fw3 Logging Rejected Packets

In the standard fw3 Configuration only REJECTED packets can be logged.

The rules documented here can also be added to fw3 using the /etc/firewall.user include file. See fw3_iptables_logging.

Before choosing to enable logging of REJECTED packets, please consider pros and cons:

  • DROPPED packets are discarded, i.e. “trashed” without further notice. DROPPING packets does not require too much computing power, nor network bandwidth. This is also more resistent to DoS attacks, as no answer is sent.
  • In comparison, REJECTED packets require more computing power, as an answer is sent to client. Logging REJECTED packets also consume computing power. Logging may also display continuous messages on the serial port if you connect via serial console (not via SSH). You also need another device to log packets, as logging packets on the same device is not recommended.

Here is an example of the WAN zone:

config zone
    option name 'wan'
    option log '1'
    option log_limit '10/second'

Logging REJECTED packets on the WAN zone or a zone that is applied to one or more external facing interface may cause an increase in latency due to it requiring additional system resources on your router. i.e. processing power.

In these settings, INPUT and FORWARDED packets are logged when REJECTED and written to system log with a limit of 5 messages per second. The log_limit maps directly to the netfilter limit match extension which states:

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging.

In Firewall → General settings:

  • Make sure that packets are not dropped, only rejected.
  • Case by case, select “reject” and not “drop”

In Firewall Zones:

  • → Advanced settings
  • Check [x] Enable logging on this zone
  • Fill in the Limit log messages value.

In order to understand the iptables rules generated by the above fw3 configuration, use the netfilter dumps in Netfilter Management.

Using fw3 -4

iptables -t filter -A zone_wan_src_REJECT -i eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2020/09/07 01:57
  • by jamesmacwhite