Enable-default-log on input/forward/output chains

I’m migrating my firewall to the new format.

Is there any way to get logging enabled for the default-action on input/forward/output chains?

I have a default-action drop, and then have jump rules to custom chains to handle accepts. But when troubleshooting what I expect to be an open connection that is instead blocked, it would be helpful to see the logs and see what it is blocking with the details.

I can enable-default-log on my custom chains, but those are mostly accepts. My drop is at the “native” chain and that’s what I need to log.

Yeah. During the firewall rewriting, default-action in base chains (input/forward/output) was moved to actually use policy [drop|accept] while defining the chain, rather than adding a custom rule at the end of the chain.
We may need to revert this in order to be able to log when the default action is hit.

Should be possible to just add custom policy “drop-log” and “accept-log” which would do this like adding a last rule of logging and then the default action becomes drop/accept.


This is a good suggestion.

Task: ⚓ T5637 Firewall default-action log
PR: T5637: add new rule at the end of base chains for default-actions and log capabilities by nicolas-fort · Pull Request #2344 · vyos/vyos-1x · GitHub

Where do the logs show up, locally and remotely?

Just “show log firewall” and by default dumped to remote server if syslog is enabled?

Didn’t check it, but firewall logs are generated by kernel.
Then in syslog you can choose facility and log levels for remote syslog:

vyos@default-log# set system syslog host x.x.x.x facility 
Possible completions:
 > all                  All facilities excluding "mark"
 > auth                 Authentication and authorization
 > authpriv             Non-system authorization
 > cron                 Cron daemon
 > daemon               System daemons
 > kern                 Kernel
 > lpr                  Line printer spooler
 > mail                 Mail subsystem
 > mark                 Timestamp
 > news                 USENET subsystem
 > syslog               Authentication and authorization
 > user                 Application processes
 > uucp                 UUCP subsystem
 > local0               Local facility 0
 > local1               Local facility 1
 > local2               Local facility 2
 > local3               Local facility 3
 > local4               Local facility 4
 > local5               Local facility 5
 > local6               Local facility 6
 > local7               Local facility 7
 >                      
[edit]
vyos@default-log# set system syslog host x.x.x.x facility kern level 
Possible completions:
   emerg                Emergency messages
   alert                Urgent messages
   crit                 Critical messages
   err                  Error messages (default)
   warning              Warning messages
   notice               Messages for further investigation
   info                 Informational messages
   debug                Debug messages
   all                  Log everything
[edit]
vyos@default-log#

Then, you can choose log level in firewall rules:

vyos@default-log# set firewall ipv4 forward filter rule 10 log-options level 
Possible completions:
   emerg                Emerg log level
   alert                Alert log level
   crit                 Critical log level
   err                  Error log level
   warn                 Warning log level
   notice               Notice log level
   info                 Info log level
   debug                Debug log level
[edit]
vyos@default-log#

And yeah, log for default action so far has no options for log level.
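Since the firewall log lines come from the kernel and end up in "show log firewall" (or on the remote syslog host under facility kern), a small parser that pulls the chain, rule and verdict out of the log prefix and tallies what the base-chain default drop is discarding is the kind of triage tool the original question asks for. This is an added example, not code from the thread or from VyOS; the sample lines are constructed, and the "[family-chain-table-rule-verdict]" prefix layout is an assumption about what the default-action log rule emits, so adjust `parse_line` if your box prints a different prefix.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Linux netfilter "log prefix" messages.
# The exact prefix text is an assumption, not taken from the thread or from VyOS.
SAMPLE_LOG = """\
Jan 10 12:00:01 vyos kernel: [ipv4-FWD-filter-default-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 TTL=63 DF PROTO=TCP SPT=51515 DPT=443 SYN URGP=0
Jan 10 12:00:02 vyos kernel: [ipv4-FWD-filter-10-A]IN=eth1 OUT=eth0 SRC=198.51.100.20 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=443 DPT=51516 ACK
Jan 10 12:00:03 vyos kernel: [ipv4-IN-filter-default-D]IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.1 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 10 12:00:04 vyos kernel: [ipv4-FWD-filter-default-D]IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.20 LEN=60 PROTO=UDP SPT=5353 DPT=53
"""

PREFIX_RE = re.compile(r"\[(?P<prefix>[^\]]+)\](?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags like SYN/DF are skipped


def parse_line(line):
    """Return netfilter KEY=value fields plus chain/rule/action parsed from the
    bracketed prefix, or None when the line carries no firewall prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("fields")))
    # Assumed prefix layout: family-chain-table-rule-verdict, e.g. ipv4-FWD-filter-default-D
    parts = m.group("prefix").split("-")
    if len(parts) >= 5:
        rec["chain"] = "-".join(parts[:3])
        rec["rule"] = parts[3]
        rec["action"] = parts[4]
    return rec


def drops_by_default_action(log_text):
    """Count flows (chain, SRC, DST, PROTO, DPT) that hit a base-chain default drop,
    which is exactly the traffic the original poster wants to see when a
    connection they expected to be open is being blocked."""
    hits = Counter()
    for line in log_text.splitlines():
        r = parse_line(line)
        if r and r.get("rule") == "default" and r.get("action") == "D":
            key = (r["chain"], r["SRC"], r["DST"], r["PROTO"], r.get("DPT", "-"))
            hits[key] += 1
    return hits


if __name__ == "__main__":
    for flow, count in drops_by_default_action(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {flow[0]:<18} {flow[3]:<5} {flow[1]} -> {flow[2]}:{flow[4]}")
```

Feed it the output of "show log firewall" (or the kern-facility lines on your syslog host) instead of `SAMPLE_LOG` to get a per-flow summary of default-drop hits.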

Good to know that one can have the printer connected to the VyOS box being logged :wink:

 > lpr                  Line printer spooler