Hi all,
I have set up a couple of extra firewall zones on OpenWrt 19.07.8, and I enabled logging for them since I'd like to have a hint in case something odd is going on. The default reject-only logging behaviour is ok for me, but if I try and trigger a rejected connection I don't get any log (but the firewall does work and no connection is going through)...
Here is my dmz zone as an example:
There is one quality guaranteed option to test this logging function.
Turn it on for WAN. If nothing showed up then you are either behind an ISP firewall or something is wrong with the function.
Yes, but then we have the question if one ping wakes the log function. (Like from The Hunt for Red October! “One ping and one ping only”, sorry it’s Friday afternoon now)
And I am not quite sure what the 10/minute filter actually is supposed to do. Do you have to do 11 pings in one minute to get an output to the log?
Or does it write 10 lines every minute?
When I have seen the WAN log there is no logic in that filter?
I had tested access to LuCI too, so it didn't work with TCP either (the logging, the firewall is fine)... also the docs only talk about rejected packets regardless of their type.
Should be the latter... In iptables-extensions(8):
limit
This module matches at a limited rate using a token bucket filter. A rule using this extension will match until this limit is reached. It can be used in combination with the LOG target to give limited logging, for example.
But I'm also starting to suspect something else... since I'm running it inside a container, may this setup impact the ability to log? Therefore I also checked the kernel logs on the host but there aren't any such messages logged... but for sure I see the log modules loaded fwiw:
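The 10/minute question above (11 pings in a minute, or 10 lines a minute?) can be worked through with a small model of the limit match quoted from iptables-extensions(8). This is an added example, not code from the thread or from OpenWrt; it assumes the zone's `log_limit` default of 10/minute and the limit module's default burst of 5, and simplifies the module's credit arithmetic to a plain token bucket.

```python
from fractions import Fraction
from typing import List, Sequence

# Added example (not from the thread): simplified token-bucket model of
# iptables "-m limit --limit N/minute --limit-burst B", which is what an
# OpenWrt zone's log_limit turns into. Fraction keeps the refill exact so
# the simulation is deterministic (no float drift around whole tokens).


class LimitMatch:
    """Bucket starts with `burst` tokens and refills at `rate_per_minute`."""

    def __init__(self, rate_per_minute: int = 10, burst: int = 5) -> None:
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)                # full at rule load
        self.refill_per_sec = Fraction(rate_per_minute, 60)
        self.last = Fraction(0)

    def match(self, now: float) -> bool:
        """True if a packet arriving at `now` (seconds) matches, i.e. gets a LOG line."""
        now = Fraction(now)
        elapsed = now - self.last
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False        # over the limit: still rejected, just not logged


def logged_packets(arrivals: Sequence[float], rate_per_minute: int = 10,
                   burst: int = 5) -> List[float]:
    """Ascending arrival times of rejected packets -> those that would be logged."""
    lm = LimitMatch(rate_per_minute, burst)
    return [t for t in arrivals if lm.match(t)]


if __name__ == "__main__":
    # Constructed input: one ping per second for a full minute against 10/minute.
    flood = [float(s) for s in range(60)]
    print(logged_packets(flood))        # 5 logged back-to-back (burst), then one every 6 s
    # Constructed input: isolated pings hours apart are always logged (bucket is full).
    print(logged_packets([0.0, 3600.0]))
```

So a single ping is logged as long as the bucket has refilled, and a steady flood settles to one log line every 6 seconds rather than 10 lines dumped each minute.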
Ok makes sense... I believe it must be related to the current setup. As I said in the first post the firewall is doing its job in rejecting the traffic which would otherwise pass through... I'll try to investigate and report back if I find something.
Now I don't know if this is the right zone to take into consideration but I can even see the live packets counter incrementing in LuCI as I keep pinging and getting rejected...
@vgaetera, I bet you are curious now, so... my doubts were right:
I will try to experiment with those workarounds (namely that echo 1 > /proc/sys/net/netfilter/nf_log_all_netns if possible to avoid fiddling with that ulog and change the rules by hand), but at least we have understood the root cause (which is not OpenWrt).
Sorry in case I wasted your time guys, I will edit the thread title to make this info more available for searches.
edit: yes this is working now with sysctl net.netfilter.nf_log_all_netns=1 on the host. Beware that this is now bypassing the default kernel behaviour meant to protect against log spam from network namespaces.