Am I correct in thinking that within Luci with my complex firewall rules, that I cannot have just a single firewall rule log its firing? I have to either log everything or nothing?
I assume then, if I did it from the command line, such a thing is possible.
Such a requirement would be permanent and would be dire having to sift through many, many lines of log. If I am already denying some traffic, I do not need to be told about it.
Bib
Is this about fw3 or fw4? iptables or nftables?
fw4/nftables. Found how to do it from the cli. just not from within Luci.
Is your solution top secret or can you tell us?
You can add option log '1' in the /etc/config/firewall definition of a rule, redirect or nat.
I assumed everyone knew... Just add "log" to each rule...
I looked at the web page describing that file, and it did not suggest that was possible against each individual rule.
It might also be option log "some string" to specify a custom log message prefix instead of the autogenerated one
Thanks to @jow @bib1963 @dave14305 .
I'll test it and report back.
Yes, just adding option log '1' to a rule definition seems to work, but boy, is the firewall system a nightmare to configure. I've decided just to script it from entries read from a database. It just appears easier to update.
I tested it with several rules (OpenWrt 22.03.3) and it really works. Great! 
@bib1963 Would you consider marking this as the solution, please?
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.