In the standard fw3 configuration, only REJECTED packets can be logged.
The rules documented here can also be added to fw3 using the
/etc/firewall.user include file. See fw3_iptables_logging.
Before enabling logging of REJECTED packets, consider the pros and cons:
Here is an example of the WAN zone:

```
config zone
	option name 'wan'
	...
	option log '1'
	option log_limit '10/second'
```
With these settings, INPUT and FORWARDED packets are logged when REJECTED and
written to the system log at a limit of 10 messages per second (the value of
`log_limit`). The `log_limit` option maps directly to the netfilter
limit match extension, whose documentation states:
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.
The same options are exposed in LuCI under Firewall → General settings and Firewall → Zones.
To see the iptables rules generated by the above fw3 configuration, use the netfilter dumps in Netfilter Management:

```
...
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
...
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
...
```
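As an added example (not from the OpenWrt wiki or fw3 itself), the following Python script parses the `logread` lines these LOG rules produce (prefix `REJECT wan in: ` / `REJECT wan out: `) into counts per zone, direction, protocol and destination port. The sample log lines are constructed, and because `log_limit` suppresses entries above the configured rate, the counts are a lower bound on what was actually rejected.

```python
import re
from collections import Counter

# Constructed sample logread output in the format the fw3 LOG rules emit
# (kernel LOG target fields); addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
Tue Jan  1 00:00:01 2024 kern.warn kernel: [  120.001] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jan  1 00:00:02 2024 kern.warn kernel: [  121.002] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.11 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=50001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Tue Jan  1 00:00:03 2024 kern.warn kernel: [  122.003] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.20 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12345 PROTO=UDP SPT=5353 DPT=53 LEN=40
Tue Jan  1 00:00:04 2024 kern.warn kernel: [  123.004] REJECT wan out: IN=br-lan OUT=eth1 MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=203.0.113.99 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Tue Jan  1 00:00:05 2024 daemon.info dnsmasq[1234]: started, version 2.89
"""

# Matches the fw3 log prefix "REJECT <zone> in|out: " followed by the LOG fields.
PREFIX_RE = re.compile(r"REJECT (?P<zone>\S+) (?P<dir>in|out): (?P<fields>.*)$")


def parse_line(line):
    """Return a dict of LOG fields for a REJECT line, or None for other lines."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"zone": m.group("zone"), "dir": m.group("dir"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)  # MAC= contains colons, so split once
            rec[key] = value
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return rec


def summarize(text):
    """Count rejected packets by (zone, direction, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["zone"], rec["dir"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  zone={key[0]} dir={key[1]} proto={key[2]} dport={key[3]}")
```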