banIP support thread

You can't. NFT logging is done at the system level, which means it logs to the syslog.

The firewall log is actually parsed/filtered data from the syslog.

2 Likes

I got around this problem by installing syslog-ng and modifying /etc/syslog-ng.conf to filter banIP and firewall logging, which I enabled so I can still keep tabs on things in real time by watching the kernel log via serial console (alternatively via SSH by using cat /proc/kmsg instead of logread -f).

Here are a few excerpts from my /etc/syslog-ng.conf file:

# Exclusion filters: a message passes a filter when it does NOT contain the
# given string, so chaining them keeps the banIP and firewall noise out of
# the messages destination.
filter banip {
	not match("banIP")
};

filter firewall_lan_fwd {
	not match("reject lan forward")
};

filter firewall_lan2_fwd {
	not match("reject lan2 forward")
};

filter firewall_wan_drp {
	not match("drop wan invalid")
};

filter firewall_wan_in {
	not match("reject wan in")
};

filter firewall_wan_fwd {
	not match("reject wan forward")
};

# Every filter in a log path has to pass (they are ANDed). The collectd,
# openvpn_fail and openvpn_info filters are defined elsewhere in the file
# and are not part of these excerpts.
log {
	source(src);
	source(net);
	source(kernel);
	source(s_network);
	filter(banip);
	filter(collectd);
	filter(firewall_lan_fwd);
	filter(firewall_lan2_fwd);
	filter(firewall_wan_drp);
	filter(firewall_wan_in);
	filter(firewall_wan_fwd);
	filter(openvpn_fail);
	filter(openvpn_info);
	destination(messages);
};

Make sure to also install logrotate and set up a cron job, or else the log will just keep growing infinitely until it exhausts RAM. I do this daily at 1 am:

0 1 * * * /usr/sbin/logrotate /etc/logrotate.conf >/dev/null 2>&1

To demonstrate, here's what my logs now look like.

Syslog:

Kernel log:

Hope this somewhat helps.

3 Likes
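To see what those six exclusion filters actually do to a log stream before committing them to syslog-ng, here is an added shell example (my own, not the poster's configuration and not part of banIP) that applies the same fixed strings to a constructed logread-style sample, shows what would still reach destination(messages), and counts what each pattern swallows. The point of the per-pattern counts and the accounting check is to confirm that only banIP and fw4 firewall lines are dropped and that an unrelated line such as an SSH login still lands in the syslog. The sample lines and the function names are made up for this example; the patterns are the ones from the config above.

```shell
#!/bin/sh
# Constructed sample of a logread stream (made up for this example, not a
# real capture): banIP and fw4 firewall lines mixed with unrelated messages.
sample_log() {
cat <<'EOF'
Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP processing (reload, 1.5.3-r3)
Tue Mar 18 07:55:23 2025 kern.warn kernel: [1234.567890] reject wan in: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=22
Tue Mar 18 07:55:24 2025 kern.warn kernel: [1234.567891] drop wan invalid: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.2 PROTO=TCP
Tue Mar 18 07:55:25 2025 daemon.notice hostapd: wlan0: STA 00:11:22:33:44:55 IEEE 802.11: associated
Tue Mar 18 07:55:26 2025 kern.warn kernel: [1234.567892] reject lan forward: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=UDP DPT=53
Tue Mar 18 07:55:27 2025 authpriv.info dropbear[2001]: Password auth succeeded for 'root' from 192.168.1.10:51234
Tue Mar 18 07:55:28 2025 user.info banIP-1.5.3-r3[14599]: finish banIP processing
EOF
}

# The six exclusion patterns from the syslog-ng filters, as fixed strings.
# What matches none of them is what the config lets through to
# destination(messages).
filter_messages() {
    grep -v -F \
        -e 'banIP' \
        -e 'reject lan forward' \
        -e 'reject lan2 forward' \
        -e 'drop wan invalid' \
        -e 'reject wan in' \
        -e 'reject wan forward'
}

# Count dropped lines per pattern. Each line is attributed to the first
# pattern it matches so that the totals add up. Output: pattern<TAB>count.
count_noise() {
    awk '
        /banIP/               { c["banIP"]++;               next }
        /reject lan forward/  { c["reject lan forward"]++;  next }
        /reject lan2 forward/ { c["reject lan2 forward"]++; next }
        /drop wan invalid/    { c["drop wan invalid"]++;    next }
        /reject wan in/       { c["reject wan in"]++;       next }
        /reject wan forward/  { c["reject wan forward"]++;  next }
        END { for (p in c) printf "%s\t%d\n", p, c[p] }' | sort
}

total_count()   { sample_log | wc -l | tr -d ' '; }
kept_count()    { sample_log | filter_messages | wc -l | tr -d ' '; }
dropped_count() { sample_log | count_noise | awk -F'\t' '{ s += $2 } END { print s + 0 }'; }

# Dropped-line count for one pattern, 0 if it never matched.
noise_count_for() {
    sample_log | count_noise \
        | awk -F'\t' -v p="$1" '$1 == p { print $2; found = 1 } END { if (!found) print 0 }'
}

# Accounting check: every input line must be either kept or attributed to
# exactly one pattern. Prints "ok" when kept + dropped == total.
check_accounting() {
    if [ "$(( $(kept_count) + $(dropped_count) ))" -eq "$(total_count)" ]; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone run: show what reaches the syslog and what was filtered out.
echo "== kept (destination messages) =="
sample_log | filter_messages
echo "== dropped per pattern =="
sample_log | count_noise
echo "accounting: $(check_accounting)"
```

Feeding a real capture instead of the sample (replace sample_log with `logread`) gives the same kind of before/after count, which is a quick way to check, after editing the filters, that the only thing you silenced is the firewall and banIP chatter.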

These questions are probably better suited to a syslog-ng specific thread, rather than a banIP thread. You might want to visit this link for more detail: https://syslog-ng.github.io

Suggestion: add https://github.com/EnergizedProtection/block
Remove https://github.com/AdroitAdorKhan/antipopads-re

Not sure that I should report it here, but the myip list no longer works because of a certificate problem. The certificate was issued on the 17th of March and a browser (FF 136.0.1) can download it, but wget (both from OpenWrt and the 'real' one from Debian 12) fails because of a certificate problem.

Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP processing (reload, 1.5.3-r3)
Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP download processes
Tue Mar 18 07:55:29 2025 user.info banIP-1.5.3-r3[14599]: download for feed 'myip.v4' failed, rc: 4
Tue Mar 18 07:55:29 2025 user.info banIP-1.5.3-r3[14599]: download for feed 'myip.v6' failed, rc: 4
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: start banIP domain lookup
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: finish banIP processing
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: start detached banIP log service (/sbin/logread)
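Note in the excerpt that banIP reports the two failed downloads at info level and then finishes the run normally, so once the syslog is filtered or rotated a feed that quietly stopped loading is easy to miss. The following shell snippet is an added example (mine, not banIP's own code) that pulls the feed name and return code out of banIP log lines in the format shown above and classifies the run as ok, degraded (finished, but at least one feed did not download) or failed (never reached "finish banIP processing"). The sample is the log excerpt from the post; the function names are made up for this example.

```shell
#!/bin/sh
# Sample input: the banIP log excerpt from the post above (a reload in which
# both myip feeds failed with rc 4 while the run itself still finished).
banip_log() {
cat <<'EOF'
Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP processing (reload, 1.5.3-r3)
Tue Mar 18 07:55:22 2025 user.info banIP-1.5.3-r3[14599]: start banIP download processes
Tue Mar 18 07:55:29 2025 user.info banIP-1.5.3-r3[14599]: download for feed 'myip.v4' failed, rc: 4
Tue Mar 18 07:55:29 2025 user.info banIP-1.5.3-r3[14599]: download for feed 'myip.v6' failed, rc: 4
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: start banIP domain lookup
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: finish banIP processing
Tue Mar 18 07:55:35 2025 user.info banIP-1.5.3-r3[14599]: start detached banIP log service (/sbin/logread)
EOF
}

TAB=$(printf '\t')

# Print "feed<TAB>rc" for every "download for feed '...' failed, rc: N" line
# read on stdin; every other line is ignored.
failed_feeds() {
    sed -n "s/.*download for feed '\([^']*\)' failed, rc: \([0-9][0-9]*\).*/\1${TAB}\2/p"
}

failed_feed_count() { banip_log | failed_feeds | wc -l | tr -d ' '; }

# Return code banIP reported for one feed, or "none" if that feed did not fail.
rc_for_feed() {
    banip_log | failed_feeds \
        | awk -F'\t' -v f="$1" '$1 == f { print $2; found = 1 } END { if (!found) print "none" }'
}

# Verdict for the whole run:
#   failed   - the run never logged "finish banIP processing"
#   degraded - the run finished, but at least one feed did not download
#   ok       - finished and every download succeeded
run_status() {
    finished=$(banip_log | grep -c 'finish banIP processing' || true)
    failures=$(failed_feed_count)
    if [ "$finished" -eq 0 ]; then
        echo failed
    elif [ "$failures" -gt 0 ]; then
        echo degraded
    else
        echo ok
    fi
}

# Stand-alone run: list the failed feeds and the overall verdict.
echo "failed feeds (feed, rc):"
banip_log | failed_feeds
echo "run status: $(run_status)"
```

On the router itself the same functions can be pointed at `logread -e banIP` from a cron job so that a non-ok status is reported somewhere you will see it. That matters doubly if you work around a broken feed certificate with the "Download insecure" toggle mentioned later in the thread: certificate verification for the fetch is then switched off, so the log is the only place a feed problem will still show up.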

Hi:
What is the difference between selecting the same feed in 'Feed/Set Settings' and 'Feed Selection'?

If I select some feed in 'Inbound Feed',
it says 'Override the default feed configuration and apply the feed to the inbound chain only.'

So the feeds selected under 'Feed Selection' will be applied to inbound and outbound?

But there is an 'Inbound & Outbound Feed' config, so I'm a little confused.

Under the Feed Selection tab you enable/disable feeds with their default chain configuration (see the feed table in the readme for all defaults). If you want to change the defaults for a certain feed, then enter the Feed/Set Settings tab.

Please report it upstream to the site admin; as a workaround you can enable "Download insecure".