Bug 12850

Summary: DROP_HOSTILE IN= log message with no IN= results for green & blue
Product: IPFire
Reporter: Jon <jon.murphy>
Component: ---
Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: CLOSED NOTABUG
QA Contact:
Severity: - Unknown -
Priority: - Unknown -
CC: michael.tremer, peter.mueller
Version: 2
Hardware: unspecified
OS: Unspecified
Attachments: Log

Description Jon 2022-04-14 18:24:28 UTC
No IN= network info displayed in DROP_HOSTILE log message:

Apr 14 11:02:56 ipfire kernel: DROP_HOSTILE IN= OUT=red0 SRC=73.nnn.nnn.nnn DST=45.9.148.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19320 DF PROTO=TCP SPT=46056 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 


See:
https://community.ipfire.org/t/location-block-vs-drop-packets-from-and-to-hostile-networks-listed-at-spamhaus-drop-etc/7434/12?u=jon
Comment 1 Michael Tremer 2022-04-14 18:26:31 UTC
This probably isn't a bug. It is just a packet that originated from the firewall and therefore does not have an IN= interface.

This is most likely the web proxy since it is port 80.
Comment 2 Jon 2022-04-14 21:59:20 UTC
It was me!

I opened a browser and entered `my-authentication-x322s[.]com` just to test.


See:
https://community.ipfire.org/t/location-block-vs-drop-packets-from-and-to-hostile-networks-listed-at-spamhaus-drop-etc/7434/10?u=jon
Comment 3 Michael Tremer 2022-04-15 07:21:04 UTC
So this is NOTABUG?
Comment 4 Jon 2022-04-15 16:31:08 UTC
I think it is a bug since IN=<blank>.

It should be IN=green0.

I am hoping Peter will chime in!
Comment 5 Jon 2022-04-15 16:55:22 UTC
Created attachment 1038
Log

Just found this.  

When I open a Safari browser and enter:
`http://my-authentication-x322s.com`
then IN=<blank>


When I open a Safari browser and enter HTTPS (not HTTP):
`https://my-authentication-x322s.com`
then IN=green0
Comment 6 Michael Tremer 2022-04-19 10:11:43 UTC
(In reply to Jon from comment #4)
> I think it is a bug since IN=<blank>.
> 
> It should be IN=green0.

No, it should not. The proxy is opening a new connection which originates from the firewall itself. It might be logically tied to the connection that your browser has to the proxy, but that does not matter to the firewall.

The reason why you don't see this for HTTPS is that your proxy is in transparent mode which does not handle HTTPS.
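Added example (not part of the bug report and not IPFire code): a small log triage script that applies the distinction explained in comments 1 and 6, classifying each DROP_HOSTILE entry by its IN=/OUT= fields as firewall-originated, forwarded, or inbound to the firewall. The first sample line is the one quoted in the description; the other lines, their addresses and the function names are constructed for illustration.

```python
import re

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")      # value may be empty, as in "IN= "
ENTRY = re.compile(r"kernel: (\S+) (IN=.*)$")  # log prefix, then the LOG fields

# First line is the one quoted in the bug; the rest are constructed samples
# using documentation address ranges.
SAMPLE = [
    "Apr 14 11:02:56 ipfire kernel: DROP_HOSTILE IN= OUT=red0 SRC=73.nnn.nnn.nnn "
    "DST=45.9.148.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19320 DF PROTO=TCP "
    "SPT=46056 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 ",
    "Apr 14 11:05:10 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.0.2.20 "
    "DST=203.0.113.10 LEN=60 TTL=63 DF PROTO=TCP SPT=51514 DPT=443 SYN URGP=0 ",
    "Apr 14 11:07:31 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=203.0.113.10 "
    "DST=198.51.100.7 LEN=40 TTL=51 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0 ",
    "Apr 14 11:08:00 ipfire sshd[2211]: unrelated line without netfilter fields",
]

def parse_line(line):
    """Return (log_prefix, fields) for a kernel netfilter LOG line, else None."""
    m = ENTRY.search(line)
    if not m:
        return None
    return m.group(1), dict(FIELD.findall(m.group(2)))

def origin(fields):
    """Classify a packet by which interface fields the kernel filled in."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "forwarded"   # passed through the firewall, e.g. green0 -> red0
    if has_out:
        return "local"       # generated on the firewall itself (e.g. its proxy)
    if has_in:
        return "inbound"     # addressed to the firewall itself
    return "unknown"

def triage(lines, prefix="DROP_HOSTILE"):
    """Return (origin, IN, OUT, DST, DPT) for every entry with the given prefix."""
    rows = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == prefix:
            f = parsed[1]
            rows.append((origin(f), f.get("IN"), f.get("OUT"), f.get("DST"), f.get("DPT")))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

For an entry classified as "local", the client that triggered the request is not in the firewall log; it has to be looked up in the logs of the service that opened the connection, such as the web proxy.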