Very picky small item. There is a space missing between the BLKLST_BOGON and the IN. I only see 4 of the blocklist items in my message log and I see this in all four items.

IPFire 2.27 (x86_64) - Core-Update 170 (stable)

```
cat /var/log/messages | grep "kernel:"
. . .
Sep 18 20:43:40 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:43:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:43:51 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:43:55 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:43:56 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=
Sep 18 20:44:04 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:44:10 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=
Sep 18 20:44:11 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:44:13 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=
Sep 18 20:44:16 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:44:21 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:44:30 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=
Sep 18 20:44:33 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:44:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:45:01 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=
Sep 18 20:45:15 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:45:16 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:45:22 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:45:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
Sep 18 20:45:59 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=
Sep 18 20:46:16 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC=
```
I believe this is one for Peter. This is more than aesthetic, because the log parser won't be able to parse those lines and there should only be garbage in the web UI.
I submitted a patch:

> https://patchwork.ipfire.org/project/ipfire/patch/20221007162116.90603-1-michael.tremer@ipfire.org/
Just tested on: APU4d4, IPFire 2.27 (x86_64) - Core-Update 171

Did this patch not make it into CU 171?
On my IPFire 2.27 (x86_64) - Core-Update 171 system, it seems to "not" be working as desired per this log entry:

```
Oct 22 16:15:43 ipfire kernel: BLKLST_BLOCKLIST_DEIN=red0 OUT= ...
```
(In reply to Jon from comment #3)

> Did this patch not make it into CU 171?

It did, but as a last minute change.
(In reply to Michael Tremer from comment #5)

> (In reply to Jon from comment #3)
> > Did this patch not make it into CU 171?
>
> It did, but as a last minute change.

Still seeing the missing space condition ...

```
/etc/system-release:IPFire 2.27 (x86_64) - core171
Oct 26 08:52:13 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:52:29 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:52:34 ipfire kernel: BLKLST_BLOCKLIST_DEIN=red0 OUT= MAC=d0:
Oct 26 08:53:09 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:53:44 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:54:43 ipfire kernel: BLKLST_3CORESEC_BLACKLISTIN=red0 OUT= M
Oct 26 08:54:53 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:55:22 ipfire kernel: BLKLST_DSHIELDIN=red0 OUT= MAC=d0:37:45
Oct 26 08:57:08 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:57:48 ipfire kernel: BLKLST_3CORESEC_BLACKLISTIN=red0 OUT= M
Oct 26 08:58:14 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:58:16 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 08:59:44 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:00:04 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:01:00 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:01:20 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:01:47 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:02:40 ipfire kernel: BLKLST_DSHIELDIN=red0 OUT= MAC=d0:37:45
Oct 26 09:03:14 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:03:36 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:03:41 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:04:35 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:04:50 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:05:15 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:06:27 ipfire kernel: BLKLST_3CORESEC_BLACKLISTIN=red0 OUT= M
Oct 26 09:07:41 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
Oct 26 09:08:38 ipfire kernel: BLKLST_CIARMYIN=red0 OUT= MAC=d0:37:45:
```
Could you please post a dump of your iptables ruleset?
Created attachment 1116 [details]
patch missing

The patch didn't make it into CU 171. Here is my current rules file from CU 171:

```perl
# Check if logging is enabled.
if($blocklistsettings{'LOGGING'} eq "on") {
	# Create logging rule.
	run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
}
```
This patch:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=dc84e16d4d058460febe9332435307d93d36d82e

is part of the latest build:

> https://git.ipfire.org/?p=ipfire-2.x.git;a=shortlog;h=refs/heads/core171

It is number 6 on the list.
Did rules.pl get shipped for cu171?

```
[root@ipfire /]# grep BLKLST /usr/lib/firewall/rules.pl
run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
```
It looks like it is missing the quotes in the dump, like this: "BLKLST_TOR_ALL "

```
[root@ipfire ~] # iptables-save | grep BLKLST_
-A ALIENVAULT_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_ALIENVAULT
-A BLOCKLIST_DE_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_BLOCKLIST_DE
-A BOGON_FULL_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_BOGON_FULL
-A CIARMY_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_CIARMY
-A DSHIELD_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_DSHIELD
-A EMERGING_COMPROMISED_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_EMERGING_COMPROMISED
-A EMERGING_FWRULE_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_EMERGING_FWRULE
-A FEODO_AGGRESSIVE_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_FEODO_AGGRESSIVE
-A SHODAN_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_SHODAN
-A SPAMHAUS_DROP_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_SPAMHAUS_DROP
-A SPAMHAUS_EDROP_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_SPAMHAUS_EDROP
-A TOR_ALL_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_TOR_ALL
```
I just manually added the patch and now it seems to work ...

```
Oct 26 10:04:16 ipfire kernel: BLKLST_CIARMY IN=red0 OUT= MAC=d0:37
```
If I understand the code, the `\"BLKLST_$blocklist\" ");` should be more like this:

```perl
--log-prefix 'BLKLST_$blocklist '");
```

like the $CHAIN_OUTPUT or $CHAIN_INPUT

```
[root@ipfire ~] # cat /usr/lib/firewall/rules.pl | grep "log-prefix"
run("$IPTABLES -t nat -A $CHAIN_NAT_DESTINATION @nat_options @log_limit_options -j LOG --log-prefix 'DNAT '");
run("$IPTABLES -t nat -A $CHAIN_NAT_SOURCE @nat_options @snat_options @log_limit_options -j LOG --log-prefix 'SNAT '");
run("$IPTABLES -A $chain @options @source_intf_options @destination_intf_options @log_limit_options -j LOG --log-prefix '$chain '");
run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
run("$IPTABLES -A ${blocklist}_DROP -j LOG -m limit --limit 10/second --log-prefix \"BLKLST_$blocklist\" ");
[root@ipfire ~] #
```
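Added example (not code from this thread or from IPFire) showing why the missing trailing space matters: a simplified stand-in for a kernel-log parser that splits the prefix from the `IN=` field fails on `BLKLST_BOGONIN=green0` but succeeds on `BLKLST_CIARMY IN=red0`, plus a check over constructed `iptables-save` output that flags LOG rules whose prefix does not end in a space. The log and rule lines are constructed samples in the shape quoted above; the parser's regex is an assumption, not IPFire's actual log.dat logic.

```python
import re

# Constructed sample lines in the shape of the kernel log quoted in this thread.
SAMPLE_MESSAGES = [
    "Sep 18 20:43:40 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.1",
    # Broken: prefix lacks its trailing space, so the prefix fuses with the IN= field.
    "Sep 18 20:43:46 ipfire kernel: BLKLST_BOGONIN=green0 OUT=red0 MAC= SRC=192.0.2.11 DST=198.51.100.1",
    # Fixed: prefix written as "BLKLST_CIARMY " by the patched rule.
    "Oct 26 10:04:16 ipfire kernel: BLKLST_CIARMY IN=red0 OUT= MAC= SRC=192.0.2.12 DST=198.51.100.1",
]

# Simplified parser (assumption): a log entry is <prefix> followed by a space and key=value fields starting with IN=.
LOG_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<fields>IN=.*)$")

def parse_kernel_log(line):
    """Return (prefix, {key: value}) or None when prefix and IN= field cannot be separated."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return m.group("prefix"), fields

# Constructed iptables-save lines: iptables-save double-quotes a prefix only when it contains a space.
SAMPLE_IPTABLES_SAVE = [
    "-A CIARMY_DROP -m limit --limit 10/sec -j LOG --log-prefix BLKLST_CIARMY",
    '-A INPUT -m limit --limit 10/sec -j LOG --log-prefix "DROP_INPUT "',
    "-A FORWARD -j ACCEPT",
]

PREFIX_RE = re.compile(r'--log-prefix (?:"([^"]*)"|(\S+))')

def prefixes_missing_space(rules):
    """Return the --log-prefix values in an iptables-save dump that do not end with a space."""
    bad = []
    for rule in rules:
        m = PREFIX_RE.search(rule)
        if not m:
            continue
        prefix = m.group(1) if m.group(1) is not None else m.group(2)
        if not prefix.endswith(" "):
            bad.append(prefix)
    return bad

if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(parse_kernel_log(line))
    print("prefixes without trailing space:", prefixes_missing_space(SAMPLE_IPTABLES_SAVE))
```

Running `iptables-save | grep -- --log-prefix` on the firewall and feeding the lines to `prefixes_missing_space` gives a quick post-update check that every LOG rule carries its trailing space.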
Jon, Michael

It seems the issue here is that rules.pl was not shipped ... or is somehow not getting properly deployed with the cu170 update.

-Charles
(In reply to Charles Brown from comment #14)

> Jon, Michael
>
> It seems the issue here is that rules.pl was not shipped ... or is somehow
> not getting properly deployed with the cu170 update.
>
> -Charles

Ugh, make that cu171 ... :-)
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=44fc05f634ab3829ea368428845bd4d5412cc2a9

Indeed, while Core Update 171 shipped glibc, shipping the rules.pl file was omitted by mistake. Aforementioned patch now includes this file in Core Update 172, so this bug will be fixed on existing installations then. Apologies for the delay, should have double-checked that before releasing Core Update 171.
https://blog.ipfire.org/post/ipfire-2-27-core-update-172-is-available-for-testing
https://blog.ipfire.org/post/ipfire-2-27-core-update-172-released
Created attachment 1129 [details]
my test env set-up

My APU test environment has no direct Internet connection. It is connected to the DMZ of my production environment. Can someone offer a detailed firewall rule example of how I can push all external internet trash to my test environment?
Forgot to add - without the Internet trash coming in I do not receive any BLKLST_* hits. So I am unable to test at this time...
Took a shot and installed CU 172 stable. All works great with the BLKLST_*! Thank you!