On Sun, 2003-10-12 at 10:00, Ted Kaczmarek wrote:
> I have seen many setups where the default CHAIN Policy is to accept
> packets by default versus dropping them.
> From my perspective a firewall should implicitly deny everything, hence
> INPUT and FORWARD should be DROP.
> Then rules are put in to allow what you want.
> But, one seems to lose some logging capabilities with such a setup.
> Is there a way to log the default INPUT and FORWARD policies for dropped
> packets with them set to DROP as opposed to having them set to ACCEPT
> and putting in logs for any deny rules?

Yep, just make a log rule last in the chain...

iptables -A FORWARD -j LOG --log-level 7 --log-prefix "FWDDROP:"

for instance. Just remember that any rules added after this cannot simply be "-A", or they'll be appended after the log rule. They'll still work properly, but the packets they accept would be logged as having been dropped.

j
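The default-DROP layout described in the reply, as an added example that is not from the original thread: a POSIX shell script that generates an iptables-restore ruleset with the LOG rule last in INPUT and FORWARD, inserts new allow rules ahead of the LOG rule (the "-I rather than -A" point above), and checks that nothing has been appended behind it. The "INDROP:" prefix, the state-match rules and the port numbers are assumed values, and the script only writes text; nothing is loaded into the kernel.

```shell
#!/bin/sh
# Constructed example: build a filter-table ruleset in iptables-restore format
# with default DROP policies on INPUT/FORWARD and a trailing LOG rule in each,
# so every packet that falls through to the policy is logged before it is dropped.
LOG_INPUT='-A INPUT -j LOG --log-level 7 --log-prefix "INDROP:"'
LOG_FORWARD='-A FORWARD -j LOG --log-level 7 --log-prefix "FWDDROP:"'

# Base ruleset (assumed allow rules): loopback and established traffic accepted,
# LOG rule last in INPUT and FORWARD. Load with "iptables-restore < file".
base_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$LOG_INPUT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$LOG_FORWARD
COMMIT
EOF
}

# add_rule CHAIN 'rule args': insert the rule just before CHAIN's trailing LOG
# rule, the equivalent of "iptables -I CHAIN <n>" instead of "iptables -A CHAIN".
# Reads the ruleset on stdin and writes the updated ruleset on stdout.
add_rule() {
    awk -v chain="$1" -v rule="$2" '
        $1 == "-A" && $2 == chain && $0 ~ /-j LOG/ { print "-A " chain " " rule }
        { print }'
}

# rule_position CHAIN 'pattern': 1-based index of the first rule in CHAIN whose
# text contains pattern (the number "iptables -L --line-numbers" would show); 0 if absent.
rule_position() {
    awk -v chain="$1" -v pat="$2" '
        $1 == "-A" && $2 == chain { n++; if (index($0, pat) && !found) found = n }
        END { print found + 0 }'
}

# log_is_last CHAIN: exit 0 only if CHAIN's final rule is the LOG rule, i.e. no
# rule was appended behind it with "-A". Run this before loading a ruleset.
log_is_last() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain { last = $0 }
        END { exit (last ~ /-j LOG/) ? 0 : 1 }'
}
```

Accept rules that land behind the LOG rule still accept their packets, but every one of those packets first produces an "INDROP:" or "FWDDROP:" log line, which is exactly the misleading record the reply warns about.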