Your example is very useful, but it is intended for a rather special case: incoming traffic from anywhere on the WAN to my WAN TCP:22.
Moreover (if I understood you right), it involves an 'accept and log' action, while I'm not interested in allowing (ACCEPT) any additional specific connections, but only in logging already accepted connections regardless of their origin.
On the original Asus firmware all records - ACCEPTED, REJECTED and others - were logged by default and successfully sent to the syslog server. And I hoped that there is a simple hidden option in OpenWRT to turn on logging of ACCEPTED records.
Unfortunately, my experience is limited to LuCI use only. And I can't clearly understand how to adapt your example to my needs =(
Yes-s, boss-s! Exactly!
This is the goal for which I'm here and which I described in my first message: "What should I do to turn on logging ACCEPTED records too?"
=))
I.e. "What should I do" to change the firewall's behavior from "Accept" to "Accept and Log"
Hmm... mission impossible.. =(
.. for the following reasons:
The first RT-N14U with original Asus firmware is far away from me now.
The second RT-N14U I got as is, with OpenWRT already flashed to it.
And the main one. Sources... My skills go no deeper than using the web GUI.
OK. About The Firewall:
Firewall - Zone Settings - General Settings
There are no log-related options
Firewall - Zone Settings - Zone "lan" - General Settings
Input, Output, Forward - ACCEPT
Advanced Settings
Enable logging on this zone - Turned On (checked)
Limit log messages - Not filled (def. 10/minute)
It seems this is just enough to get log records for ACCEPTED connections from any host on the LAN, yeah?
No, that's not what I meant. I think you just want to skip the work needed - as @dl12345 suggested.
I mean the code in your router has to be changed. It's currently Accept/Reject/Drop...you have to add Accept-Log as I see no such thing; and you're the first person I've met that wants to log accepted packets in this manner (I use Netflow to record traffic).
I hope this clears things up.
You may want to open a thread in the For Developers section if you're making a Feature Request.
I know, was kinda the point. I was hoping you were making the request easier for the "would be" developers.
I'm not sure why you think this is a better idea than using what is already available in openwrt. The question is what do you gain from the added complexity of installing something that can actually export netflow on an openwrt device. That said, I have been able to use ulogd for the purpose, but that again is additional software. I'm also trying to find an easy and non-invasive way to add logging for all lan2wan packets but so far have not achieved the goal. So if someone wants to share a working config for that it would be very much appreciated. I will keep digging though...
I have to maintain the records; and the software doesn't log accepts. Further, the storage in OpenWrt is not persistent. Next, I monitor 3 border interfaces including WAN. In addition, for example, it would also be impossible to log a packet matching a RAW DROP rule.
What are you seeking a working config of (I'm guessing you didn't read the thread completely)?
EDIT: I also need to record REJECT/DROPped/RAW-DROP traffic at those borders.
Well then your use case doesn't work with the straight forward easy solution of using iptables - no need to propagate to others that netflow is the solution.
Yes I did and it ends with an open valid question. It is also not so clear from the documentation that the log option only works for REJECTS (at least to me).
You can easily forward syslog to any host, which is what I actually do. So then I receive the logs with the filebeat syslog input and then use the iptables module and get beautiful options out of the box.. so yes, I guess you are kind of missing the point.
Correct, that's more software too. From your wording, I thought you sought a solution without a second device involved, my mistake.
A log server versus a collector/display server (like nfSen) - same difference to me; but I understand your point. For just as much setup, you have more fine-grained Layer 3 data for IPv4 and IPv6 with netflow.
I'm not sure you do. My point was more software on the openwrt device. Syslog forwarding and iptables are in the base installation, well tested and pretty solid. Netflow is a whole different story..
I will have a look at the implementation logic if none of the gurus say there is a strong reason for not logging the accepted packets. Of course something like that would fill the logs fast locally, but then this could be the same for reject..
There is no easy way, but if you really want it you can make a firewall script to add some lines:
for xxx in every zone you have:
    iptables -I zone_xxx_[src|dest]_[ACCEPT|REJECT] -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "[ACCEPT|REJECT] xxx [in|out]: "
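The rule pattern above, spelled out as a small firewall script that emits the LOG rules for every zone. This is an added example, not code from the thread or from the OpenWrt project; it assumes the fw3 chain naming zone_<zone>_<src|dest>_<ACCEPT|REJECT> used in the post, a constructed zone list of "lan" and "wan", and the "!fw3" comment so fw3 leaves the rules alone on reload.

```shell
#!/bin/sh
# Added example (not from the original thread): generate rate-limited
# iptables LOG rules for the ACCEPT and REJECT chains of each fw3 zone.
# Assumptions (constructed): zones "lan" and "wan"; chains named
# zone_<zone>_<src|dest>_<ACCEPT|REJECT>; 10 log lines per second max.
ZONES="lan wan"
RATE="10/sec"

# Print the four iptables commands that insert a LOG rule at the top of one
# zone's src/dest ACCEPT and REJECT chains. Nothing is executed here.
log_rules_for_zone() {
    zone="$1"
    for dir in src dest; do
        # src chains see packets coming in from the zone, dest chains packets going out to it
        if [ "$dir" = src ]; then io=in; else io=out; fi
        for verdict in ACCEPT REJECT; do
            printf "iptables -I zone_%s_%s_%s -m limit --limit %s -m comment --comment '!fw3' -j LOG --log-prefix '%s %s %s: '\n" \
                "$zone" "$dir" "$verdict" "$RATE" "$verdict" "$zone" "$io"
        done
    done
}

# Print the commands for every zone in ZONES.
generate_all() {
    for z in $ZONES; do
        log_rules_for_zone "$z"
    done
}

# Number of rules that would be inserted; a sanity check before applying.
rule_count() {
    generate_all | wc -l | tr -d ' '
}

# On the router, apply with:  generate_all | sh
# (for example from /etc/firewall.user, so the rules return after a firewall reload)
```

Each logged line carries the prefix "ACCEPT lan in: " style tag, so a remote syslog collector can split accepted from rejected traffic per zone and direction.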
I was going to edit a post I made to @mdiehm - I missed the most important reason which is relevant to a normal use case (although I don't see how multiple borders, i.e. VPN, IPv6, doesn't equal 3). My desire to record is a simple personal use case...just like one recording the security camera footage at their home's entrance.
Mainly: I can't record traffic based on RAW ACCEPT rules with iptables!
The raw table is mainly only used for one thing, and that is to set a mark on packets that they should not be handled by the connection tracking system. This is done by using the NOTRACK target on the packet. If a connection is hit with the NOTRACK target, then conntrack will simply not track the connection.