Bug 12934

Summary: message log missing space for blocklist items (e.g., BLKLST_BOGON, BLKLST_CIARMY)
Product: IPFire
Reporter: Jon <jon.murphy>
Component: ---
Assignee: Michael Tremer <michael.tremer>
Status: CLOSED FIXED
QA Contact:
Severity: - Unknown -
Priority: - Unknown -
CC: cab_77573, michael.tremer, peter.mueller
Version: 2
Hardware: unspecified
OS: Unspecified
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=12949
Attachments: patch missing; my test env set-up

Description Jon 2022-09-19 02:03:03 UTC
Very picky small item.  There is a space missing between the BLKLST_BOGON and the IN.  

I only see 4 of the blocklist items in my message log and I see this in all four items.

IPFire 2.27 (x86_64) - Core-Update 170 (stable)


```
cat /var/log/messages | grep "kernel:"
. . .
Sep 18 20:43:40 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= 
Sep 18 20:43:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC= 
Sep 18 20:43:51 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= 
Sep 18 20:43:55 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= 
Sep 18 20:43:56 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC= 
Sep 18 20:44:04 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= 
Sep 18 20:44:10 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC= 
Sep 18 20:44:11 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= 
Sep 18 20:44:13 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC= 
Sep 18 20:44:16 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC= 
Sep 18 20:44:21 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= 
Sep 18 20:44:30 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC= 
Sep 18 20:44:33 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= 
Sep 18 20:44:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:45:01 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=
Sep 18 20:45:15 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:45:16 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:45:22 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:45:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:45:59 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:46:16 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
```
Comment 1 Michael Tremer 2022-09-19 07:24:22 UTC
I believe this is one for Peter.

This is more than aesthetic, because the log parser won't be able to parse those lines and there should only be garbage in the web UI.
Comment 3 Jon 2022-10-22 14:56:50 UTC
Just tested on:
APU4d4
IPFire 2.27 (x86_64) - Core-Update 171

Did this patch not make it into CU 171?
Comment 4 Charles Brown 2022-10-22 21:57:32 UTC
On my IPFire 2.27 (x86_64) - Core-Update 171 system, it seems to "not" be working as desired per this log entry: 

Oct 22 16:15:43 ipfire kernel: BLKLST_BLOCKLIST_DEIN=red0 OUT= ...
Comment 5 Michael Tremer 2022-10-26 14:16:50 UTC
(In reply to Jon from comment #3)
> Did this patch not make it into CU 171?

It did, but as a last minute change.
Comment 6 Charles Brown 2022-10-26 14:30:20 UTC
(In reply to Michael Tremer from comment #5)
> (In reply to Jon from comment #3)
> > Did this patch not make it into CU 171?
> 
> It did, but as a last minute change.

Still seeing the missing space condition ...

```
/etc/system-release:IPFire 2.27 (x86_64) - core171
```

```
Oct 26 08:52:13 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:52:29 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:52:34 ipfire kernel: BLKLST_BLOCKLIST_DEIN=red0 OUT= MAC=d0:
Oct 26 08:53:09 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:53:44 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:54:43 ipfire kernel: BLKLST_3CORESEC_BLACKLISTIN=red0 OUT= M
Oct 26 08:54:53 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:55:22 ipfire kernel: BLKLST_DSHIELDIN=red0 OUT= MAC=d0:37:45
Oct 26 08:57:08 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:57:48 ipfire kernel: BLKLST_3CORESEC_BLACKLISTIN=red0 OUT= M
Oct 26 08:58:14 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:58:16 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:59:44 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:00:04 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:01:00 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:01:20 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:01:47 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:02:40 ipfire kernel: BLKLST_DSHIELDIN=red0 OUT= MAC=d0:37:45
Oct 26 09:03:14 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:03:36 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:03:41 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:04:35 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:04:50 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:05:15 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:06:27 ipfire kernel: BLKLST_3CORESEC_BLACKLISTIN=red0 OUT= M
Oct 26 09:07:41 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:08:38 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
```
Comment 7 Michael Tremer 2022-10-26 14:31:09 UTC
Could you please post a dump of your iptables ruleset?
Comment 8 Jon 2022-10-26 14:39:06 UTC
Created attachment 1116 [details]
patch missing

The patch didn't make it into CU 171.

Here is my current rules file from CU 171:

```
# Check if logging is enabled.
if($blocklistsettings{'LOGGING'} eq "on") {
	# Create logging rule.
	run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
}
```
Comment 10 Charles Brown 2022-10-26 14:56:26 UTC
Did rules.pl get shipped for cu171?


```
[root@ipfire /]# grep BLKLST /usr/lib/firewall/rules.pl
				run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
```
Comment 11 Jon 2022-10-26 14:57:54 UTC
It looks like it is missing the quotes in the dump, like this: "BLKLST_TOR_ALL "


```
[root@ipfire ~] # iptables-save | grep BLKLST_
-A ALIENVAULT_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_ALIENVAULT
-A BLOCKLIST_DE_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_BLOCKLIST_DE
-A BOGON_FULL_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_BOGON_FULL
-A CIARMY_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_CIARMY
-A DSHIELD_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_DSHIELD
-A EMERGING_COMPROMISED_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_EMERGING_COMPROMISED
-A EMERGING_FWRULE_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_EMERGING_FWRULE
-A FEODO_AGGRESSIVE_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_FEODO_AGGRESSIVE
-A SHODAN_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_SHODAN
-A SPAMHAUS_DROP_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_SPAMHAUS_DROP
-A SPAMHAUS_EDROP_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_SPAMHAUS_EDROP
-A TOR_ALL_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_TOR_ALL
```
Comment 12 Charles Brown 2022-10-26 15:05:01 UTC
I just manually added the patch and now it seems to work ...

Oct 26 10:04:16 ipfire kernel: BLKLST_CIARMY IN=red0 OUT= MAC=d0:37
Comment 13 Jon 2022-10-26 15:07:53 UTC
If I understand the code, the `\"BLKLST_$blocklist\" ");` should be more like this:

```
--log-prefix 'BLKLST_$blocklist '");
```


Like the `$CHAIN_OUTPUT` or `$CHAIN_INPUT` rules:



```
[root@ipfire ~] # cat /usr/lib/firewall/rules.pl | grep "log-prefix"
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
[root@ipfire ~] #
```
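Added example (not from this bug report or from IPFire's code): a small Python check that shows why the glued prefix defeats a whitespace-tokenising log parser, which is the concern raised in comment 1, and that verifies a deployed ruleset carries the trailing space discussed in comments 11 and 13. The sample log and iptables-save lines are constructed from the excerpts quoted above.

```python
import re
import shlex

# Sample input constructed from the excerpts quoted in this bug report.
KERNEL_LOG = [
    "Sep 18 20:43:40 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= ",
    "Sep 18 20:43:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC= ",
    "Oct 26 08:52:34 ipfire kernel: BLKLST_BLOCKLIST_DEIN=red0 OUT= MAC=",
    "Oct 26 10:04:16 ipfire kernel: BLKLST_CIARMY IN=red0 OUT= MAC=",
]
IPTABLES_SAVE = [
    '-A CIARMY_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_CIARMY',
    '-A CIARMY_DROP -m limit --limit 10/sec -j LOG --log-prefix "BLKLST_CIARMY "',
]

# Netfilter writes the --log-prefix text verbatim in front of "IN=...", so a
# prefix without a trailing space is glued onto the first field.
LINE_RE = re.compile(r" kernel: (?P<prefix>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*)")
GLUED_RE = re.compile(r" kernel: (?P<prefix>[A-Z0-9_]+)IN=")


def parse_log_line(line):
    """Parse a LOG line the way a whitespace-tokenising parser does.
    Returns (prefix, in_iface, out_iface), or None when the prefix and
    "IN=" have run together and the chain name cannot be tokenised."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("prefix"), m.group("in"), m.group("out")


def glued_prefixes(lines):
    """Chain names whose LOG rule lacks the trailing space (lines the parser drops)."""
    found = set()
    for line in lines:
        m = GLUED_RE.search(line)
        if m and parse_log_line(line) is None:
            found.add(m.group("prefix"))
    return sorted(found)


def log_prefix_ok(rule):
    """Check one iptables-save rule: the --log-prefix value must end in a space.
    iptables-save quotes a prefix containing a space, so shlex recovers it; a
    bare unquoted value is the broken form. Returns None if no prefix is set."""
    argv = shlex.split(rule)
    if "--log-prefix" not in argv:
        return None
    return argv[argv.index("--log-prefix") + 1].endswith(" ")
```

Running `glued_prefixes` over /var/log/messages and `log_prefix_ok` over `iptables-save` output after a Core Update confirms whether the rules.pl fix is actually deployed.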
Comment 14 Charles Brown 2022-10-26 16:01:58 UTC
Jon, Michael

It seems the issue here is that rules.pl was not shipped ... or is somehow not getting properly deployed with the cu170 update.

-Charles
Comment 15 Charles Brown 2022-10-26 16:03:45 UTC
(In reply to Charles Brown from comment #14)
> Jon, Michael
> 
> It seems the issue here is that rules.pl was not shipped ... or is somehow
> not getting properly deployed with the cu170 update.
> 
> -Charles

Ugh, make that cu171 ...  :-)
Comment 16 Peter Müller 2022-10-29 09:07:03 UTC
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=44fc05f634ab3829ea368428845bd4d5412cc2a9

Indeed, while Core Update 171 shipped glibc, shipping the rules.pl file was omitted by mistake. Aforementioned patch now includes this file in Core Update 172, so this bug will be fixed on existing installations then.

Apologies for the delay, should have double-checked that before releasing Core Update 171.
Comment 19 Jon 2022-12-29 20:24:17 UTC
Created attachment 1129 [details]
my test env set-up

My APU test environment has no direct Internet connection.  It is connected to the DMZ of my production environment.

Can someone offer a detailed firewall rule example of how I can push all external internet trash to my test environment?
Comment 20 Jon 2022-12-29 20:26:01 UTC
Forgot to add: without the Internet trash coming in I do not receive any BLKLST_* hits. So I am unable to test at this time...
Comment 21 Jon 2022-12-30 19:05:40 UTC
Took a shot and installed CU 172 stable.  All works great with the BLKLST_*!  Thank you!