Log packets that are handled by this rule



  • Hello everyone,

    Something is off with the rule logging (VER: Thu Mar 28 00:48:46 EDT 2013).

    I set a very last rule with "block any" and log enabled. I do see the blocked traffic in the "firewall" log section while trying to set up a TCP connection; it fails.
    Next I reverse the rule, making it "PASS", and I do NOT see traffic logged by this rule in the log section during the same TCP connection attempts, which now succeed (assuming it should appear with a green sign, as opposed to blocked traffic with the red sign). I only see "green" for broadcast 0:0:0:0 traffic.

    Do I understand it correctly: is this a bug?



  • Almost certainly not a bug; rule logging works fine and hasn't changed in ages. I suspect it's matching some other rule. Check /tmp/rules.debug for "log" in the corresponding rule.



  • Can you please give me more extended advice on how to debug it?

    I did try the same on version 1.2.3 and indeed the behavior is different. 1.2.3 shows ALL traffic, blocked or passed:

    Rule set as "Passed":
    rule 65/0(match): pass in on em2: (tos 0x0, ttl 127, id 19189, offset 0, flags [+], proto UDP (17), length 1500) 10.2.2.5.500 > 10.5.3.10.500: isakmp 1.0 msgid : phase 1 ? ident:

    Same rule set as "Blocked":
    rule 65/0(match): block in on em2: (tos 0x0, ttl 127, id 19627, offset 0, flags [+], proto UDP (17), length 1500) 10.2.2.5.500 > 10.5.3.10.500: isakmp 1.0 msgid : phase 1 ? ident:

    I DO NOT see the same behavior on 2.1



  • 1.2.3 and 2.1 are no different in this regard. New connections that match a rule with logging enabled are logged.
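A concrete way to settle the "which rule is actually matching" question raised in the replies above, as an added example that is not part of this thread and not pfSense code. pf logs a packet only on the rule that matched it, so a logged rule that is never reached produces nothing, while an earlier rule without "log" passes the traffic silently. The script parses a constructed "pfctl -vvsr" listing (the loaded ruleset with per-rule packet and state counters; /tmp/rules.debug is the pre-load source of the same rules and carries no counters) together with constructed pflog lines in the tcpdump format quoted in the thread ("rule N/0(match): pass in on em2: ..."), and classifies every rule. The ruleset text, counter values, and log lines are made up for the example; the rule numbers follow the "@N" prefix pfctl prints, which is the number pflog reports.

```python
"""Classify pf rules by whether they match traffic and whether they log it.

Constructed example (not code from the original thread or from pfSense).
Assumed inputs: the output of `pfctl -vvsr` and decoded pflog lines of the
form `rule N/0(match): pass in on em2: ...` as printed by tcpdump on pflog0.
"""
import re

# Constructed `pfctl -vvsr` output: rule @1 passes the ISAKMP traffic without
# `log`, so @2 (which does log) never sees it and nothing reaches the log.
RULESET = """\
@0 block drop in log all
  [ Evaluations: 4012      Packets: 18        Bytes: 1440      States: 0     ]
@1 pass in quick on em2 inet proto udp from 10.2.2.0/24 to any port = isakmp keep state label "USER_RULE: allow isakmp, no log"
  [ Evaluations: 3990      Packets: 2200      Bytes: 1980000   States: 1     ]
@2 pass in log quick on em2 inet proto udp from any to 10.5.3.10 port = isakmp keep state label "USER_RULE: logged isakmp"
  [ Evaluations: 1790      Packets: 0         Bytes: 0         States: 0     ]
"""

# Constructed pflog line: only the block rule ever produced a log entry.
PFLOG = """\
rule 0/0(match): block in on em2: (tos 0x0, ttl 64, id 19627, offset 0, flags [DF], proto TCP (6), length 60) 10.2.2.7.51000 > 10.5.3.10.22: Flags [S], seq 1, win 65535, length 0
"""

RULE_RE = re.compile(r"^@(\d+)\s+(block|pass|match)\b(.*)$")
COUNTER_RE = re.compile(r"Packets:\s*(\d+)\s+Bytes:\s*\d+\s+States:\s*(\d+)")
PFLOG_RE = re.compile(r"^rule (\d+)/\d+\(match\):\s+(pass|block)\s+(in|out) on (\S+):")
LABEL_RE = re.compile(r'label\s+"[^"]*"')


def parse_ruleset(text):
    """Return {rule_number: {action, log, text, packets, states}} from `pfctl -vvsr`."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = int(m.group(1))
            # Drop the label before looking for the keyword so a label
            # containing the word "log" does not produce a false positive.
            body = LABEL_RE.sub("", m.group(3))
            rules[current] = {
                "action": m.group(2),
                "log": bool(re.search(r"\blog\b", body)),
                "text": line.strip(),
                "packets": 0,
                "states": 0,
            }
            continue
        c = COUNTER_RE.search(line)
        if c and current is not None:  # counter line belongs to the rule above it
            rules[current]["packets"] = int(c.group(1))
            rules[current]["states"] = int(c.group(2))
    return rules


def parse_pflog(text):
    """Return [(rule_number, action, direction, interface)] from decoded pflog lines."""
    return [
        (int(m.group(1)), m.group(2), m.group(3), m.group(4))
        for m in map(PFLOG_RE.match, text.splitlines())
        if m
    ]


def diagnose(rules, hits):
    """Map each rule number to one of:
    logging        has `log` and is matching traffic
    never-matched  has `log` but no packets, states or pflog entries
                   (an earlier rule is taking the traffic first)
    silent-match   matching traffic but has no `log`
                   (where the "missing" entries are going)
    idle           no `log`, no traffic
    """
    seen = {hit[0] for hit in hits}
    status = {}
    for num, r in rules.items():
        matched = r["packets"] > 0 or r["states"] > 0 or num in seen
        if r["log"] and matched:
            status[num] = "logging"
        elif r["log"]:
            status[num] = "never-matched"
        elif matched:
            status[num] = "silent-match"
        else:
            status[num] = "idle"
    return status


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for num, state in sorted(diagnose(rules, parse_pflog(PFLOG)).items()):
        print(f"@{num:<3} {state:<14} {rules[num]['text'][:70]}")
```

On a live box the two inputs come from "pfctl -vvsr" and "tcpdump -n -e -ttt -i pflog0"; a rule reported as "silent-match" directly above the one you enabled logging on is the usual explanation for an empty log, and the fix is to move or narrow that rule rather than to touch logging.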

