We’re splitting things up into very granular zones and only allowing specific traffic per service; there are no allow-all rules, only traffic allowed by granular rules. This creates rather large firewall configurations, so I wrote a Python script to create the rules from some shorthand I use when designing firewalls. It turns about 200 lines of shorthand into about 4,600 lines of firewall commands (with a bunch of error checking), but more about that in another post…
Logging defaults to on, and when I do simple speed tests on the firewall, systemd-journald takes up most of the CPU time. Disabling firewall logging frees up about 70% of the otherwise consumed CPU time.
To conserve resources (CPU, syslog server and all downstream analysis), I was thinking about disabling logging for the established/related and invalid packets. I already disable logging of packets from the LOCAL zone to the syslog server (log the logger: it’s just not practical!).
Is this an acceptable standard for logging almost everything relevant, or would missing the established/related and invalid data cause problems if analysis for something like a breach occurred?
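The following is an added example, not the poster's script, and not from this thread. It shows one way the two things in the post fit together: a short zone-to-zone shorthand expanded into an nftables forward chain, with the logging policy under discussion made explicit. Established/related traffic is accepted without a log rule (it is the bulk of the packets and the part that costs journald the most), invalid packets are still logged but behind a rate limit so a flood cannot drown the host, the first packet of every new flow is logged, and a `nolog` flag suppresses logging for the path to the log collector. The shorthand grammar, the zone names, the interface mapping and the sample policy are all assumptions constructed for the example.

```python
"""Expand a small firewall shorthand into an nftables ruleset.

Added example, not the script from the post. Assumed shorthand, one rule per line:
    <src_zone> -> <dst_zone> <tcp|udp>/<port>[,<port>...] [nolog]
"""
import re

# Assumed zone -> interface mapping, constructed for this example.
ZONES = {"WAN": "eth0", "DMZ": "eth1", "APP": "eth2", "DB": "eth3", "LOGSRV": "eth4"}

RULE_RE = re.compile(r"^(\w+)\s*->\s*(\w+)\s+(tcp|udp)/(\d+(?:,\d+)*)(?:\s+(nolog))?$")

# Constructed sample policy, not the author's real shorthand.
SHORTHAND = """\
# web tier from the internet, app tier behind it, database last
WAN -> DMZ tcp/80,443
DMZ -> APP tcp/8080
APP -> DB tcp/5432
# syslog towards the log collector: allowed, but never logged (no log-the-logger loop)
APP -> LOGSRV udp/514 nolog
"""


def parse(text):
    """Return a list of (src, dst, proto, ports, nolog) tuples; raise ValueError on bad input."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        src, dst, proto, ports, nolog = m.groups()
        for zone in (src, dst):
            if zone not in ZONES:
                raise ValueError(f"line {lineno}: unknown zone {zone!r}")
        if src == dst:
            raise ValueError(f"line {lineno}: intra-zone rule {src}->{dst} is not allowed")
        port_list = [int(p) for p in ports.split(",")]
        bad = [p for p in port_list if not 1 <= p <= 65535]
        if bad:
            raise ValueError(f"line {lineno}: port out of range {bad}")
        rules.append((src, dst, proto, port_list, nolog is not None))
    return rules


def render(rules, log_established=False, log_invalid=True, invalid_rate="10/minute"):
    """Emit an nftables forward chain: state handling first, then per-service accepts."""
    out = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
    ]
    # established/related is the bulk of the traffic; one log line per packet is
    # what keeps journald busy, so accept silently unless explicitly requested.
    est_log = 'log prefix "FW-EST " ' if log_established else ""
    out.append(f"    ct state established,related {est_log}accept")
    # invalid packets are rare and worth keeping (scans, asymmetric routing, broken
    # NAT); keep the log line but rate-limit it so a flood cannot drown the host.
    if log_invalid:
        out.append(f'    ct state invalid limit rate {invalid_rate} log prefix "FW-INVALID " drop')
    out.append("    ct state invalid drop")
    for src, dst, proto, ports, nolog in rules:
        port_set = ", ".join(str(p) for p in ports)
        log = "" if nolog else f'log prefix "FW-NEW-{src}-{dst} " '
        out.append(
            f'    iifname "{ZONES[src]}" oifname "{ZONES[dst]}" '
            f"{proto} dport {{ {port_set} }} ct state new {log}accept"
        )
    # everything else is dropped by policy; log it so blocked attempts are visible
    out.append('    log prefix "FW-DROP " drop')
    out.extend(["  }", "}"])
    return "\n".join(out)


def expand(text, **kwargs):
    """Parse the shorthand and render it; kwargs are passed to render()."""
    return render(parse(text), **kwargs)


if __name__ == "__main__":
    print(expand(SHORTHAND))
```

Because only the first packet of each flow (`ct state new`) is logged, the accepted-connection record a breach investigation needs (who talked to whom, on which port, when) survives, while the per-packet established/related noise that was costing the CPU is never generated in the first place; the `invalid` log keeps a rate-limited trace of scans and broken paths without re-creating that cost.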