I may be a little late chiming in on this, but personally my rules use a 'BAD' chain. That chain ends with the LOG and DROP just like a normal appended chain. The difference is, I can explicitly deny things by sending them to -j BAD. I do the same with -j GOOD, and then run sanity checks against the packet, sending some stuff to BAD before it actually hits the ACCEPT.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Cedric Blancher
Sent: Sunday, October 12, 2003 10:12 AM
To: tedkaz@xxxxxxxxxxxxx
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Re: Chain Policy DROP versus ACCEPT and logging

On Sun 12/10/2003 at 16:00, Ted Kaczmarek wrote:
> Is there a way to log the default INPUT and FORWARD policies for dropped
> packets with them set to DROP as opposed to having them set to ACCEPT
> and putting in logs for any deny rules.

Logging in Netfilter does not behave as it used to with ipchains. You cannot log and drop within the same rule. Suppose you want to log and drop all UDP traffic:

iptables -A INPUT -p udp -j LOG --log-prefix "UDP dropped : "
iptables -A INPUT -p udp -j DROP

LOG is a target (a non-terminating one). This said, if you want to log packets that hit the chain policy, then you have to put a logging rule at the very end of the chain:

iptables -A INPUT -j LOG --log-prefix "INPUT chain policy drop : "

And you're done.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
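The BAD/GOOD chain pattern and the trailing policy-log rule from this thread, written out as an iptables-restore(8) ruleset. This is an added example, not code posted by anyone in the thread. The interface name (eth1), the LAN subnet, the choice of SSH as the only accepted new service, the use of the conntrack match, and the `-m limit` rate limiting on the LOG rules are all assumptions made here; the thread itself does not rate-limit its log rules, but without a limit a scan will flood the kernel log.

```shell
#!/bin/sh
# Added example of the BAD / GOOD chain pattern (not code from the thread).
# Emits iptables-restore(8) syntax so the ruleset can be reviewed before loading:
#   sh chains.sh --print | iptables-restore
# Assumptions: LAN on eth1 with 192.168.1.0/24, only SSH accepts NEW connections.
LAN_IF="eth1"
LAN_NET="192.168.1.0/24"

build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BAD - [0:0]
:GOOD - [0:0]
# BAD: LOG is non-terminating, so a separate DROP must follow it.
# The limit match is an assumption here; it keeps a port scan from flooding syslog.
-A BAD -m limit --limit 5/min -j LOG --log-prefix "BAD: "
-A BAD -j DROP
# GOOD: sanity checks run before the packet reaches ACCEPT.
# Anything that fails a check is handed to BAD, so it is logged and dropped.
-A GOOD -m conntrack --ctstate INVALID -j BAD
-A GOOD -i $LAN_IF ! -s $LAN_NET -j BAD
-A GOOD -j ACCEPT
# INPUT: explicit denies jump to BAD, candidates for acceptance jump to GOOD.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -j BAD
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j GOOD
# Last rule of each DROP-policy chain: whatever reaches it is about to hit
# the policy, so log it here, as the thread describes.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT policy drop: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD policy drop: "
COMMIT
EOF
}

# Static check on the generated ruleset: print the -j target of the last rule
# appended to a chain. For BAD that must be DROP (LOG alone drops nothing);
# for INPUT and FORWARD it must be LOG (the policy-drop logger is last).
last_rule_target() {
    build_rules | awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            for (i = 3; i <= NF; i++) if ($i == "-j") t = $(i + 1)
        }
        END { print t }'
}

case "${1:-}" in
    --print) build_rules ;;
esac
```

Lines starting with `#` are ignored by iptables-restore, so the commentary can stay in the file that is loaded. The `last_rule_target` check is the one thing worth automating with this pattern: the most common mistake is a chain whose last rule is a LOG with no DROP after it, which logs the packet and then silently lets it fall through to the policy or, in a user chain, back to the caller.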