Bug 11316

Summary: Enhancement: Logging should distinguish action DROP/ACCEPT
Product: IPFire
Reporter: ipf-tom
Component: ---
Assignee: Assigned to nobody - feel free to grab it and work on it <nobody>
Status: NEW
QA Contact:
Severity: Balancing
Priority: Will affect most users
CC: alexander.marx, peter.mueller
Version: 2
Keywords: NewFeature
Hardware: all
OS: All
Bug Depends on:
Bug Blocks: 12278

Description ipf-tom 2017-04-13 16:58:54 UTC
When adding a firewall rule with action "DROP" and logging active, it is translated into an iptables rule like:
LOG  all  --  my.orange.ip.net/24 0.0.0.0/0 limit: ... prefix "FORWARDFW "
DROP all  --  my.orange.ip.net/24 0.0.0.0/0

The log entry shown in the web interface does show the chain "FORWARDFW", but there is no indication that the packet has been dropped. Of course I could know about my rules, but who always remembers what he configured a month ago?

It would be useful to add the action to the log also. For example:
LOG  all  --  my.orange.ip.net/24 0.0.0.0/0 limit: ... prefix "FORWARDFW:DROP "
Comment 1 Peter Müller 2018-02-06 20:57:26 UTC
Hm, this seems to be an aesthetic issue, isn't it?
Comment 2 ipf-tom 2018-02-07 10:58:17 UTC
(In reply to Peter Müller from comment #1)
> Hm, this seems to be an aesthetic issue, isn't it?

No, it isn't an aesthetic issue only.

While watching /var/log/messages I did see some FORWARDFW log entries for a request which should be dropped. So I got frightened and started to analyse the iptables rules. After a while I realized that the log entry was a DROP.

-> The log entries are misleading and did cause a scare and work.

And because the firewall rules are not versioned, you cannot analyze a firewall log from the past. You do not know whether the packet has been forwarded if you do not know the rules for this specific time. It would be a big improvement for traceability if the log would document the action taken.

So IMHO it is a small change with a big win. Even for small environments like at home.
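To illustrate the difference the proposed prefix makes for anyone reading /var/log/messages, here is an added example (not part of the bug report or of IPFire's code) that parses netfilter LOG lines and pulls the chain and action out of the prefix. It assumes the "CHAIN:ACTION " prefix format suggested in the description; the sample log lines are constructed, and a line written with the current "FORWARDFW " prefix comes back with no action, which is exactly the gap comment 2 describes.

```python
import re
from collections import Counter
from typing import Optional, NamedTuple

# Netfilter LOG lines in /var/log/messages look like:
#   "... kernel: <prefix>IN=<if> OUT=<if> ... SRC=<ip> DST=<ip> ..."
# The prefix is whatever the LOG target was given, trailing space included.
LOG_RE = re.compile(
    r"kernel:\s+(?P<prefix>.*?)IN=(?P<iface_in>\S*)\s+OUT=(?P<iface_out>\S*)"
    r".*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
)

class FwLogEntry(NamedTuple):
    chain: str
    action: Optional[str]  # None when the prefix carries no action (current "FORWARDFW " style)
    src: str
    dst: str

def parse_entry(line: str) -> Optional[FwLogEntry]:
    """Parse one syslog line; return None for lines that are not netfilter LOG output."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Assumed prefix layout from the proposal: "FORWARDFW:DROP " -> chain "FORWARDFW", action "DROP"
    chain, sep, action = m.group("prefix").strip().partition(":")
    return FwLogEntry(chain, action.upper() if sep else None, m.group("src"), m.group("dst"))

def summarize(lines) -> Counter:
    """Count entries per (chain, action); legacy prefixes without an action land in UNKNOWN."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_entry(line)
        if entry is not None:
            counts[(entry.chain, entry.action or "UNKNOWN")] += 1
    return counts

# Constructed sample lines: two with the proposed prefix, one with the current prefix, one unrelated.
SAMPLE_LOG = """\
Apr 13 16:58:54 ipfire kernel: FORWARDFW:DROP IN=green0 OUT=red0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=22
Apr 13 16:58:55 ipfire kernel: FORWARDFW:ACCEPT IN=green0 OUT=red0 SRC=192.168.1.11 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51235 DPT=443
Apr 13 16:58:56 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.12 DST=203.0.113.6 LEN=60 PROTO=UDP SPT=51236 DPT=53
Apr 13 16:58:57 ipfire sshd[123]: Accepted publickey for root from 192.168.1.2
""".splitlines()

if __name__ == "__main__":
    for (chain, action), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain} {action}: {n}")
```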