-rw-r--r-- | etc/inc/filter.inc | 26 | ||||
-rw-r--r-- | etc/inc/globals.inc | 2 | ||||
-rw-r--r-- | etc/inc/system.inc | 11 | ||||
-rw-r--r-- | etc/inc/upgrade_config.inc | 8 | ||||
-rwxr-xr-x | usr/local/www/diag_logs_settings.php | 47 |
5 files changed, 75 insertions, 19 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index c562be2..699ef96 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2613,17 +2613,22 @@ EOD;
 /* block bogon networks */
 /* http://www.cymru.com/Documents/bogon-bn-nonagg.txt */
 /* file is automatically in cron every 3000 minutes */
+ if(!isset($config['syslog']['nologbogons']))
+ $bogonlog = "log";
+ else
+ $bogonlog = "";
+
 if(isset($config['interfaces'][$on]['blockbogons'])) {
 $ipfrules .= <<<EOD
 # block bogon networks
 # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
 # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
-block in $log quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
+block in $bogonlog quick on \${$oc['descr']} from <bogons> to any label "block bogon IPv4 networks from {$oc['descr']}"
 EOD;
 if(isset($config['system']['ipv6allow'])) {
 $ipfrules .= <<<EOD
-block in $log quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
+block in $bogonlog quick on \${$oc['descr']} from <bogonsv6> to any label "block bogon IPv6 networks from {$oc['descr']}"
 EOD;
 }
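Review bot: The `$bogonlog` selection at the top of the hunk depends only on `$config['syslog']['nologbogons']`, yet it sits next to the per-interface `$on`/`$oc` handling and so appears to be recomputed for every interface; the same applies to `$privnetlog` in the following hunk. Both could be computed once, next to the existing `$log`, as a single expression such as `$bogonlog = isset($config['syslog']['nologbogons']) ? "" : "log";`. The enclosing function and any loop around this code begin outside the hunk, so the exact placement has to be checked there. A short comment, e.g. `/* bogon and private-network block rules have their own logging switches, independent of the default-block setting in $log */`, would explain why `$log` is no longer used for these rules while the spoofcheck call still receives it.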
@@ -2640,17 +2645,22 @@ EOD;
 if($oc['ip'] && !($isbridged) && isset($oc['spoofcheck']))
 $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
 /* block private networks ? */
+ if(!isset($config['syslog']['nologprivatenets']))
+ $privnetlog = "log";
+ else
+ $privnetlog = "";
+
 if(isset($config['interfaces'][$on]['blockpriv'])) {
 if($isbridged == false) {
 $ipfrules .= <<<EOD
 # block anything from private networks on interfaces with the option set
 antispoof for \${$oc['descr']}
-block in $log quick on \${$oc['descr']} from 10.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 10/8"
-block in $log quick on \${$oc['descr']} from 127.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 127/8"
-block in $log quick on \${$oc['descr']} from 100.64.0.0/10 to any label "Block private networks from {$oc['descr']} block 100.64/10"
-block in $log quick on \${$oc['descr']} from 172.16.0.0/12 to any label "Block private networks from {$oc['descr']} block 172.16/12"
-block in $log quick on \${$oc['descr']} from 192.168.0.0/16 to any label "Block private networks from {$oc['descr']} block 192.168/16"
-block in $log quick on \${$oc['descr']} from fc00::/7 to any label "Block ULA networks from {$oc['descr']} block fc00::/7"
+block in $privnetlog quick on \${$oc['descr']} from 10.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 10/8"
+block in $privnetlog quick on \${$oc['descr']} from 127.0.0.0/8 to any label "Block private networks from {$oc['descr']} block 127/8"
+block in $privnetlog quick on \${$oc['descr']} from 100.64.0.0/10 to any label "Block private networks from {$oc['descr']} block 100.64/10"
+block in $privnetlog quick on \${$oc['descr']} from 172.16.0.0/12 to any label "Block private networks from {$oc['descr']} block 172.16/12"
+block in $privnetlog quick on \${$oc['descr']} from 192.168.0.0/16 to any label "Block private networks from {$oc['descr']} block 192.168/16"
+block in $privnetlog quick on \${$oc['descr']} from fc00::/7 to any label "Block ULA networks from {$oc['descr']} block fc00::/7"
 EOD;
 }
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index 84139f8..07dd413 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -71,7 +71,7 @@ $g = array(
 "disablecrashreporter" => false,
 "crashreporterurl" => "http://crashreporter.pfsense.org/crash_reporter.php",
 "debug" => false,
- "latest_config" => "9.6",
+ "latest_config" => "9.7",
 "nopkg_platforms" => array("cdrom"),
 "minimum_ram_warning" => "101",
 "minimum_ram_warning_text" => "128 MB",
diff --git a/etc/inc/system.inc b/etc/inc/system.inc
index 5f5e179..0a5fba5 100644
--- a/etc/inc/system.inc
+++ b/etc/inc/system.inc
@@ -963,6 +963,14 @@ function system_generate_lighty_config($filename,
 else
 $fast_cgi_path = "{$g['tmp_path']}/php-fastcgi.socket";
+ if(!isset($config['syslog']['nologlighttpd'])) {
+ $lighty_use_syslog = <<<EOD
+## where to send error-messages to
+server.errorlog-use-syslog="enable"
+EOD;
+ }
+
+
 $fastcgi_config = <<<EOD
 #### fastcgi module
 ## read fastcgi.txt for more info
@@ -1011,8 +1019,7 @@ server.document-root = "{$document_root}"
 # Maximum idle time with nothing being written (php downloading)
 server.max-write-idle = 999
-## where to send error-messages to
-server.errorlog-use-syslog="enable"
+{$lighty_use_syslog}
 # files to check for if .../ is requested
 server.indexfiles = ( "index.php", "index.html",
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index fad204e..f7c5240 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
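Review bot: In system.inc, `$lighty_use_syslog` is assigned only when `nologlighttpd` is unset, but the second system.inc hunk interpolates `{$lighty_use_syslog}` into the heredoc unconditionally; with the option set this reads an undefined variable (a PHP notice plus an empty line in the generated config). Initialise it before the branch: `$lighty_use_syslog = "";`. Note also that when the `server.errorlog-use-syslog` block is omitted, nothing in the hunks shown configures another destination (no `server.errorlog` line is added), so lighttpd error output is discarded rather than redirected; confirm that silent loss is the intended meaning of unticking the option, since those errors are an input to operational monitoring. `system_generate_lighty_config` begins and ends outside the hunk.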
@@ -3111,4 +3111,12 @@ function upgrade_095_to_096() {
 enable_rrd_graphing();
 }
+function upgrade_096_to_097() {
+ global $config, $g;
+ /* If the user had disabled default block rule logging before, then bogon/private network logging was already off, so respect their choice. */
+ if (isset($config['syslog']['nologdefaultblock'])) {
+ $config['syslog']['nologbogons'] = true;
+ $config['syslog']['nologprivatenets'] = true;
+ }
+}
 ?>
diff --git a/usr/local/www/diag_logs_settings.php b/usr/local/www/diag_logs_settings.php
index 42cf79e..ee4fdd8 100755
--- a/usr/local/www/diag_logs_settings.php
+++ b/usr/local/www/diag_logs_settings.php
@@ -63,6 +63,9 @@ $pconfig['logall'] = isset($config['syslog']['logall']);
 $pconfig['system'] = isset($config['syslog']['system']);
 $pconfig['enable'] = isset($config['syslog']['enable']);
 $pconfig['logdefaultblock'] = !isset($config['syslog']['nologdefaultblock']);
+$pconfig['logbogons'] = !isset($config['syslog']['nologbogons']);
+$pconfig['logprivatenets'] = !isset($config['syslog']['nologprivatenets']);
+$pconfig['loglighttpd'] = !isset($config['syslog']['nologlighttpd']);
 $pconfig['rawfilter'] = isset($config['syslog']['rawfilter']);
 $pconfig['filterdescriptions'] = $config['syslog']['filterdescriptions'];
 $pconfig['disablelocallogging'] = isset($config['syslog']['disablelocallogging']);
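Review bot: `$g` is imported by `global $config, $g;` in `upgrade_096_to_097` but never referenced in the body, so `global $config;` is sufficient. The explanatory comment is a single very long line; wrapping it to the width used by the neighbouring upgrade functions keeps the file readable. The migration itself looks right: it only propagates an explicit opt-out, and leaving the new keys absent otherwise keeps logging enabled, which matches the `!isset` reads added to diag_logs_settings.php in the same commit.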
@@ -115,7 +118,13 @@ if ($_POST) {
 $config['syslog']['disablelocallogging'] = $_POST['disablelocallogging'] ? true : false;
 $config['syslog']['enable'] = $_POST['enable'] ? true : false;
 $oldnologdefaultblock = isset($config['syslog']['nologdefaultblock']);
+ $oldnologbogons = isset($config['syslog']['nologbogons']);
+ $oldnologprivatenets = isset($config['syslog']['nologprivatenets']);
+ $oldnologlighttpd = isset($config['syslog']['nologlighttpd']);
 $config['syslog']['nologdefaultblock'] = $_POST['logdefaultblock'] ? false : true;
+ $config['syslog']['nologbogons'] = $_POST['logbogons'] ? false : true;
+ $config['syslog']['nologprivatenets'] = $_POST['logprivatenets'] ? false : true;
+ $config['syslog']['nologlighttpd'] = $_POST['loglighttpd'] ? false : true;
 $config['syslog']['rawfilter'] = $_POST['rawfilter'] ? true : false;
 if (is_numeric($_POST['filterdescriptions']) && $_POST['filterdescriptions'] > 0)
 $config['syslog']['filterdescriptions'] = $_POST['filterdescriptions'];
@@ -131,12 +140,22 @@ if ($_POST) {
 $retval = 0;
 $retval = system_syslogd_start();
- if ($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock']))
+ if (($oldnologdefaultblock !== isset($config['syslog']['nologdefaultblock']))
+ || ($oldnologbogons !== isset($config['syslog']['nologbogons']))
+ || ($oldnologprivatenets !== isset($config['syslog']['nologprivatenets'])))
 $retval |= filter_configure();
- filter_pflog_start(true);
- $savemsg = get_std_save_message($retval);
+
+ if ($oldnologlighttpd !== isset($config['syslog']['nologlighttpd'])) {
+ ob_flush();
+ flush();
+ log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator."));
+ send_event("service restart webgui");
+ $savemsg .= "<br />" . gettext("WebGUI process is restarting.");
+ }
+
+ filter_pflog_start(true);
 }
 }
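Review bot: In the second hunk the only assignment to `$savemsg`, `$savemsg = get_std_save_message($retval);`, is removed while the new lighttpd branch still appends to it with `$savemsg .= ...`; unless `$savemsg` is set on a line outside this hunk, the standard save message (including the `$retval` from `system_syslogd_start()`/`filter_configure()`) is lost and the append works on an undefined variable. Re-add it directly after the `$retval |= filter_configure();` statement: `$savemsg = get_std_save_message($retval);`. A one-line comment above `ob_flush();`, e.g. `/* flush the response before the webgui restart so the user still sees this page */`, would explain the flush pair — assuming that is their purpose here. The enclosing `if ($_POST)` block begins outside the hunk.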
@@ -253,11 +272,23 @@ function check_everything() {
 </tr>
 <tr>
 <td valign="top" class="vtable">Log Firewall Default Blocks</td>
- <td class="vtable"> <input name="logdefaultblock" type="checkbox" id="logdefaultblock" value="yes" <?php if ($pconfig['logdefaultblock']) echo "checked"; ?>>
- <strong><?=gettext("Log packets blocked by the default rule");?></strong><br>
- <?=gettext("Hint: packets that are blocked by the " .
- "implicit default block rule will not be logged " .
- "if you uncheck this option. Per-rule logging options are still respected.");?></td>
+ <td class="vtable">
+ <input name="logdefaultblock" type="checkbox" id="logdefaultblock" value="yes" <?php if ($pconfig['logdefaultblock']) echo "checked"; ?>>
+ <strong><?=gettext("Log packets blocked by the default rule");?></strong><br/>
+ <?=gettext("Hint: packets that are blocked by the implicit default block rule will not be logged if you uncheck this option. Per-rule logging options are still respected.");?>
+ <br/>
+ <input name="logbogons" type="checkbox" id="logbogons" value="yes" <?php if ($pconfig['logbogons']) echo "checked"; ?>>
+ <strong><?=gettext("Log packets blocked by 'Block Bogon Networks' rules");?></strong><br/>
+ <br/>
+ <input name="logprivatenets" type="checkbox" id="logprivatenets" value="yes" <?php if ($pconfig['logprivatenets']) echo "checked"; ?>>
+ <strong><?=gettext("Log packets blocked by 'Block Private Networks' rules");?></strong><br/>
+ </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vtable">Web Server Log</td>
+ <td class="vtable"> <input name="loglighttpd" type="checkbox" id="loglighttpd" value="yes" <?php if ($pconfig['loglighttpd']) echo "checked"; ?>>
+ <strong><?=gettext("Log errors from the web server process.");?></strong><br>
+ <?=gettext("Hint: If this is checked, errors from the lighttpd web server process for the GUI or Captive Portal will appear in the main system log.");?></td>
 </tr>
 <tr>
 <td valign="top" class="vtable">Raw Logs</td>
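Review bot: The new row label `Web Server Log` is emitted as plain text while every other user-visible string added in this hunk goes through `gettext()`; use `<td valign="top" class="vtable"><?=gettext("Web Server Log");?></td>` so it is translatable like its neighbours. The hunk also mixes `<br>` in the loglighttpd block with `<br/>` in the rebuilt default-block cell; one form should be used throughout the new markup. The `checked` attributes are driven by the boolean `$pconfig` flags derived from `isset()` earlier in the same commit, so no output escaping is needed for those values.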