Logging rejected packets

In the standard firewall configuration only REJECTED packets can be logged.

The rules documented here can also be added to fw4 using the includes.

Before choosing to enable logging of REJECTED packets, please consider pros and cons:

  • DROPPED packets are discarded, i.e. “trashed” without further notice. DROPPING packets does not require too much computing power, nor network bandwidth. This is also more resistent to DoS attacks, as no answer is sent.
  • In comparison, REJECTED packets require more computing power, as an answer is sent to client. Logging REJECTED packets also consume computing power. Logging may also display continuous messages on the serial port if you connect via serial console (not via SSH). You also need another device to log packets, as logging packets on the same device is not recommended.

Here is an example of the WAN zone:

config zone
    option name 'wan'
    ...
    option log '1'
    option log_limit '10/second'

Logging REJECTED packets on the WAN zone or a zone that is applied to one or more external facing interface may cause an increase in latency due to it requiring additional system resources on your router. i.e. processing power.

In these settings, INPUT and FORWARDED packets are logged when REJECTED and written to system log with a limit of 5 messages per second. The log_limit maps directly to the netfilter limit match extension which states:

This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging.

In Firewall → General settings:

  • Make sure that packets are not dropped, only rejected.
  • Case by case, select “reject” and not “drop”

In Firewall Zones:

  • → Advanced settings
  • Check [x] Enable logging on this zone
  • Fill in the Limit log messages value.

Use the nftables dump to understand the rules generated by the above firewall configuration.

fw4 print
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2022/10/27 20:43
  • by vgaetera