Block rule logged as FORWARDFW

I have a drop rule for a single PC from green to red (internet). All attemps from this PC to the internet will logged in the firewall logs as “FORWARDFW”. Why? In my mind it should be logged as “DROP”.

The Linux firewall operates through a set of rules that inspect network packets to determine their fate. Generally, there are three primary actions: “Drop,” “Reject,” and “Accept.” If a packet doesn’t match a rule, it moves to the next one in the sequence. These rules are organized into chains, which are processed sequentially. Chains, in turn, are grouped into tables based on specific functions.

FORWARDFW is a chain, while drop is the action.

If you go in Firewall/iptables and in the first drop down menu you select and update the chain FORWARDFW you should see the rule, source, destination, target action, and the number of packets that have been inspected by that rule.


And why is the action not logged?

This is just my hypothesis, as I am not an expert at all. If the logging mechanism were designed to log the action for every rule, the logs could quickly become voluminous and cluttered, especially for the commonly used ACCEPT action.

1 Like