syslog: Listen to network and block access from anywhere but localhost

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-28 11:43:25 +02:00 · 2018-11-07 12:29:19 +00:00
parent 6104f2e816
commit 9f60aa9679
2 changed files with 13 additions and 1 deletions
--- a/config/firewall/firewall-policy
+++ b/config/firewall/firewall-policy
@@ -57,6 +57,18 @@ HAVE_OPENVPN="true"

 # INPUT

+# Drop syslog from anywhere but localhost
+# sysklogd cannot bind to specific interface and therefore we need to
+# block access by adding firewall rules
+case "${FWPOLICY}" in
+	REJECT)
+		iptables -A POLICYIN -p udp --dport 514 -j REJECT --reject-with icmp-host-unreachable
+		;;
+	*)
+		iptables -A POLICYIN -p udp --dport 514 -j DROP
+		;;
+esac
+
 # Allow access from GREEN
 if [ -n "${GREEN_DEV}" ]; then
 	iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT