Bug 12850 - DROP_HOSTILE IN= log message with no IN= results for green & blue
Status: CLOSED NOTABUG
Product: IPFire
Version: 2
Assignee: Assigned to nobody - feel free to grab it and work on it
Reported: 2022-04-14 18:24 UTC by Jon
Modified: 2022-04-19 10:11 UTC

Attachments
Log (359.04 KB, image/png)
2022-04-15 16:55 UTC, Jon
Description Jon 2022-04-14 18:24:28 UTC
No IN= network info displayed in DROP_HOSTILE log message:

Apr 14 11:02:56 ipfire kernel: DROP_HOSTILE IN= OUT=red0 SRC=73.nnn.nnn.nnn DST=45.9.148.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19320 DF PROTO=TCP SPT=46056 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 


See:
https://community.ipfire.org/t/location-block-vs-drop-packets-from-and-to-hostile-networks-listed-at-spamhaus-drop-etc/7434/12?u=jon
Comment 1 Michael Tremer 2022-04-14 18:26:31 UTC
This probably isn't a bug. It is just a packet that originated from the firewall and therefore does not have an IN= interface.

This is most likely the web proxy since it is port 80.
Comment 2 Jon 2022-04-14 21:59:20 UTC
It was me!

I opened a browser and entered `my-authentication-x322s[.]com` just to test.


See:
https://community.ipfire.org/t/location-block-vs-drop-packets-from-and-to-hostile-networks-listed-at-spamhaus-drop-etc/7434/10?u=jon
Comment 3 Michael Tremer 2022-04-15 07:21:04 UTC
So this is NOTABUG?
Comment 4 Jon 2022-04-15 16:31:08 UTC
I think it is a bug since IN=<blank>.

It should be IN=green0.

I am hoping Peter will chime in!
Comment 5 Jon 2022-04-15 16:55:22 UTC
Created attachment 1038
Log

Just found this.  

When I open a Safari browser and enter:
`http://my-authentication-x322s.com`
then IN=<blank>


When I open a Safari browser and enter HTTPS (not HTTP):
`https://my-authentication-x322s.com`
then IN=green0
Comment 6 Michael Tremer 2022-04-19 10:11:43 UTC
(In reply to Jon from comment #4)
> I think it is a bug since IN=<blank>.
> 
> It should be IN=green0.

No, it should not. The proxy is opening a new connection which originates from the firewall itself. It might be logically tied to the connection that your browser has to the proxy, but that does not matter to the firewall.

The reason why you don't see this for HTTPS is that your proxy is in transparent mode which does not handle HTTPS.
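
Added example, not part of the bug thread or of IPFire's code: a small triage script that reads netfilter LOG lines such as the one in the description and classifies each hit by which of IN= and OUT= the kernel filled in, so an empty IN= is reported as traffic generated on the firewall itself (for example by the proxy) rather than as a logging fault. The first sample line is the one from the description; the other two, the function names and the category labels are constructed for illustration.

```python
import re
from collections import Counter

# key=value pairs written by the netfilter LOG target; a value may be empty ("IN= ").
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# The log prefix (e.g. DROP_HOSTILE) sits between "kernel:" and the IN= field.
PREFIX_RE = re.compile(r"kernel:\s+(\S+)\s+IN=")

def parse(line):
    """Return (prefix, fields) for one kernel firewall log line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    return m.group(1), dict(FIELD_RE.findall(line))

def origin(fields):
    """Classify a packet by the interface fields present in the log line."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "forwarded"   # a client behind the firewall, routed through it
    if has_out:
        return "local-out"   # generated on the firewall itself (proxy, resolver, ...)
    if has_in:
        return "local-in"    # received by the firewall, not routed onward
    return "unknown"

def summarize(lines, prefix="DROP_HOSTILE"):
    """Count hits per (origin, destination address, destination port)."""
    counts = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[0] == prefix:
            f = parsed[1]
            counts[(origin(f), f.get("DST"), f.get("DPT"))] += 1
    return counts

SAMPLE_LINES = [
    # From the bug description: empty IN=, so the packet came from the firewall itself.
    "Apr 14 11:02:56 ipfire kernel: DROP_HOSTILE IN= OUT=red0 SRC=73.nnn.nnn.nnn DST=45.9.148.44 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=19320 DF PROTO=TCP SPT=46056 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 ",
    # Constructed: a green client connecting directly (HTTPS is not proxied in transparent mode).
    "Apr 15 09:00:00 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=50000 DPT=443 SYN URGP=0 ",
    # Constructed: a packet arriving on red0 addressed to the firewall.
    "Apr 15 09:00:05 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=51 PROTO=TCP SPT=443 DPT=50000 URGP=0 ",
]

if __name__ == "__main__":
    for (kind, dst, dpt), n in summarize(SAMPLE_LINES).items():
        print(f"{kind:10} dst={dst} dpt={dpt} hits={n}")
```

For "local-out" hits on port 80, the requesting client does not appear in the firewall log at all; the proxy's own access log is where to look for it.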