Logging dropped/rejected packets to Syslog using UCI?

Dear friends,

Is there an easy way to log dropped/rejected packets to syslog. I would like to set-up a central syslog server.

I looked for iptables logging within UCI, but apparently, it is not supported. I found some resources:

Using Debian, I used to log every incoming / outgoing or simply dropped packets in iptables.

is there an easy way to do it in LEDE?

Kind regards,
French Fries

All the iptables functionality is available in LEDE, although some of it may
require loading modules or recompiling.

It may not show up in the GUI, but you can put in the same iptables commands
that you use on your Debian system.

iptables is versatile and fully supported in LEDE.

In LuCI, any iptables argument can be customized in the field "extra argument".
However, what happens to dropped or rejected packets cannot be customized.
There is no default line (on bottom) explaining what happens to a dropped packet.

In France, there is now official guidance as regards firewalls and I don't think LEDE complies.
In official guidance, it is explained that each rejected packet should be logged separately.
At least, there should be some mark on each rule to allow logging.
It can be disabled by default, but should exist.

Really, what do you think of LuCI firewall?

xxxx removed by me.

Got it!

Let's take the example of the WAN zone.
If I want to log dropped incoming & dropped packets:

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option log '1'
	option log_limit '5/second'

In LuCI firewall:
[x] Reject packets
In firewall zone:
=>Advanced settings
[x] Enable logging on this zone
And then fill limit value.

The log can be seen in system log.
You only need to send it to a remote syslog server.

About limit:

--limit
followed by a number; specifies the maximum average number of matches to allow per second. The number can specify units explicitly, using '/second', '/minute', '/hour' or '/day', or parts of them (so '5/second' is the same as '5/s').
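Once the zone logging above is enabled and the router forwards its system log to the central syslog server, something has to read those lines. Here is an added example (not from the original post or from LEDE) that parses the netfilter LOG lines as they arrive and counts rejected/dropped packets per zone, direction and source. The "REJECT wan in: " style prefix is assumed to be what the LEDE firewall writes; the key=value fields are the standard netfilter LOG format, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines, in the shape a remote syslog server would receive
# from a LEDE router with zone logging enabled. Documentation IP ranges are used.
SAMPLE_LOG = """\
Mar  3 12:00:01 lede kernel: [ 1234.567890] REJECT wan in: IN=eth0.2 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 12:00:01 lede kernel: [ 1234.601234] REJECT wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 12:00:02 lede kernel: [ 1235.000000] REJECT wan forward: IN=eth0.2 OUT=br-lan SRC=203.0.113.9 DST=192.168.1.10 LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Mar  3 12:00:03 lede dropbear[1200]: Child connection from 192.168.1.20:50000
"""

# Assumed firewall prefix: "<ACTION> <zone> <direction>: " written before the
# kernel's key=value fields. The bracketed uptime stamp is optional.
PREFIX_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\]\s*)?"
    r"(?P<action>DROP|REJECT|ACCEPT) (?P<zone>\S+) (?P<dir>\S+): (?P<fields>.*)$"
)


def parse_fw_log(line):
    """Return a dict for a firewall log line, or None for any other syslog line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None  # other daemons log to the same syslog; ignore them
    kv = {}
    # Flags such as DF or SYN carry no '=' and are skipped. UDP lines carry LEN
    # twice (IP and UDP header); setdefault keeps the first, outer, value.
    for key, val in re.findall(r"\b([A-Z]+)=(\S*)", m.group("fields")):
        kv.setdefault(key, val)
    return {
        "action": m.group("action"), "zone": m.group("zone"), "dir": m.group("dir"),
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def summarize(text):
    """Count DROP/REJECT hits per (zone, direction, source address)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_fw_log(line)
        if rec and rec["action"] in ("DROP", "REJECT"):
            counts[(rec["zone"], rec["dir"], rec["src"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Remember that log_limit '5/second' caps how many of these lines the router emits, so counts at the syslog server are a lower bound on what the firewall actually rejected.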