From 9f60aa96795f8a9f6131c3350f96911ad4dcc389 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 7 Nov 2018 12:29:19 +0000
Subject: [PATCH] syslog: Listen to network and block access from anywhere but localhost
Signed-off-by: Michael Tremer
---
 config/firewall/firewall-policy | 12 ++++++++++++
 src/initscripts/system/sysklogd | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/config/firewall/firewall-policy b/config/firewall/firewall-policy
index c0a526f225..078c3c515c 100755
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,18 @@ HAVE_OPENVPN="true"
 # INPUT
+# Drop syslog from anywhere but localhost
+# sysklogd cannot bind to specific interface and therefore we need to
+# block access by adding firewall rules
+case "${FWPOLICY}" in
+ REJECT)
+ iptables -A POLICYIN -p udp --dport 514 -j REJECT --reject-with icmp-host-unreachable
+ ;;
+ *)
+ iptables -A POLICYIN -p udp --dport 514 -j DROP
+ ;;
+esac
+
 # Allow access from GREEN
 if [ -n "${GREEN_DEV}" ]; then
 iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
diff --git a/src/initscripts/system/sysklogd b/src/initscripts/system/sysklogd
index 4482559b3b..90fe851dec 100644
--- a/src/initscripts/system/sysklogd
+++ b/src/initscripts/system/sysklogd
@@ -21,7 +21,7 @@ case "${1}" in
 loadproc klogd -c 1
 boot_mesg "Starting system log daemon..."
- loadproc syslogd -m 0
+ loadproc syslogd -m 0 -r
 boot_mesg "Saving Bootlog..."
 if [ -e /var/log/bootlog ]; then
-- 
2.39.2
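Review bot: The new `case` block drops or rejects every UDP/514 packet that reaches POLICYIN without exempting loopback, so the "anywhere but localhost" behaviour promised in the title only holds if an `-i lo` accept already sits earlier in INPUT, which this hunk does not show. If that ordering is not guaranteed, the exemption should be made explicit and kept next to the rules it qualifies, e.g. `iptables -A POLICYIN -i lo -p udp --dport 514 -j ACCEPT` inserted just before the `case`, with the block comment extended to say that localhost is allowed through by that rule. These rules also only touch the IPv4 tables; if syslogd also opens an IPv6 socket (I could not confirm that from here) an equivalent ip6tables rule is needed or the restriction is bypassable over v6. Lastly, `--reject-with icmp-host-unreachable` for a single blocked port reads oddly — `icmp-port-unreachable` is the conventional reply unless the rest of the file deliberately uses host-unreachable everywhere.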
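Review bot: `-r` makes syslogd accept messages on UDP/514 from the network, but the init script carries no comment saying why it was added or what keeps that socket from being reachable, so a later maintainer has no cue that this flag and the firewall-policy rules belong together. A one-line why-comment above the call would tie them: `# -r: accept syslog over UDP/514; firewall-policy limits this to localhost`. Note also that the protection now depends on those firewall rules being loaded whenever syslogd runs; if this script starts before the firewall is applied at boot, the socket is briefly open on all interfaces — I cannot confirm the start order from this hunk. The enclosing `case "${1}" in` starts and ends outside the hunk.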