Logging single firewall rule

Am I correct in thinking that within Luci with my complex firewall rules, that I cannot have just a single firewall rule log its firing? I have to either log everything or nothing?

I assume then, if I did it from the command line, such a thing is possible.

Such a requirement would be permanent and would be dire having to sift through many, many lines of log. If I am already denying some traffic, I do not need to be told about it.


Is this about fw3 or fw4? iptables or nftables?

fw4/nftables. Found how to do it from the cli. just not from within Luci.

Is your solution top secret or can you tell us?

1 Like

You can add option log '1' in the /etc/config/firewall definition of a rule, redirect or nat.


I assumed everyone knew... Just add "log" to each rule...

I looked at the web page describing that file, and it did not suggest that was possible against each individual rule.

It might also be option log "some string" to specify a custom log message prefix instead of the autogenerated one


Thanks to @jow @bib1963 @dave14305 .

I'll test it and report back.

Yes, just adding option log '1' to a rule definition seems to work, but boy, is the firewall system a nightmare to configure. I've decided just to script it from entries read from a database. It just appears easier to update.

I tested it with several rules (OpenWrt 22.03.3) and it really works. Great! :slightly_smiling_face: