I generally want to log drops and rejects in a zone, so that I can audit the need for potential new rules.
But there can also be a lot of noise in a zone, specifically broadcast traffic that really does not need or want logging.
Is there any way to enable logging for a zone to have this audit but then to disable it in rules defined to simply not log all of the noisy broadcast traffic?
Referring to Logging single firewall rule - #11 by Barney, I tried to add an `option log '0'` to such rules:

```
config rule
	option name 'Dont-LOG-Misc-Broadcast'
	option target 'DROP'
	option src 'lan'
	option family 'ipv4'
	option log '0'
	list proto 'all'
	list dest_ip '10.75.22.255'

config rule
	option name 'Dont-LOG-Misc-Broadcast-2'
	option target 'DROP'
	option src 'lan'
	option family 'ipv4'
	option log '0'
	list proto 'all'
	list dest_ip '255.255.255.255'
```
(yes, I know those rules could be combined, but I separated them for debugging purposes) but that doesn't seem to work. I guess per-rule logging can only be enabled, but not disabled?
Is there any way to leverage `option log '1'` to log only drops/rejects for a zone as a last-chance rule, and simply disable the zone-specific "Enable logging on this zone", so that I have more control over what gets logged and what I can suppress from logging?
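The layout the question sketches, written out as an added example (not from the post above and not tested on the poster's router): zone-wide logging off, the noisy broadcast drops placed first with no `option log`, explicit accepts for the router services the LAN needs, and a final catch-all that logs and drops whatever is left. OpenWrt evaluates rules in the order they appear in `/etc/config/firewall`, so the order matters; the zone name `lan`, the broadcast addresses and the allowed ports are assumptions.

```uci
# Zone-level drop/reject logging disabled: only rules that set
# "option log '1'" below will produce log lines.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option log '0'

# Noisy broadcast traffic to the router: dropped silently because
# this rule has no "option log" at all (assumed addresses).
config rule
	option name 'Drop-Broadcast-Unlogged'
	option src 'lan'
	option family 'ipv4'
	option proto 'all'
	list dest_ip '255.255.255.255'
	list dest_ip '10.75.22.255'
	option target 'DROP'

# Router services the LAN is allowed to reach (assumed ports);
# these must come before the catch-all or they would be dropped.
config rule
	option name 'Allow-LAN-Admin'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'

config rule
	option name 'Allow-LAN-DNS-DHCP'
	option src 'lan'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Last-chance rule for traffic addressed to the router: everything
# that reaches it is logged, then dropped. Because the zone no longer
# logs on its own, this is the only audit trail for input drops.
config rule
	option name 'Log-and-Drop-Rest'
	option src 'lan'
	option proto 'all'
	option log '1'
	option target 'DROP'
```

The catch-all effectively replaces the zone's input policy for `lan`, so any service not accepted by an earlier rule (including ones added later) will be dropped and logged rather than silently allowed.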