[Solved] Error in zone logging

Hi folks,

Either I am misunderstanding the (default) logging of OpenWrt, or there is a mistake in the logging ruleset that is being generated.

I have the following zone setup:

ZoneA => ZoneB 'ACCEPT' 'ACCEPT' 'REJECT'
I also have a couple of rules to allow ZoneA access to the Internet (80,443)

Now I enable 'Logging' on this zone and expect it to log connections to the Internet other than 80,443.

But, this is not the case, as the generated logging rules (named 'REJECT ZoneA out') look like this:

0 0 LOG all * INERFACE_ZoneA 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 /* !fw3 */ LOG flags 0 level 4 prefix "REJECT ZoneA out"

It is working fine if you change it to

0 0 LOG all * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 /* !fw3 */ LOG flags 0 level 4 prefix "REJECT ZoneA out"

Am I seeing this wrong, or is there an error in OpenWrt?!

Thanks in advance,
Mark

When you enable logging in a zone, it will log the REJECT or DROP policies.
For ZoneA you ACCEPT input and output, but REJECT forward. So it will log the forward attempts from ZoneA to ZoneA.
If you want to log the connections from ZoneA to the internet, then you need to make a rule to log whatever is going to be dropped, for example in the zone_wan_dest_REJECT chain.
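As an added illustration of the point above (this is not code from either participant), the following script parses the two LOG rules quoted in the first post, in the iptables -L -v -n column layout, and checks which forwarded flows each one would actually log. The interface name INERFACE_ZoneA is taken from the post; the wan interface name eth0.2 is a constructed placeholder. Only the in/out interface match of the rule itself is modelled: in a real fw3 ruleset the jump from FORWARD into zone_ZoneA_forward already restricts the in-interface to ZoneA, which is why the generated rule shows '*' there.

```python
"""Added example: check which forwarded flows an iptables LOG rule matches.

Input lines are in the 'iptables -L -v -n' layout:
    pkts bytes target prot [opt] in out source destination [extras]
LuCI's status page omits the 'opt' column, so both shapes are accepted.
"""
import re
from dataclasses import dataclass

# The two rules quoted in the thread (generated rule first, hand-edited rule second).
RULE_RESTRICTED = ('0 0 LOG all * INERFACE_ZoneA 0.0.0.0/0 0.0.0.0/0 '
                   'limit: avg 10/sec burst 5 /* !fw3 */ LOG flags 0 level 4 '
                   'prefix "REJECT ZoneA out"')
RULE_ANY = ('0 0 LOG all * * 0.0.0.0/0 0.0.0.0/0 '
            'limit: avg 10/sec burst 5 /* !fw3 */ LOG flags 0 level 4 '
            'prefix "REJECT ZoneA out"')

# Values iptables prints in the optional 'opt' column.
OPT_VALUES = {"--", "-f", "!f"}


@dataclass
class LogRule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    prefix: str


def parse_rule(line: str) -> LogRule:
    """Split one counter-prefixed rule line into its match fields."""
    tokens = line.split()
    target, proto = tokens[2], tokens[3]
    i = 4
    if tokens[i] in OPT_VALUES:   # skip the 'opt' column when present
        i += 1
    in_if, out_if, src, dst = tokens[i:i + 4]
    m = re.search(r'prefix "([^"]*)"', line)
    return LogRule(target, proto, in_if, out_if, src, dst, m.group(1) if m else "")


def _if_match(pattern: str, name: str) -> bool:
    """iptables interface match: '*' is any, '!' negates, trailing '+' is a prefix wildcard."""
    if pattern == "*":
        return True
    negate = pattern.startswith("!")
    pat = pattern.lstrip("!")
    hit = name.startswith(pat[:-1]) if pat.endswith("+") else name == pat
    return hit != negate


def rule_logs(rule: LogRule, in_if: str, out_if: str) -> bool:
    """True if this LOG rule fires for a packet forwarded from in_if to out_if.

    src/dst are 0.0.0.0/0 in both quoted rules, so only interfaces are checked.
    """
    return (rule.target == "LOG"
            and _if_match(rule.in_if, in_if)
            and _if_match(rule.out_if, out_if))


def which_rules_log(rules, in_if: str, out_if: str):
    """Return the log prefixes of every rule that would log this flow."""
    return [r.prefix for r in rules if rule_logs(r, in_if, out_if)]


if __name__ == "__main__":
    rules = [parse_rule(RULE_RESTRICTED), parse_rule(RULE_ANY)]
    # Flow from ZoneA to the Internet: only the hand-edited rule logs it.
    print("ZoneA -> wan:", which_rules_log(rules, "INERFACE_ZoneA", "eth0.2"))
    # Intra-zone forward ZoneA -> ZoneA: both rules log it.
    print("ZoneA -> ZoneA:", which_rules_log(rules, "INERFACE_ZoneA", "INERFACE_ZoneA"))
```

Running it shows that the generated rule (out-interface INERFACE_ZoneA) only fires for forwards whose egress is back into ZoneA, which is the intra-zone case, while the edited rule (out-interface '*') also catches the ZoneA to wan flows the original poster wanted to see.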

Hi trendy,

Thanks for your answer.
Did you mean Zone A to Zone B?

In the web interface it reads:
The options below control the forwarding policies between this zone (vlan10) and other zones.
Therefore I expected it to log forward (REJECT) from vlan10 to any other zone.

That logging rule in zone_wan_dest_REJECT has to be created by hand?!

Wouldn't it make more sense to log the way I described?
Don't get me wrong, I just don't see the benefit from the way it is right now.

No, the per-zone forwarding applies to intra-zone forwarding, e.g. in case you have multiple interfaces in one zone and you don't want to allow forwarding from one interface to the other.

This is inter-zone forwarding. It might work better to log the destination zone, instead of the source.

It is there already by default for all zones.

Maybe it is not working as expected, but if you provide the firewall configuration we can find a way to implement it.
uci export firewall; cat /etc/firewall.user

Thank you. That's probably what I missed so far :)

I'm still not sure if my understanding might be the use case one would find more often out there, but that's ok.

I already have a logging rule in firewall.user:
iptables -I forwarding_lan_rule -p tcp -s 192.168.1.112 -m conntrack --ctstate NEW -j LOG --log-prefix "Evil> "
I just thought it might be nice to have it in general for a zone and to turn it on/off via web interface.

Thanks and greetings from Cologne
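As an added example (not the original poster's firewall.user and not an OpenWrt-provided snippet), here is what trendy's suggestion looks like as a firewall.user fragment: a rate-limited LOG rule placed in zone_wan_dest_REJECT, so that forwards the wan zone's REJECT policy is about to drop get logged regardless of which source zone they came from. The chain name follows the fw3 naming trendy mentions; the log prefix, the 10/sec limit and the NEW-connection restriction are our own choices (the limit mirrors the one in the generated rules quoted above).

```shell
#!/bin/sh
# Added example for /etc/firewall.user: log forwards rejected by the wan zone.
# Assumes fw3 chain names of the form zone_<zone>_dest_REJECT.

# Chain that fw3 builds for traffic destined to ZONE and hit by its REJECT policy.
reject_chain() {
    printf 'zone_%s_dest_REJECT' "$1"
}

# Rule spec (everything after the chain name) for logging new, rejected forwards.
# --log-prefix is limited to 29 characters by the kernel, so keep PREFIX short.
reject_log_spec() {
    printf '%s' "-m conntrack --ctstate NEW -m limit --limit 10/sec --limit-burst 5 -j LOG --log-prefix \"$1\""
}

# Insert the rule at the top of the chain unless it is already there (iptables -C),
# so re-running firewall.user on every firewall reload stays idempotent.
apply_reject_log() {
    chain=$(reject_chain "$1")
    set -- -m conntrack --ctstate NEW -m limit --limit 10/sec --limit-burst 5 -j LOG --log-prefix "$2"
    iptables -C "$chain" "$@" 2>/dev/null || iptables -I "$chain" "$@"
}

# Usage in firewall.user (commented out here so the file can be sourced without iptables):
# apply_reject_log wan "REJECT to wan> "
# Matching log lines then appear in 'logread' with the prefix "REJECT to wan> ".
```

Because the rule sits in the destination zone's REJECT chain rather than in the source zone's forward chain, it logs traffic from any zone whose forward to wan is rejected, which is the inter-zone case the thread is about.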

I am afraid that the built-in rules in LuCI or UCI cannot cover all possible use cases; that's why there is the option to add your own custom commands.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
