When you enable logging in a zone it will log the REJECT or DROP policies.
For Zone A you ACCEPT input and output, but REJECT forward. So it will log the forward attempts from ZONE A to ZONE A.
If you want to log the connections from ZoneA to the internet, then you need to make a rule to log whatever is going to be dropped, for example in the zone_wan_dest_REJECT.
Thanks for your answer.
Did you mean Zone A to Zone B?
In the web interface it reads: The options below control the forwarding policies between this zone (vlan10) and other zones.
Therefore I expected it to log forward (REJECT) from vlan10 to any other zone.
That logging rule in zone_wan_dest_REJECT has to be created by hand?!
Wouldn't it make more sense to log the way I described?
Don't get me wrong, I just don't see the benefit from the way it is right now.
No, the per-zone forwarding applies to intra-zone forwarding, e.g. in case you have multiple interfaces in one zone and you don't want to allow forwarding from one interface to the other.
This is inter-zone forwarding. It might work better to log the destination zone, instead of the source.
It is there already by default for all zones.
Maybe it is not working as expected, but if you provide the firewall configuration we can find a way to implement it: uci export firewall; cat /etc/firewall.user
I'm still not sure if my understanding might be the use case one would find more often out there, but that's ok.
I already have a logging rule in firewall.user:
iptables -I forwarding_lan_rule -p tcp -s 192.168.1.112 -m conntrack --ctstate NEW -j LOG --log-prefix "Evil> "
I just thought it might be nice to have it in general for a zone and to turn it on/off via web interface.
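An added example (not from the thread or from OpenWrt itself) that puts the two ideas above together for a firewall.user script: a helper that inserts a rate-limited LOG rule into the fw3-generated zone_<zone>_dest_<POLICY> chain the earlier reply points at, and a small summariser for the logread lines such a rule produces. The "Evil> " prefix and the lan/wan zone names follow the thread; the logread sample lines are constructed, and the IPTABLES variable is an assumption added so the helper can be dry-run with IPTABLES=echo.

```shell
#!/bin/sh
# Added example, not code from the thread. Works with busybox ash on OpenWrt
# and with bash elsewhere. Set IPTABLES=echo to print rules instead of applying.
IPTABLES="${IPTABLES:-iptables}"

# add_zone_log_rule ZONE POLICY PREFIX
# Inserts a LOG rule at the top of zone_ZONE_dest_POLICY, the chain fw3 uses
# for traffic *towards* ZONE that is about to be REJECTed/DROPped. Only new
# connections are logged, and --limit stops one scanning host from flooding
# the kernel ring buffer (logread) with thousands of lines.
add_zone_log_rule() {
  zone="$1"; policy="$2"; prefix="$3"
  "$IPTABLES" -I "zone_${zone}_dest_${policy}" \
    -m conntrack --ctstate NEW \
    -m limit --limit 10/minute --limit-burst 20 \
    -j LOG --log-prefix "$prefix"
}

# summarize_log PREFIX  (reads logread output on stdin)
# Prints "count PROTO SRC DST DPT", most frequent first, for lines that carry
# PREFIX; lines from other log sources are ignored.
summarize_log() {
  grep -F "$1" | awk '{
    proto = ""; src = ""; dst = ""; dpt = "-"
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "DST") dst = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (src != "") print proto, src, dst, dpt
  }' | sort | uniq -c | sort -rn
}

# Constructed sample of logread output (not real output from the thread):
# two rejected TCP/443 attempts and one UDP/53 attempt from 192.168.1.112,
# plus an unrelated dnsmasq line that must be skipped.
SAMPLE_LOG='Mon Jan  1 10:00:01 2024 kern.warn kernel: [ 100.1] Evil> IN=br-lan OUT=eth0.2 SRC=192.168.1.112 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mon Jan  1 10:00:02 2024 daemon.info dnsmasq[1234]: started, version 2.80
Mon Jan  1 10:00:03 2024 kern.warn kernel: [ 102.3] Evil> IN=br-lan OUT=eth0.2 SRC=192.168.1.112 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mon Jan  1 10:00:04 2024 kern.warn kernel: [ 103.4] Evil> IN=br-lan OUT=eth0.2 SRC=192.168.1.112 DST=203.0.113.53 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=50000 DPT=53 LEN=44'

# Usage on the router: add_zone_log_rule wan REJECT "Evil> " in firewall.user,
# then later: logread | summarize_log "Evil> "
```

On a live router replace the sample with `logread` output; fw3 re-runs firewall.user after every firewall restart, so the LOG rule survives `/etc/init.d/firewall restart`.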