Closed sigma74 closed 5 years ago
Cannot reproduce it on a recent master build.
Before:
root@jj:~# iptables-save | grep LOG
root@jj:~#
After ticking the box in the wan zone and hitting Save & Apply:
root@jj:~# iptables-save | grep LOG
-A zone_wan_dest_REJECT -o eth0 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
-A zone_wan_dest_REJECT -o 6in4-wan6 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
-A zone_wan_src_REJECT -i eth0 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
-A zone_wan_src_REJECT -i 6in4-wan6 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
root@jj:~#
The per-firewall-zone logging of rejected packets (see #1286) does not seem to be effective; there is neither output in "Status > System log" nor in logread on the console (tested with telnet attempts to port 25 of the OpenWrt box). Ticking the box "Enable logging on this zone" in LuCI via "Network > Firewall > Zone Settings > Advanced Settings" does not seem to cause any logging rules to be added to iptables by fw3, as "iptables -L | grep LOG" is empty and no corresponding entry is found in "Status > Firewall" either.
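The manual `iptables-save | grep LOG` check used in this thread can be scripted per zone. The following is an added example, not part of the issue thread or of fw3. The chain naming (`zone_<name>_src_REJECT`, `zone_<name>_dest_REJECT`) and the `!fw3` comment are taken from the output quoted above; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report fw3 per-zone LOG rules from `iptables-save` text on stdin.

# Print one line per fw3 LOG rule: zone <TAB> direction <TAB> interface <TAB> prefix
fw3_log_rules() {
    awk '
    $1 == "-A" && /-j LOG/ && /--comment "!fw3"/ {
        chain = $2
        if (chain !~ /^zone_.+_(src|dest)_REJECT$/) next
        sub(/^zone_/, "", chain); sub(/_REJECT$/, "", chain)
        dir = chain;  sub(/^.*_/, "", dir)          # "src" or "dest"
        zone = chain; sub(/_(src|dest)$/, "", zone) # zone names may contain "_"
        iface = "-"
        for (i = 3; i < NF; i++)
            if ($i == "-i" || $i == "-o") iface = $(i + 1)
        prefix = "-"
        if (match($0, /--log-prefix "[^"]*"/))
            prefix = substr($0, RSTART + 14, RLENGTH - 15)
        print zone "\t" dir "\t" iface "\t" prefix
    }'
}

# Succeed only if ZONE has a LOG rule in both its src and dest REJECT chains.
# Usage: iptables-save | zone_logs_rejects wan
zone_logs_rejects() {
    fw3_log_rules | awk -F '\t' -v z="$1" '
        $1 == z { seen[$2] = 1 }
        END { exit !(("src" in seen) && ("dest" in seen)) }'
}

# Constructed sample: the "After" output quoted in this thread.
sample_after() {
    cat <<'EOF'
-A zone_wan_dest_REJECT -o eth0 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
-A zone_wan_dest_REJECT -o 6in4-wan6 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan out: "
-A zone_wan_src_REJECT -i eth0 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
-A zone_wan_src_REJECT -i 6in4-wan6 -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT wan in: "
EOF
}

sample_after | fw3_log_rules
if sample_after | zone_logs_rejects wan; then
    echo "wan: reject logging present in both directions"
else
    echo "wan: reject logging missing in at least one direction"
fi
```

On a router, pipe live output instead of the sample, for example `iptables-save | zone_logs_rejects wan`; an empty result matches the "Before" state shown above.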