From 189a0405624018f730071973ea59d38f7e54c444 Mon Sep 17 00:00:00 2001
From: Adolf Belka <adolf.belka@ipfire.org>
Date: Sun, 21 Jan 2024 12:45:47 +0100
Subject: [PATCH] optionsfw.cgi: Fix bug12981 - Add option to log or not log
 dropped hostile traffic

- This v3 version has split the logging choice for drop hostile to separate the logging of
   incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway.
   However the logs were being swamped by the logging of drop hostile making analysis
   difficult. So incoming drop hostile was desired to not be logged. However logging of
   outgoing drop hostile was desired to identify if clients on the internal lan were
   infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be
   logged or not.

Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/optionsfw.cgi | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi
index fbff67b2f9..52ac1b01e6 100644
--- a/html/cgi-bin/optionsfw.cgi
+++ b/html/cgi-bin/optionsfw.cgi
@@ -94,6 +94,12 @@ if (!$settings{'DROPSPOOFEDMARTIAN'}) {
 if (!$settings{'DROPHOSTILE'}) {
 	$settings{'DROPHOSTILE'} = 'off';
 }
+if (!$settings{'LOGDROPHOSTILEIN'}) {
+	$settings{'LOGDROPHOSTILEIN'} = 'on';
+}
+if (!$settings{'LOGDROPHOSTILEOUT'}) {
+	$settings{'LOGDROPHOSTILEOUT'} = 'on';
+}
 if (!$settings{'LOGDROPCTINVALID'}) {
 	$settings{'LOGDROPCTINVALID'} = 'on';
 }
@@ -125,6 +131,12 @@ $checked{'DROPSPOOFEDMARTIAN'}{$settings{'DROPSPOOFEDMARTIAN'}} = "checked='chec
 $checked{'DROPHOSTILE'}{'off'} = '';
 $checked{'DROPHOSTILE'}{'on'} = '';
 $checked{'DROPHOSTILE'}{$settings{'DROPHOSTILE'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEIN'}{'off'} = '';
+$checked{'LOGDROPHOSTILEIN'}{'on'} = '';
+$checked{'LOGDROPHOSTILEIN'}{$settings{'LOGDROPHOSTILEIN'}} = "checked='checked'";
+$checked{'LOGDROPHOSTILEOUT'}{'off'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{'on'} = '';
+$checked{'LOGDROPHOSTILEOUT'}{$settings{'LOGDROPHOSTILEOUT'}} = "checked='checked'";
 $checked{'LOGDROPCTINVALID'}{'off'} = '';
 $checked{'LOGDROPCTINVALID'}{'on'} = '';
 $checked{'LOGDROPCTINVALID'}{$settings{'LOGDROPCTINVALID'}} = "checked='checked'";
@@ -279,6 +291,20 @@ END
 			<input type='radio' name='DROPSPOOFEDMARTIAN' value='off' $checked{'DROPSPOOFEDMARTIAN'}{'off'} /> $Lang::tr{'off'}
 		</td>
 	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile in'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEIN' value='on' $checked{'LOGDROPHOSTILEIN'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILEIN' value='off' $checked{'LOGDROPHOSTILEIN'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
+	<tr>
+		<td align='left' width='60%'>$Lang::tr{'log drop hostile out'}</td>
+		<td align='left'>
+			$Lang::tr{'on'} <input type='radio' name='LOGDROPHOSTILEOUT' value='on' $checked{'LOGDROPHOSTILEOUT'}{'on'} />/
+			<input type='radio' name='LOGDROPHOSTILEOUT' value='off' $checked{'LOGDROPHOSTILEOUT'}{'off'} /> $Lang::tr{'off'}
+		</td>
+	</tr>
 </table>
 <br/>
 
-- 
2.39.5