',
'log lines per page' => 'Zeilen pro Seite',
'log enabled' => 'Protokoll aktiviert',
'log level' => 'Protokollierungsniveau',
'log lines per page' => 'Zeilen pro Seite',
'locationblock enable feature' => 'Enable Location based blocking:',
'locationblock flag' => 'Flag',
'log' => 'Log',
'locationblock enable feature' => 'Enable Location based blocking:',
'locationblock flag' => 'Flag',
'log' => 'Log',
+'log dropped conntrack invalids' => 'Log dropped packets classified as INVALID by connection tracking',
'log enabled' => 'Log Enabled',
'log level' => 'Log Level',
'log lines per page' => 'Lines per page',
'log enabled' => 'Log Enabled',
'log level' => 'Log Level',
'log lines per page' => 'Lines per page',
echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPHOSTILE=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPWIRELESSFORWARD=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPSPOOFEDMARTIAN=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "DROPHOSTILE=on" >> $(CONFIG_ROOT)/optionsfw/settings
+ echo "LOGDROPCTINVALID=on" >> $(CONFIG_ROOT)/optionsfw/settings
echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
echo "POLICY=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "POLICY1=MODE2" >> $(CONFIG_ROOT)/firewall/settings
echo "USE_ISP_NAMESERVERS=on" >> $(CONFIG_ROOT)/dns/settings
# Connection tracking chains
iptables -N CTINVALID
# Connection tracking chains
iptables -N CTINVALID
- iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID "
+ if [ "$LOGDROPCTINVALID" == "on" ]; then
+ iptables -A CTINVALID -m limit --limit 10/second -j LOG --log-prefix "DROP_CTINVALID "
+ fi
iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
iptables -N CONNTRACK
iptables -A CTINVALID -j DROP -m comment --comment "DROP_CTINVALID"
iptables -N CONNTRACK
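Review bot: The added guard logs only when `$LOGDROPCTINVALID` is exactly `on`, so an unset or empty value — a settings file without the new key, or an empty value written back by the CGI — silently disables DROP_CTINVALID logging, which is the opposite of the fail-safe the commit message describes. Inverting the test keeps the log rule unless logging was explicitly switched off: `if [ "$LOGDROPCTINVALID" != "off" ]; then`. How `$LOGDROPCTINVALID` is loaded into this script is outside the hunk, so if a default is applied at that point this is belt-and-braces rather than a fix.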