In the standard fw3 Configuration only REJECTED packets can be logged.
The rules documented here can also be added to fw3 using the
/etc/firewall.user include file. See fw3_iptables_logging.
Before choosing to enable logging of REJECTED packets, please consider the pros and cons:
Logging REJECTED packets on the WAN zone, or on any zone applied to one or more external-facing interfaces, may increase latency, because it requires additional system resources (processing power) on your router.
Here is an example of the WAN zone:
    config zone
        option name 'wan'
        ...
        option log '1'
        option log_limit '10/second'
In these settings, INPUT and FORWARDED packets are logged when REJECTED and written to the system log with a limit of 5 messages per second. The log_limit option maps directly to the netfilter limit match extension, whose documentation states:
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging.
In Firewall → General settings:
In Firewall Zones:
In order to understand the iptables rules generated by the above fw3 configuration, use the netfilter dumps in Netfilter Management.
    ...
    iptables -t filter -A zone_wan_src_REJECT -i eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
    ...
    iptables -t filter -A zone_wan_dest_REJECT -o eth1 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
    ...
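As an added example (not part of the OpenWrt wiki or of fw3 itself), the Python below parses logread lines produced by the LOG rules above (prefixes "REJECT wan in: " and "REJECT wan out: "), counts rejects per zone, direction and destination port and per source address, and models the limit match's token bucket to show how many packets of a burst actually reach the log. The sample log lines are constructed, and the token bucket is a simplified model of the netfilter limit match with its default burst of 5, so counts read from the log undercount the real number of rejected packets.

```python
import re
from collections import Counter

# Constructed logread output for the fw3 rules above (sample data, not real traffic).
# "REJECT wan in: " is the fw3 --log-prefix; IN=/SRC=/DPT= etc. are netfilter LOG fields.
SAMPLE_LOG = """\
Thu Jan  1 00:00:01 2015 kern.warn kernel: [  120.10] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Thu Jan  1 00:00:01 2015 kern.warn kernel: [  120.11] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Thu Jan  1 00:00:02 2015 kern.warn kernel: [  120.90] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Thu Jan  1 00:00:02 2015 kern.warn kernel: [  121.05] REJECT wan in: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=UDP SPT=5000 DPT=161
Thu Jan  1 00:00:03 2015 kern.warn kernel: [  122.00] REJECT wan out: IN=br-lan OUT=eth1 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=50000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Thu Jan  1 00:00:03 2015 daemon.notice netifd: wan (1234): udhcpc: sending renew
"""

PREFIX_RE = re.compile(r"REJECT (?P<zone>\w+) (?P<dir>in|out): (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")   # flag words such as DF and SYN carry no '=' and are skipped

def parse_reject(line):
    """Return {'zone', 'dir', 'IN', 'OUT', 'SRC', 'DPT', ...} for one fw3 REJECT line, else None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"zone": m.group("zone"), "dir": m.group("dir")}
    rec.update(KV_RE.findall(m.group("fields")))
    return rec

def summarise(log_text):
    """Count rejects per (zone, direction, PROTO, DPT) and per SRC address."""
    by_port, by_src = Counter(), Counter()
    for rec in filter(None, map(parse_reject, log_text.splitlines())):
        by_port[(rec["zone"], rec["dir"], rec.get("PROTO"), rec.get("DPT"))] += 1
        by_src[rec.get("SRC")] += 1
    return by_port, by_src

def limit_match(arrival_ms, rate_per_sec=10, burst=5):
    """Simplified token-bucket model of '-m limit --limit RATE/sec' (default --limit-burst 5):
    return the indices of the packets that reach the LOG target; the rest are silently skipped."""
    tokens, last, logged = burst * 1000, arrival_ms[0], []   # milli-tokens avoid float drift
    for i, t in enumerate(arrival_ms):
        tokens = min(burst * 1000, tokens + (t - last) * rate_per_sec)  # rate/sec == rate milli-tokens/ms
        last = t
        if tokens >= 1000:
            tokens -= 1000
            logged.append(i)
    return logged
```

With `--limit 10/sec`, a burst of 100 packets arriving 10 ms apart yields only 14 log lines (the 5-token burst plus one per 100 ms), which is why per-source counts from the log are a lower bound.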