Adding a “Rule Name” and also “Rule Number” to the log - HowTo & Proposal:
It has been a while since, and I’m still wondering how you get through your ipfire logs, without a rule name or even having the rule number in the log.
Being not so routinized in reading the logs, I often have to search for the fw-rule which is being hit.
I have therefore enhanced the idea from April 23 a little bit and inserted the following in rules.pl:
This will form a string with the type of the rule target (BLOCK, ALLOW or REJECT), the actual rule number and the first 5 chars of the rule description.
So it’s possible to use this additional $ruleinfo in the iptables --logprefix
e.g.:
In theory yes, but the ID of the rule is not the same as the shown number. If you delete a rule in the middle, the numbers of the rules after the deleted rule will change.
And so there would even be some inconsistency in the logs. I like the idea, but I don’t think the numbers would be fool-proof.
I think instead we could use a unique rule name which can be entered by the user and/or a UUID, but the log-prefix of iptables is limited to 29 chars or something
Thanks Michael for the reply - yes, you’re absolutely right, the number (counting order) is not “persistent” (if the order of the fw-rules changes).
Perhaps you have better ideas for such an achievement - if the rules are not changing too often, it’s nevertheless quite handy. Also with adding the first few chars of the comment - I made some systematics for VOIP, CLOUD etc. - it’s easier to read in the logs what kind of rule gets hit.
Can you leverage firewall comments -m comment --comment "some comment here"? They don’t get logged, so I am not sure it would help but you get up to 256 characters to play with.
Thanks Nick - for me it’s totally fine to have the (actual) order number and the first 5 chars from the comment of the rule in the logging… nothing more needed.
I think @ezyz just thought further about using GUIDs in logging, which would be much longer and therefore exceed the --logprefix of iptables.
I just made the proposal/idea to implement something by default, “some better way” to recognize the hit rules in the log.
(Since I’m just randomly looking into the logs, I’m not so used to the rules etc. and it’s sometimes difficult to get the root cause of blockings - therefore the patch)
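The prefix layout proposed in this thread (rule target, rule number, first 5 chars of the description), the 29-character cap that iptables enforces on --log-prefix, and the idea of keeping the full text on the rule via -m comment, shown together as an added shell example. This is not code from the thread or from IPFire's rules.pl; the exact "TYPE:NUMBER:TAG" layout, the function names, the chain name and the sample log line are my own assumptions/constructed values.

```shell
#!/bin/sh
# Added example, not IPFire code: build the proposed log prefix, keep it within
# the iptables --log-prefix limit, emit the matching rule, and parse the prefix
# back out of a kernel LOG line. Layout "TYPE:NUMBER:TAG" is an assumption.

MAX_PREFIX_LEN=29   # iptables LOG target accepts at most 29 characters

# fw_log_prefix TYPE NUMBER DESCRIPTION -> "TYPE:NUMBER:<first 5 chars>"
# Note (from the thread): NUMBER is the current position in the rule list, so
# it shifts whenever a rule above it is deleted; treat it as a hint, not a key.
fw_log_prefix() {
    type=$1; num=$2; desc=$3
    short=$(printf '%.5s' "$desc")          # first five chars of the comment
    prefix="${type}:${num}:${short}"
    printf "%.${MAX_PREFIX_LEN}s" "$prefix" # hard cap, never exceed 29 chars
}

# fw_log_rule CHAIN TYPE NUMBER DESCRIPTION -> prints (does not run) the
# iptables LOG rule; the full description rides along in -m comment, which
# is visible in iptables -L but never appears in the kernel log.
fw_log_rule() {
    chain=$1; type=$2; num=$3; desc=$4
    prefix=$(fw_log_prefix "$type" "$num" "$desc")
    printf 'iptables -A %s -m comment --comment "%s" -j LOG --log-prefix "%s "\n' \
        "$chain" "$desc" "$prefix"
}

# fw_parse_log LINE -> "TYPE NUMBER TAG SRC DST" extracted from a kernel line
fw_parse_log() {
    line=$1
    prefix=$(printf '%s\n' "$line" | sed -n 's/.*kernel: \([^ ]*\) IN=.*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's/.*SRC=\([^ ]*\).*/\1/p')
    dst=$(printf '%s\n' "$line" | sed -n 's/.*DST=\([^ ]*\).*/\1/p')
    type=${prefix%%:*}
    rest=${prefix#*:}
    num=${rest%%:*}
    tag=${rest#*:}
    printf '%s %s %s %s %s\n' "$type" "$num" "$tag" "$src" "$dst"
}

# Constructed sample kernel log line (not a real capture), in the shape the
# LOG target produces when the rule above fires.
SAMPLE_LINE='Jan  1 12:00:00 ipfire kernel: BLOCK:12:CLOUD IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=44321 DPT=5060 WINDOW=65535 RES=0x00 SYN URGP=0'

# Stand-alone demo
fw_log_rule FORWARD BLOCK 12 "CLOUD backup sync to provider"
fw_parse_log "$SAMPLE_LINE"
```

Run it as `sh example.sh`: the first line printed is the iptables command you would feed to the rule builder (with the prefix already trimmed to the 29-char limit), the second is the "BLOCK 12 CLOUD 203.0.113.5 192.0.2.10" summary recovered from the sample log line, which is the lookup the thread wants to avoid doing by hand.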