authorjim-p <jimp@pfsense.org>2013-07-09 12:00:43 -0400
committerjim-p <jimp@pfsense.org>2013-07-09 12:00:43 -0400
commita19fcb824c8d443cafa42f7d826407e475f40fa8 (patch)
tree2ae5f1a98c6d8de8057619f86c764e4e31490e68 /etc
parente7bc770e1a0846628f5d4abea252da4e30d9a6c9 (diff)
Add independent logging choices to disable logging of bogon network rules and private network rules. Add upgrade code to preserve the existing behavior for users (if default block logging was disabled, bogon/private rule logging is disabled as well). Also add a checkbox to disable the lighttpd log for people who don't want their system log spammed by lighty.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/filter.inc26
-rw-r--r--etc/inc/globals.inc2
-rw-r--r--etc/inc/system.inc11
-rw-r--r--etc/inc/upgrade_config.inc8
4 files changed, 36 insertions, 11 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index da59a6a..cbb5e79 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2606,17 +2606,22 @@ EOD;
/* block bogon networks */
/* http://www.cymru.com/Documents/bogon-bn-nonagg.txt */
/* file is automatically in cron every 3000 minutes */
+ if(!isset($config['syslog']['nologbogons']))
+ $bogonlog = "log";
+ else
+ $bogonlog = "";
+
if(isset($config['interfaces'][$on]['blockbogons'])) {
$ipfrules .= <<<EOD
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
-block in $log quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
+block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
EOD;
if(isset($config['system']['ipv6allow'])) {
$ipfrules .= <<<EOD
-block in $log quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
+block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
EOD;
}
@@ -2633,17 +2638,22 @@ EOD;
if($oc['ip'] && !($isbridged) && isset($oc['spoofcheck']))
$ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
/* block private networks ? */
+ if(!isset($config['syslog']['nologprivatenets']))
+ $privnetlog = "log";
+ else
+ $privnetlog = "";
+
if(isset($config['interfaces'][$on]['blockpriv'])) {
if($isbridged == false) {
$ipfrules .= <<<EOD
# block anything from private networks on interfaces with the option set
antispoof for \${$oc['descr']}
-block in $log quick on \${$oc['descr']} from 10.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 10/8"
-block in $log quick on \${$oc['descr']} from 127.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 127/8"
-block in $log quick on \${$oc['descr']} from 100.64.0.0/10 to any label "Block private networks from {$oc['descr']} block 100.64/10"
-block in $log quick on \${$oc['descr']} from 172.16.0.0/12 to any label "Block private networks from {$oc['descr']} block 172.16/12"
-block in $log quick on \${$oc['descr']} from 192.168.0.0/16 to any label "Block private networks from {$oc['descr']} block 192.168/16"
-block in $log quick on \${$oc['descr']} from fc00::/7 to any label "Block ULA networks from {$oc['descr']} block fc00::/7"
+block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 10/8"
+block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 127/8"
+block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any label "Block private networks from {$oc['descr']} block 100.64/10"
+block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any label "Block private networks from {$oc['descr']} block 172.16/12"
+block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any label "Block private networks from {$oc['descr']} block 192.168/16"
+block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any label "Block ULA networks from {$oc['descr']} block fc00::/7"
EOD;
}
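Review bot: The four-line if/else that derives `$bogonlog` (and, in the second hunk, `$privnetlog`) is evaluated on every pass through what looks like the per-interface loop, since it sits next to `$on`/`$oc` uses, yet it depends only on `$config['syslog']`; it reads more clearly as a single expression hoisted above the loop, `$bogonlog = isset($config['syslog']['nologbogons']) ? "" : "log";` and `$privnetlog = isset($config['syslog']['nologprivatenets']) ? "" : "log";`. Note also that the unchanged spoofcheck call just above the private-network block still passes `$log`, so spoof-check block rules keep following nologdefaultblock while the adjacent private-network rules now follow nologprivatenets; if that split is intended it deserves a one-line comment, e.g. `/* spoofcheck rules still honor the default block logging setting */`. The enclosing function starts and ends outside both hunks.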
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index a8871b4..cfea703 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -71,7 +71,7 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "9.6",
+ "latest_config" => "9.7",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index bbf0180..7674e14 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -904,6 +904,14 @@ function system_generate_lighty_config($filename,
else
$fast_cgi_path = "{$g['tmp_path']}/php-fastcgi.socket";
+ if(!isset($config['syslog']['nologlighttpd'])) {
+ $lighty_use_syslog = <<<EOD
+## where to send error-messages to
+server.errorlog-use-syslog="enable"
+EOD;
+ }
+
+
$fastcgi_config = <<<EOD
#### fastcgi module
## read fastcgi.txt for more info
@@ -952,8 +960,7 @@ server.document-root = "{$document_root}"
# Maximum idle time with nothing being written (php downloading)
server.max-write-idle = 999
-## where to send error-messages to
-server.errorlog-use-syslog="enable"
+{$lighty_use_syslog}
# files to check for if .../ is requested
server.indexfiles = ( "index.php", "index.html",
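Review bot: `$lighty_use_syslog` is only assigned when nologlighttpd is unset, but the second hunk interpolates it unconditionally via `{$lighty_use_syslog}`, so enabling the option leaves the variable undefined at that point and raises a PHP undefined-variable notice (unless it is initialised earlier in system_generate_lighty_config, outside the hunk). Initialise it before the check, `$lighty_use_syslog = "";`, so the disabled case deliberately yields an empty directive. Worth a comment as well: with `server.errorlog-use-syslog` dropped and no `server.errorlog` path visible in this hunk, lighttpd error messages appear to be discarded entirely rather than redirected, which removes the only record of web-GUI server errors; `## nologlighttpd set: lighttpd error messages are not logged anywhere` would make that trade-off explicit to the next reader.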
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index fad204e..f7c5240 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -3111,4 +3111,12 @@ function upgrade_095_to_096() {
enable_rrd_graphing();
}
+function upgrade_096_to_097() {
+ global $config, $g;
+ /* If the user had disabled default block rule logging before, then bogon/private network logging was already off, so respect their choice. */
+ if (isset($config['syslog']['nologdefaultblock'])) {
+ $config['syslog']['nologbogons'] = true;
+ $config['syslog']['nologprivatenets'] = true;
+ }
+}
?>
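Review bot: `upgrade_096_to_097` declares `global $config, $g;` but never reads `$g`; drop it to `global $config;` so the function's dependencies match what it uses. The migration sets `nologbogons` and `nologprivatenets` only when `nologdefaultblock` was already present, which is the right way to keep the previously combined logging behaviour for existing installs; the nologlighttpd option is intentionally left unset so lighttpd keeps logging to syslog, and stating that in the existing comment, e.g. `/* nologlighttpd is left unset: lighttpd syslog output stays enabled as before. */`, would save the next reader from wondering whether it was forgotten.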