Please add an option for dropping logging of drop hostile for incoming. Firewall logs contain 10-20k incoming packets that are dropped by the firewall, and there is no way for me to analyze 10-20k entries per day. I am concerned that it is causing too much wear on the storage. Once the storage fails, the firewall will be disabled. Unchecking Logging Dropped input packets (FW Options) DOESN'T suppress drop hostile. Attached screenshots of log and Firewall options. There is also a discussion: https://community.ipfire.org/t/excessive-logging/8868
Created attachment 1118 [details] Incoming Drop Hostile entries fill up log
Created attachment 1119 [details] After enabling IPBlocklist, incoming CIarmy entries fill up log
Created attachment 1120 [details] Logging Dropped input packets (FW Options) is disabled
I see there is a 10/sec limit on logging of HOSTILE_DROP as well as CIARMY_DROP tables. Could I modify the limit, for example to a 10/hour limit?

Chain HOSTILE_DROP (0 references)
target  prot opt in  out  source     destination
LOG     all  --  *   *    0.0.0.0/0  0.0.0.0/0  limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_HOSTILE "
DROP    all  --  *   *    0.0.0.0/0  0.0.0.0/0  /* DROP_HOSTILE */
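The listing above shows the two-rule layout behind the noise: a rate-limited LOG rule followed by an unconditional DROP. As an added example (not IPFire's own rule generator, which lives in its firewall scripts), the shell function below rebuilds such a chain with the LOG rule made optional and its limit adjustable, so that logging can be suppressed or slowed per chain while the DROP stays in place. The chain names HOSTILE_DROP_IN and HOSTILE_DROP_OUT and the IPTABLES dry-run variable are assumptions for illustration; by default the function only echoes the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not IPFire code. Builds a drop chain with an optional,
# rate-limited LOG rule, mirroring the HOSTILE_DROP listing in this report.
# IPTABLES defaults to a dry run that echoes the commands; set
# IPTABLES=iptables to apply them for real (requires root).
IPTABLES="${IPTABLES:-echo iptables}"

# hostile_drop_chain <chain> <log: on|off> [limit, e.g. 10/sec or 10/hour]
# Emits/applies: (re)create chain, optional limited LOG rule, final DROP.
hostile_drop_chain() {
    chain="$1"
    log="$2"
    limit="${3:-10/sec}"   # default matches the 10/sec seen in the listing

    $IPTABLES -N "$chain" 2>/dev/null   # no-op if the chain already exists
    $IPTABLES -F "$chain"               # start from an empty chain

    # Logging is optional; the DROP below is not, so blocking never depends
    # on whether the administrator wants log lines for it.
    if [ "$log" = "on" ]; then
        $IPTABLES -A "$chain" -m limit --limit "$limit" --limit-burst 5 \
            -j LOG --log-level 4 --log-prefix "DROP_HOSTILE "
    fi

    $IPTABLES -A "$chain" -j DROP
}

# Demo: silence the incoming chain entirely, keep outgoing logged but at
# 10 lines per hour instead of 10 per second.
hostile_drop_chain HOSTILE_DROP_IN off
hostile_drop_chain HOSTILE_DROP_OUT on 10/hour
```

Run it as-is to see the commands it would issue; the dry-run output is what you would compare against `iptables -L HOSTILE_DROP -v -n` after applying. Keeping the LOG rule before the DROP with `-m limit` is what bounds the write rate to the log, and lowering the limit (or omitting the rule) is the lever the report asks for without touching the DROP itself.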
Created attachment 1432 [details] screenshot of modified optionsfw.cgi This patch set modifies the optionsfw.cgi as shown in the attachment. Patch submitted to dev mailing list and patchwork. https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/CBYSUC7LU3TCFO5S4MAOUFIPJ5VYCKBQ/ https://patchwork.ipfire.org/project/ipfire/list/?series=4068
v2 version of patch set created based on discussion in January IPFire Video Call https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/3DII55VJ3MDHD47G7F7UKSEGDL6IIVPJ/ https://patchwork.ipfire.org/project/ipfire/list/?series=4089
Based on discussion in the forum it makes sense to be able to have the option to log drop-hostile traffic for outgoing while not logging the drop-hostile for incoming. https://community.ipfire.org/t/less-noise-in-the-firewall-logs/10930 Based on this I will put together a v3 version of my patch submission to have two Log drop-hostile options, one for incoming and one for outgoing traffic, so the logging can be separately controlled.
v3 version of patch set submitted https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/thread/QEIK6EAJ564E52AF2QC4ZDRCRPVITW4C/ https://patchwork.ipfire.org/project/ipfire/list/?series=4113
Additional patches provided by @michael and @adolf https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=7c9a6cf1631cd68970762cbb61056618f6de4c2e https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=3dfc7489461d52321bf6cb6a342b15416fd362bb https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=08c20b8457ec8c8fe24dda561b8d28a6f6b584a3 https://patchwork.ipfire.org/project/ipfire/patch/20240211131948.6202-1-adolf.belka@ipfire.org/ https://patchwork.ipfire.org/project/ipfire/patch/20240214103436.2878-1-adolf.belka@ipfire.org/
The last two patches from the list in comment 9 have been merged. https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=dd24668627fd9ee1c8ef912840904a556e5a690b https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2071b2964fed10cbcf62bd2d7da3b7e718f8a88f All patches have now been built in the latest nightly build, so a fresh test of Core Update 184 Testing should all work now as intended.
Tested out an update to the latest nightly build version of CU184 Testing with all the patches mentioned in the earlier comments. The graph is now working fine. Logging options now exist for Drop Hostile Incoming and Drop Hostile Outgoing independently.
Fix has been released with Core Update 184 https://www.ipfire.org/blog/ipfire-2-29-core-update-184-released