fw3 Logging Rejected Packets

In the standard fw3 configuration only REJECTED packets can be logged; DROPPED packets are discarded silently and leave no trace in the log.

The rules documented here can also be added to fw3 through the /etc/firewall.user include file; see fw3_iptables_logging.

Before enabling logging of REJECTED packets, consider the pros and cons:

  • DROPPED packets are discarded, i.e. “trashed” without further notice. Dropping packets needs little computing power and no network bandwidth, and it is more resistant to DoS attacks because no answer is sent.
  • Conversely, REJECTED packets cost more computing power, because an answer (a TCP reset or an ICMP port-unreachable error) is sent back to the client. Logging REJECTED packets consumes additional computing power, and if you are connected via the serial console (not via SSH) the log messages will scroll continuously on it. It is also recommended to send the packet log to another device, as keeping it on the router itself is not recommended.

Here is an example for the WAN zone:

  config zone
  option name 'wan'
  ...
  option log '1'
  option log_limit '10/second'

With these settings, packets REJECTED on their way in from or out to the wan zone are written to the system log, rate-limited to 10 messages per second (the value of log_limit, not a separate default). The log_limit option maps directly to the netfilter limit match extension, whose manual page states:

 This module matches at a limited rate using a token bucket filter. A rule
 using this extension will match until this limit is reached. It can be used
 in combination with the LOG target to give limited logging, for example.
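To see what a given log_limit actually lets through, the following added example (not fw3 or kernel code) models the limit match as the token bucket the manual page describes. It assumes the documented --limit-burst default of 5, which fw3 does not override in the rules it generates, and keeps credit in integer microseconds in the spirit of the kernel's integer credit arithmetic rather than floats. The two scenarios at the bottom (a 100-packet flood in one second, and a 20-second slow scan) are constructed inputs.

```python
"""Token-bucket model of fw3's log_limit, i.e. iptables `-m limit`.

Added example, not fw3 or kernel code. Credit is tracked in integer
microseconds; a burst of 5 is the documented --limit-burst default.
"""

# Unit names accepted after the slash; iptables accepts any prefix of these
# (so "10/sec" and "10/second" mean the same) and defaults to per second.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_log_limit(spec):
    """'10/second' -> (10, 1); '5/minute' -> (5, 60); '10' -> (10, 1)."""
    count, sep, unit = spec.partition("/")
    if not count.isdigit() or int(count) < 1:
        raise ValueError(f"bad log_limit {spec!r}")
    if not sep:
        return int(count), 1
    for name, seconds in UNITS.items():
        if unit and name.startswith(unit.lower()):
            return int(count), seconds
    raise ValueError(f"unknown unit in log_limit {spec!r}")


class LimitMatch:
    """One `-m limit` instance; each generated LOG rule has its own bucket."""

    def __init__(self, spec, burst=5):
        n, period = parse_log_limit(spec)
        self.cost = period * 1_000_000 // n   # credit (us) one matched packet consumes
        self.cap = self.cost * burst          # credit available after a quiet period
        self.credit = self.cap                # bucket starts full
        self.last_us = 0

    def match(self, now_us):
        """True if a packet arriving at now_us (microseconds) is matched, i.e. logged."""
        self.credit = min(self.cap, self.credit + (now_us - self.last_us))
        self.last_us = now_us
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def logged_count(spec, arrivals_us, burst=5):
    """Number of packets at the given arrival times that the LOG rule would emit."""
    m = LimitMatch(spec, burst)
    return sum(m.match(t) for t in arrivals_us)


if __name__ == "__main__":
    # Constructed inputs: 100 rejected packets spread over one second, and
    # one probe per second for 20 seconds.
    flood = [i * 10_000 for i in range(100)]
    scan = [i * 1_000_000 for i in range(20)]
    print("flood logged:", logged_count("10/second", flood))   # 5 burst + 9 refills = 14
    print("slow scan logged:", logged_count("10/second", scan))  # all 20
```

The practical point: under a flood the log records only the burst plus the refill rate, so the number of log lines says nothing about the real packet rate, while a slow scan is logged in full. Each of the two LOG rules fw3 generates (in and out) carries its own `-m limit` and therefore its own bucket.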

Logging configuration in LuCI

In Firewall → General settings:

  • Set the policies to “reject” rather than “drop” wherever you want logging: dropped packets are never logged.
  • Decide case by case, choosing “reject” only where the logging is worth the extra cost described above.

In Firewall Zones:

  • Open → Advanced settings of the zone
  • Check [x] Enable logging on this zone
  • Fill in the Limit log messages value (this is the log_limit option).

fw3 generated iptables rules

To inspect the iptables rules generated by the above fw3 configuration, use the netfilter dumps described in Netfilter Management.

Using fw3 -4

...
iptables -t filter -A zone_wan_src_REJECT -i eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
...
iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
...
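The LOG rules above produce kernel log lines that logread shows with the prefixes "REJECT wan in: " and "REJECT wan out: ". As an added example (not code from this page or from fw3), the following Python parser reads such lines, keys on the "REJECT <zone> in|out: " prefix fw3 generates, and groups rejected destination ports per source address, which is the first thing to look at when deciding whether a remote host is probing. The sample lines are constructed in the logread/LOG format for the wan zone; they are not captured output.

```python
"""Parse fw3/netfilter LOG lines and summarise rejected traffic per source.

Added example, not fw3 code. SAMPLE_LOG is constructed in the format logread
shows for the LOG target (kern.warn is the LOG target's default level).
"""
import re
from collections import Counter, defaultdict

# fw3 generates "--log-prefix 'REJECT <zone> in: '" and "... out: '".
PREFIX_RE = re.compile(r"REJECT (?P<zone>\S+) (?P<direction>in|out): (?P<fields>.*)$")

SAMPLE_LOG = """\
Sun Sep 16 12:49:01 2018 kern.warn kernel: [ 4321.001122] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sun Sep 16 12:49:01 2018 kern.warn kernel: [ 4321.003300] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54322 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sun Sep 16 12:49:01 2018 kern.warn kernel: [ 4321.005500] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54323 DF PROTO=TCP SPT=44323 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Sun Sep 16 12:49:02 2018 kern.warn kernel: [ 4321.100000] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=UDP SPT=5353 DPT=53 LEN=40
Sun Sep 16 12:49:03 2018 kern.warn kernel: [ 4322.000000] REJECT wan out: IN=br-lan OUT=eth1 MAC=cc:dd:ee:ff:00:11:22:33:44:55:66:77:08:00 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Sun Sep 16 12:49:04 2018 authpriv.info dropbear[1234]: Password auth succeeded for 'root' from 192.168.1.23:51002
"""


def parse_log_line(line):
    """Return the netfilter fields of one log line as a dict, or None if the
    line carries no fw3 REJECT prefix (e.g. the dropbear line above)."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"zone": m.group("zone"), "direction": m.group("direction"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # SRC=203.0.113.7, DPT=23; "OUT=" gives ""
            rec[key] = val
        else:
            rec["flags"].add(tok)          # bare tokens such as DF, SYN, ACK
    return rec


def parse_log(lines):
    return [r for r in (parse_log_line(l) for l in lines) if r]


def ports_per_source(records, direction="in"):
    """SRC -> sorted list of (PROTO, DPT) the source was rejected on.
    Several distinct ports from one source within a short time is the
    classic port-scan signature."""
    ports = defaultdict(set)
    for r in records:
        if r["direction"] == direction and "DPT" in r:
            ports[r["SRC"]].add((r.get("PROTO"), int(r["DPT"])))
    return {src: sorted(p) for src, p in ports.items()}


def top_sources(records, n=5, direction="in"):
    """Most frequently rejected source addresses for the given direction."""
    return Counter(r["SRC"] for r in records if r["direction"] == direction).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print("top sources:", top_sources(recs))
    for src, ports in ports_per_source(recs).items():
        print(f"{src}: rejected on {ports}")
    print("rejected outbound:", ports_per_source(recs, direction="out"))
```

On a router the same code reads `logread -e REJECT` output (or the remote syslog file, which is where these lines should end up per the advice above). The "out" direction, from the zone_wan_dest_REJECT rule, is worth watching separately: a LAN host repeatedly rejected on its way out is a local problem, not an external one.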
docs/guide-user/firewall/fw3_configurations/fw3_traffic_logging.txt · Last modified: 2018/09/16 12:49 by bobafetthotmail