Limit logging per source IP?



  • Is there a way to limit logging to one entry per x seconds per source IP per rule?
    Port scanners and ssh brute forcing attempt also fill up log files.
    By limiting to one entry per source IP, one would still obtain the most useful information about who attacks us, but not fill the log files with pointless repetitions, that make it difficult to spot important entries.


  • Rebel Alliance Developer Netgate

    No because they are all different in some way, pf doesn't have any mechanism to collapse them.

    It only logs the first packet of a connection when set to log, but for block rules a connection is never established, so every packet is blocked.

    If you send logs to a syslog server, whatever you have managing your logs there may be able to squash or summarize the entries in some way, but that's outside the scope of the firewall.



  • @jimp:

    No because they are all different in some way, pf doesn't have any mechanism to collapse them.

    It only logs the first packet of a connection when set to log, but for block rules a connection is never established, so every packet is blocked.

    But Isn't the "max src. conn. rate" something similar? It seems to be able to keep count on the number of connection attempts from a source, and this could presumably also be used for counting log entries. With iptables I would use the recent module to count how often a rule is hit (per source).
    The problem is that repeated log entries fill up what little space there is, for example in the Firewall Logs widget, and so more important lines quickly scroll off the screen.


  • Rebel Alliance Developer Netgate

    No, because that only applies to pass rules, which already only log the first entry.

    That sets a state/rate limit for connections passed by a rule. After that limit they are blocked (and logged…)



  • @jimp:

    No, because that only applies to pass rules, which already only log the first entry.

    That sets a state/rate limit for connections passed by a rule. After that limit they are blocked (and logged…)

    Subtle, but I see the point (I think).

    Making rules more complicated to limit logging is probably not advised, anyway.
    The task of limiting/filtering could equally well be done by the viewers.
    If the Log widget or Status/SystemLogs had a way to collapse adjacent similar entries in the listings that would be sufficient.