Re: Simple IPTABLES Question

On Tue, August 19, 2008 19:04, Kenneth Porter wrote:
> --On Tuesday, August 19, 2008 10:15 AM -0500 David Dyer-Bennet
> <dd-b@xxxxxxxx> wrote:
>
>> That's the right general approach; duplicate the drop rule but with a
>> LOG target and appropriate logging parameters.
>
> Another approach is to create a subchain that just logs and drops (no
> match rules), and in your main chain you match on the desired packet and
> jump to the subchain. That eliminates the need to maintain the same match
> in two places, and reduces the number of rules a non-dropped packet has to
> pass through.

Or any arbitrary number of pairs of places, in fact; you can jump to that
log-and-drop rule from a dozen different places if you have a dozen things
you want logged-and-dropped.  (It does mean you're not putting cause info
into each log entry to use it that way, though; still, you can usually
figure out from the packet why you dropped it.)

I've been known to put a log entry at the end of my chain, with suitable
rate-limiting parameters, and actually log every spurious packet hitting
my system.  The rate-limiting parameters are important :-).
-- 
David Dyer-Bennet, dd-b@xxxxxxxx; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
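An added example, not from either poster, putting both ideas of the thread into one generated rule set: a LOGDROP subchain with no match rules (LOG, then DROP), several jumps into it from INPUT, and a rate-limited catch-all LOG at the end of INPUT. The functions only print the iptables commands so the rule set can be reviewed before being applied as root; the chain name, log prefixes, limits and the sample match expressions are assumptions.

```shell
#!/bin/sh
# Generate (not apply) an iptables rule set with a shared log-and-drop
# subchain. Pipe the output to sh as root to load it; run as-is to review.
# Chain name, prefixes, rate limits and sample matches are assumptions.

IPT=${IPT:-iptables}

# The subchain Kenneth describes: no match rules at all, just LOG then DROP.
# The limit sits on the LOG rule only, so packets over the limit still fall
# through to DROP instead of being let in.
logdrop_chain() {
    chain=$1; prefix=$2
    printf '%s -N %s\n' "$IPT" "$chain"
    printf '%s -A %s -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s" --log-level 4\n' \
        "$IPT" "$chain" "$prefix"
    printf '%s -A %s -j DROP\n' "$IPT" "$chain"
}

# Rules for traffic we want: these come first so a normal packet is accepted
# before it ever reaches the logging jumps or the catch-all.
accept_rules() {
    printf '%s -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$IPT"
}

# One jump per match expression: each match is written exactly once, and the
# LOG/DROP pair lives only in the subchain.
jump_rules() {
    chain=$1; shift
    for m in "$@"; do
        printf '%s -A INPUT %s -j %s\n' "$IPT" "$m" "$chain"
    done
}

# David's end-of-chain log of everything spurious, rate-limited so a flood
# cannot fill the log; the chain policy then drops whatever remains.
catchall() {
    printf '%s -A INPUT -m limit --limit 2/min --limit-burst 5 -j LOG --log-prefix "INPUT-DROP: "\n' "$IPT"
    printf '%s -P INPUT DROP\n' "$IPT"
}

# Assemble the whole rule set in the order it must be loaded.
ruleset() {
    logdrop_chain LOGDROP "LOGDROP: "
    accept_rules
    jump_rules LOGDROP "-m conntrack --ctstate INVALID" "-p tcp --dport 23"
    catchall
}

ruleset
```

Because the subchain is the only place a LOG or DROP target appears, adding a new class of unwanted traffic is a single `-j LOGDROP` rule, and the kernel log prefix tells you which chain handled the packet; the packet fields in the log entry usually make the reason clear.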

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
