syslog: Listen to network and block access from anywhere but localhost
authorMichael Tremer <michael.tremer@ipfire.org>
Wed, 7 Nov 2018 12:29:19 +0000 (12:29 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Wed, 7 Nov 2018 20:07:53 +0000 (20:07 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/firewall/firewall-policy
src/initscripts/system/sysklogd

index c0a526f..078c3c5 100755 (executable)
@@ -57,6 +57,18 @@ HAVE_OPENVPN="true"
 
 # INPUT
 
+# Drop syslog from anywhere but localhost
+# sysklogd cannot bind to specific interface and therefore we need to
+# block access by adding firewall rules
+case "${FWPOLICY}" in
+       REJECT)
+               iptables -A POLICYIN -p udp --dport 514 -j REJECT --reject-with icmp-host-unreachable
+               ;;
+       *)
+               iptables -A POLICYIN -p udp --dport 514 -j DROP
+               ;;
+esac
+
 # Allow access from GREEN
 if [ -n "${GREEN_DEV}" ]; then
        iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
index 4482559..90fe851 100644 (file)
@@ -21,7 +21,7 @@ case "${1}" in
                loadproc klogd -c 1
 
                boot_mesg "Starting system log daemon..."
-               loadproc syslogd -m 0
+               loadproc syslogd -m 0 -r
 
                boot_mesg "Saving Bootlog..."
                if [ -e /var/log/bootlog ]; then