Exclude a rule from logging

Hello everyone,

I'm trying to figure out how to exclude a rule from logging. I activated logging for one of my internal zones, creating a dropping rule for a noisy broadcast device which shouts every 2 seconds...

I thought dropped packets were not logged, but they are... I tried to add the line "option log '0'" to the rule in /etc/config/firewall, but it didn't change anything.

Any ideas, please?

The log prefix names the rule that emitted the line: show the log line, the output of ubus call system board, and the content of /etc/config/firewall, hiding IP and MAC numbers.

This is pretty simple: the log lines aren't connected to your rule and are something else, then.

What do the log lines look like?

The zone verdict logging doesn’t care about rule logging flags.

Maybe you need to insert the rule as a custom rule (outside of fw4 config) that does what you want without reaching the zone verdict chain. No idea what your rule does, though. More info needed.


Thank you for your replies. IPs have been changed to another private subnet.

Here is the drop rule in the log

[177189.350797] drop myZone in: IN=phy0-ap1 OUT= MAC=xxxx SRC=192.168.2.10 DST=192.168.2.255 LEN=75 TOS=0x00 PREC=0x00 TTL=255 ID=9092 PROTO=UDP SPT=64008 DPT=59387 LEN=55

The rule in /etc/config/firewall

config rule
        option name 'xxxx'
        list proto 'udp'
        option src 'myZone'
        list src_ip '192.168.2.10'
        option src_port '64008'
        list dest_ip '192.168.2.255'
        option dest_port '59387'
        option target 'DROP'
        option log '0'

Applying this rule makes the packets get dropped instead of rejected, so I think it's matched properly.

root@OpenWrt:/var/log# ubus call system board
{
        "kernel": "6.6.59",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "Bananapi BPI-R4",
        "board_name": "bananapi,bpi-r4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "description": "OpenWrt SNAPSHOT",
                "revision": "r28019-685e979d47",
                "target": "mediatek/filogic",
                "builddate": "1730834581"
        }
}

My purpose is to keep the logs clean of spamming packets so I can easily find problematic filtering.

How can I add the rule as a custom rule?
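A quick way to separate the noisy repeaters from the one-off verdicts worth looking at, as an added example (not from the thread or the OpenWrt project): it summarises fw4 zone-verdict log lines of the form shown above by prefix, source, destination, protocol and destination port. The sample lines are constructed to match the posted format (MAC addresses replaced with xx); on the router you would pipe logread or dmesg output into the function instead.

```sh
#!/bin/sh
# Added example: count fw4 zone-verdict log lines per (prefix, SRC, DST, PROTO, DPT)
# so the device that shouts every 2 seconds stands out from the rest.
set -e

# Constructed sample in the format fw4 emits ("<verdict> <zone> <chain>: IN=...").
SAMPLE_LOG='[177189.350797] drop dom in: IN=phy0-ap1 OUT= MAC=xx SRC=192.168.2.10 DST=192.168.2.255 LEN=75 TOS=0x00 PREC=0x00 TTL=255 ID=9092 PROTO=UDP SPT=64008 DPT=59387 LEN=55
[177191.350812] drop dom in: IN=phy0-ap1 OUT= MAC=xx SRC=192.168.2.10 DST=192.168.2.255 LEN=75 TOS=0x00 PREC=0x00 TTL=255 ID=9093 PROTO=UDP SPT=64008 DPT=59387 LEN=55
[177193.350901] drop dom in: IN=phy0-ap1 OUT= MAC=xx SRC=192.168.2.10 DST=192.168.2.255 LEN=75 TOS=0x00 PREC=0x00 TTL=255 ID=9094 PROTO=UDP SPT=64008 DPT=59387 LEN=55
[177194.102233] reject dom forward: IN=phy0-ap1 OUT=eth1 MAC=xx SRC=192.168.2.14 DST=192.168.3.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=41022 DPT=8123 WINDOW=64240 RES=0x00 SYN URGP=0'

# Read log lines on stdin, print "count<TAB>prefix<TAB>SRC<TAB>DST<TAB>PROTO<TAB>DPT",
# most frequent first.  The prefix is the text between the "] " timestamp close
# and " IN="; the rest are the standard netfilter KEY=VALUE tokens.
fw_log_summary() {
    awk '
    {
        prefix = "?"; src = "?"; dst = "?"; proto = "?"; dpt = "-"
        if (match($0, /] [^[]* IN=/))
            prefix = substr($0, RSTART + 2, RLENGTH - 6)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # bare flags such as DF or SYN
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        count[prefix "\t" src "\t" dst "\t" proto "\t" dpt]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# Stand-alone run on the constructed sample; on the router use e.g.
#   logread | grep ' dom ' | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

The top line of the output is the broadcast device (3 hits), which is exactly the traffic a silent drop rule should take out of the log before the zone verdict is reached; the single reject to 192.168.3.200:8123 is the kind of entry the logging is meant to surface.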

Where did you enable log? It is absolutely disabled here.

Log is enabled on the zone. I want this specific rule NOT TO log, hence the option log '0'

Wonderful. Mind sharing the whole file?

Here it is

myZone in my previous post = dom


config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src '*'
	option proto 'icmp'
	option family 'ipv4'
	option target 'ACCEPT'
	list icmp_type 'echo-request'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '1'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guest - DHCP DNS'
	option src 'guest'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config zone
	option name 'dom'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'domo'
	option log '1'

config forwarding
	option src 'dom'
	option dest 'wan'

config rule
	option name 'domo - DHCP DNS NTP'
	option src 'dom'
	option dest_port '53 67 68 123'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'dom'

config zone
	option name 'mgt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'mgt'

config forwarding
	option src 'mgt'
	option dest 'wan'

config zone
	option name 'krm'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'krm'
	option log '1'

config forwarding
	option src 'krm'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'krm'

config forwarding
	option src 'lan'
	option dest 'mgt'

config rule
	option name 'krm - DHCP DNS NTP'
	option src 'krm'
	option dest_port '53 67 68 123'
	option target 'ACCEPT'

config nat
	option name 'xxx'
	list proto 'udp'
	option src 'krm'
	option src_port 'xxx'
	option dest_ip '192.168.3.2'
	option dest_port 'xxx'
	option target 'ACCEPT'
	option device 'br-krm'
	option enabled '0'

config nat
	option name 'xxx'
	list proto 'tcp'
	option src 'krm'
	option src_port 'xxx'
	option dest_ip '192.168.3.2'
	option dest_port 'xxx'
	option target 'MASQUERADE'
	option device 'br-krm'
	option enabled '0'

config rule
	option name 'krm - xxx'
	list proto 'tcp'
	option src 'wan'
	option src_port 'xxx'
	option dest 'krm'
	list dest_ip '192.168.3.2'
	option dest_port 'xxx'
	option target 'ACCEPT'

config redirect
	option dest 'krm'
	option target 'DNAT'
	option name 'xxxx'
	list proto 'tcp'
	option src 'wan'
	option src_dport 'xxx'
	option dest_ip '192.168.3.2'
	option dest_port 'xxx'

config redirect
	option dest 'krm'
	option target 'DNAT'
	option name 'xxx'
	list proto 'udp'
	option src 'wan'
	option src_dport 'xxx'
	option dest_ip '192.168.3.3'
	option dest_port 'xxx'

config zone
	option name 'cam'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'cam'

config forwarding
	option src 'cam'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'cam'

config rule
	option name 'cam - DHCP DNS NTP'
	option src 'cam'
	option dest_port '53 67 68 123'
	option target 'ACCEPT'

config rule
	option name 'cam - FTP'
	list proto 'tcp'
	option src 'cam'
	list dest_ip '192.168.3.100'
	option dest_port '21'
	option target 'ACCEPT'
	option dest 'krm'

config rule
	option name 'domo - 1'
	list proto 'tcp'
	option src 'dom'
	list src_ip '192.168.2.10'
	option dest 'krm'
	list dest_ip '192.168.3.200'
	option dest_port '8123'
	option target 'ACCEPT'

config rule
	option name 'domo - 2'
	list proto 'udp'
	option src 'dom'
	list src_ip '192.168.2.10'
	option src_port '64008'
	list dest_ip '192.168.2.255'
	option dest_port '59387'
	option target 'DROP'
	option log '0'

config rule
	option name 'domo - 3'
	list proto 'udp'
	option src 'krm'
	list src_ip '192.168.3.200'
	option dest 'lan'
	list dest_ip '192.168.99.10'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'domo - 4'
	list proto 'tcp'
	option src 'krm'
	list src_ip '192.168.3.200'
	option dest 'dom'
	list dest_ip '192.168.2.14'
	option dest_port '5222 8088'
	option target 'ACCEPT'

https://openwrt.org/docs/guide-user/firewall/firewall_configuration#zones

Remove the log parameter for the zone; it logs all fallthrough, as documented.


Logging is 0/off by default, so setting a rule's logging to off when it is already off doesn't result in anything.
In practical terms you can only turn logging on, and you can do it zone-wide or per rule.

Maybe turn logging off for the zone,
then add a rule to log everything on the zone, and make sure you place it after your no-log rule.

Thank you for your suggestion. It works by adding, at the end of the firewall, a drop from my zone to any zone and adding the log option in /etc/config/firewall! (It would be nice to have this option in LuCI.)

This configuration has the inconvenience of bypassing the zone forwarding configuration, so I needed to add, before the drop rule, an accept rule for the forwarding previously configured for the zone. That's a shame, because I liked the possibility of configuring these forwardings on that screen; it was quite practical.
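The layout the last two replies settle on, written out as a uci batch so the ordering is explicit. This is an added example, not code from the thread or from the OpenWrt project; it assumes the zone is named 'dom', that its only forwarding is dom to wan (as in the posted file), and the device addresses from the posted log line. It also relies on how fw4 places rules: a rule with only 'src' lands in the zone's input chain, a rule with 'dest' in its forward chain, 'dest' set to '*' means any zone, and both chains are evaluated in config order before the zone's own forwarding and default verdict, which is why the catch-all shadows the 'config forwarding' section and needs an explicit ACCEPT in front of it.

```sh
#!/bin/sh
# Added example (not from the thread or OpenWrt): zone verdict logging off, silent
# drop for the noisy device first, explicit accept for the zone's forwarding, then
# catch-all drops with log='1' for the forward and input chains, as a uci batch.
set -e

# Print the UCI section id (e.g. @zone[3]) of the zone named $1, given the output
# of "uci show firewall" on stdin; the zone 'log' option lives on that section.
zone_section() {
    sed -n "s/^firewall\.\(@zone\[[0-9]*]\)\.name='$1'\$/\1/p"
}

# Emit the batch.  "add firewall rule" appends, so the new rules come after the
# zone's existing allow rules and are evaluated in the order written here.
# Assumed values: noisy device 192.168.2.10:64008 -> 192.168.2.255:59387/udp,
# forwarding dom -> wan.
fw4_log_batch() {
    zone=$1; section=$2
    cat <<EOF
set firewall.${section}.log='0'
add firewall rule
set firewall.@rule[-1].name='${zone} - noisy broadcast (no log)'
add_list firewall.@rule[-1].proto='udp'
set firewall.@rule[-1].src='${zone}'
add_list firewall.@rule[-1].src_ip='192.168.2.10'
set firewall.@rule[-1].src_port='64008'
add_list firewall.@rule[-1].dest_ip='192.168.2.255'
set firewall.@rule[-1].dest_port='59387'
set firewall.@rule[-1].target='DROP'
add firewall rule
set firewall.@rule[-1].name='${zone} - allow forward to wan'
set firewall.@rule[-1].src='${zone}'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].target='ACCEPT'
add firewall rule
set firewall.@rule[-1].name='${zone} - log and drop forward'
set firewall.@rule[-1].src='${zone}'
set firewall.@rule[-1].dest='*'
set firewall.@rule[-1].target='DROP'
set firewall.@rule[-1].log='1'
add firewall rule
set firewall.@rule[-1].name='${zone} - log and drop input'
set firewall.@rule[-1].src='${zone}'
set firewall.@rule[-1].target='DROP'
set firewall.@rule[-1].log='1'
EOF
}

# Stand-alone run with a constructed "uci show firewall" excerpt.  On the router:
#   fw4_log_batch dom "$(uci show firewall | zone_section dom)" | uci batch
#   uci commit firewall && /etc/init.d/firewall reload
demo_section=$(printf "firewall.@zone[3]=zone\nfirewall.@zone[3].name='dom'\n" | zone_section dom)
fw4_log_batch dom "$demo_section"
```

Two things to keep in mind when adapting it: the ACCEPT rule has to be repeated for every forwarding the zone had (here only dom to wan), and the input catch-all can use REJECT instead of DROP if you want to keep the zone's original input verdict for clients while still getting the log line.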
