Firewall logging - Best Practice


  • Banned

    Hi everybody!

    I'm interested in the general policy you practice on logging in firewall rules. What should be in the log in every case? What is never important at all?

    • Broadcast (from promisc. interfaces due to snort?) is of limited interest, right?
    • Do I really want to see who is knocking on some port of my WAN interface?
    • Enable logging for the pass rules to see which IPs are visited by certain clients?

    What's your policy on these and other firewall log issues?

    Kind regards

    chemlud



  • I keep logs as quiet as possible. Only important stuff should be showing up.

    Though, this is after I assure all of my rules are blocking/passing the proper traffic. Like the logging of incoming WAN denies… once I know it is working, that rule is silenced.


  • LAYER 8 Global Moderator

    "- Do I really want to see who is knocking on some port of my WAN interface?"

    While it might not be of interest if it's here and there a few of them... But you sure might be interested if with say 1000 a second sort of thing.
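
An added example, not part of any post in this thread: one way to reconcile the two replies above is to keep individual WAN denies out of the report and alert only when their rate crosses a threshold. The record layout, the function names and the threshold of 100 per second are assumptions made for this sketch, and the sample records are constructed.

```python
from collections import Counter

# Constructed record layout (an assumption, not a real firewall's format):
# "<epoch_seconds> <interface> <action> <source_ip> <dest_port>"
def make_sample():
    lines = []
    # Background noise: one blocked probe every 30 s.
    for i in range(20):
        lines.append(f"{1000 + 30 * i} wan block 198.51.100.{i + 1} 23")
    # Burst: 1000 blocked packets within one second from one source.
    lines += ["1300 wan block 203.0.113.7 22"] * 1000
    # LAN pass traffic must not count toward WAN deny bursts.
    lines.append("1300 lan pass 192.168.1.10 443")
    return lines

def burst_alerts(lines, threshold=100, bucket=1):
    """Summarise WAN denies: one alert per run of buckets at/over threshold."""
    counts, sources = Counter(), {}
    for line in lines:
        ts, iface, action, src, _port = line.split()
        if (iface, action) != ("wan", "block"):
            continue
        b = int(ts) // bucket * bucket  # start of the time bucket
        counts[b] += 1
        sources.setdefault(b, Counter())[src] += 1
    alerts = []
    for b in sorted(counts):
        if counts[b] < threshold:
            continue  # isolated knocks stay out of the report
        if alerts and alerts[-1]["end"] == b:
            alert = alerts[-1]  # contiguous with previous bucket: extend
        else:
            alert = {"start": b, "end": b, "packets": 0, "by_source": Counter()}
            alerts.append(alert)
        alert["end"] = b + bucket
        alert["packets"] += counts[b]
        alert["by_source"] += sources[b]
    for alert in alerts:
        alert["top_source"] = alert.pop("by_source").most_common(1)[0][0]
    return alerts

if __name__ == "__main__":
    for a in burst_alerts(make_sample()):
        print(a)
```
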

