I’m migrating my firewall to the new format.
Is there any way to get logging enabled for the default-action on input/forward/output chains?
I have a default-action drop, and then have jump rules to custom chains to handle accepts. But when I'm troubleshooting what I expect to be an open connection that turns out to be blocked, it would be helpful to see the logs and see what it is blocking, with the details.
I can enable-default-log on my custom chains, but those are mostly accepts. My drop is at the “native” chain and that’s what I need to log.
Yeah. During the firewall rewriting, default-action in base chains (input/forward/output) was moved to actually use
policy [drop|accept] while defining the chain, rather than adding a custom rule at the end of the chain.
We may need to revert this in order to be able to log when default action is hit.
Should be possible to just add custom policies “drop-log” and “accept-log” which would do this, like adding a last rule that logs, and then the default action becomes drop/accept.
this is a good suggestion
Where do the logs show up, locally and remote?
Just “show log firewall” and by default dumped to remote server if syslog is enabled?
Didn’t check it, but firewall logs are generated by kernel.
Then in syslog you can choose facility and log levels for remote syslog:
vyos@default-log# set system syslog host x.x.x.x facility
> all All facilities excluding "mark"
> auth Authentication and authorization
> authpriv Non-system authorization
> cron Cron daemon
> daemon System daemons
> kern Kernel
> lpr Line printer spooler
> mail Mail subsystem
> mark Timestamp
> news USENET subsystem
> syslog Authentication and authorization
> user Application processes
> uucp UUCP subsystem
> local0 Local facility 0
> local1 Local facility 1
> local2 Local facility 2
> local3 Local facility 3
> local4 Local facility 4
> local5 Local facility 5
> local6 Local facility 6
> local7 Local facility 7
vyos@default-log# set system syslog host x.x.x.x facility kern level
emerg Emergency messages
alert Urgent messages
crit Critical messages
err Error messages (default)
warning Warning messages
notice Messages for further investigation
info Informational messages
debug Debug messages
all Log everything
Then, you can choose log level in firewall rules:
vyos@default-log# set firewall ipv4 forward filter rule 10 log-options level
emerg Emerg log level
alert Alert log level
crit Critical log level
err Error log level
warn Warning log level
notice Notice log level
info Info log level
debug Debug log level
And yeah, log for default action so far has no options for log level
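Two things the thread touches on are easy to get wrong in practice: pulling the SRC/DST/PROTO/port details out of the netfilter log lines that `show log firewall` displays, and the fact that the `level` on a `set system syslog host ... facility kern level <L>` entry is a threshold (that severity and anything more severe), so a rule logged with `log-options level debug` never reaches a remote host configured with `level info`. The following is an added example, not VyOS code and not from any post above. It assumes the `[ipv4-FWD-filter-10-D]` prefix layout (family-chain-rule-action) and the sample log lines are constructed for the example.

```python
"""Parse VyOS firewall log lines from the kernel log and check syslog level filters.

Added example; not VyOS code. The "[family-chain-rule-action]" prefix layout and
the sample lines are assumptions for illustration, not taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 5424 severities, most severe first; the numeric severity is the list index.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# The firewall CLI says "warn" where the syslog CLI says "warning".
SEVERITY_ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
# RFC 5424 facility codes; firewall logs come from the kernel, so facility "kern".
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10,
              **{f"local{i}": 16 + i for i in range(8)}}


def severity(name: str) -> int:
    return SEVERITIES.index(SEVERITY_ALIASES.get(name, name))


def syslog_pri(facility: str, level: str) -> int:
    """PRI value as sent to a remote syslog host: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + severity(level)


def passes_host_filter(rule_level: str, host_level: str) -> bool:
    """True if a message logged at rule_level is forwarded by a remote-host entry
    configured with `level host_level`: that severity or anything more severe.
    'all' on the host side forwards everything."""
    if host_level == "all":
        return True
    return severity(rule_level) <= severity(host_level)


# A prefix is letters, digits, '-' and '_' only, so a "[  123.456]" kernel
# timestamp can never match.
PREFIX_RE = re.compile(r"\[([A-Za-z0-9_-]+)\]")
# Netfilter emits KEY=value pairs; bare flags such as DF or SYN carry no '='
# and are skipped. A repeated key (LEN for IP and then UDP) keeps the last value.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


@dataclass
class FwLogEntry:
    family: str   # ipv4 / ipv6
    chain: str    # e.g. FWD-filter; may itself contain dashes
    rule: str     # rule number as text
    action: str   # assumed: D = drop, A = accept, R = reject
    fields: dict  # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...


def parse_line(line: str) -> Optional[FwLogEntry]:
    """FwLogEntry for a firewall log line, None for any other kernel line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    parts = m.group(1).split("-")
    if len(parts) < 4:  # not the assumed family-chain-rule-action layout
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    return FwLogEntry(parts[0], "-".join(parts[1:-2]), parts[-2], parts[-1], fields)


def summarize(e: FwLogEntry) -> str:
    f = e.fields
    ports = f"{f.get('SPT', '-')}->{f.get('DPT', '-')}" if "DPT" in f else ""
    return (f"{e.family} {e.chain} rule {e.rule} {e.action}: "
            f"{f.get('IN', '')}=>{f.get('OUT', '')} {f.get('PROTO', '?')} "
            f"{f.get('SRC')}->{f.get('DST')} {ports}").rstrip()


def dropped(lines) -> list:
    """One summary per line whose action is D (drop), in log order."""
    return [summarize(e) for e in map(parse_line, lines) if e and e.action == "D"]


# Constructed sample lines in the shape netfilter logging produces; not real captures.
SAMPLE_LINES = [
    "Jan  1 00:00:01 vyos kernel: [ipv4-FWD-filter-10-D]IN=eth0 OUT=eth1 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=51234 DPT=443 "
    "WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jan  1 00:00:02 vyos kernel: [ipv4-INP-filter-20-A]IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0",
    "Jan  1 00:00:03 vyos kernel: [ipv4-INP-filter-30-D]IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.1 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=UDP SPT=53 DPT=33434 LEN=20",
    "Jan  1 00:00:04 vyos kernel: [  123.456789] eth0: link becomes ready",
]

if __name__ == "__main__":
    for line in dropped(SAMPLE_LINES):
        print(line)
    print("debug-level rule reaches an info-level host:", passes_host_filter("debug", "info"))
```

Feeding the real output of `show log firewall` to `dropped()` gives the blocked flows with interfaces, addresses and ports in one line each; `passes_host_filter` is the check to run before assuming a rule's `log-options level` will ever appear on the remote syslog host.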
Good to know that one can have the printer connected to the VyOS box being logged
> lpr Line printer spooler