As I am getting more and more into IPFire, I just have a small question about the firewall diagram in the network tab, as seen in the following picture:
Is the violet data (FORWARD) the summary of the complete hits on the FORWARD chain in the firewall (including REJECT_FORWARD/DROP_FORWARD), or just the packets actually forwarded through the whole chain (so just FORWARDFW)?
I know it's a very basic question, and I suspect it to be the complete hits (including rejects), but because I couldn't find a satisfying answer I wanted to ask directly.
As the header says, these are the hits in the firewall (drops/rejects).
Sorry for being a bit picky here, but for the sake of completeness, it has to be mentioned that IPFire 2.x currently rate-limits log messages for rejected or dropped packets to 10 per second per firewall category (snippet taken from the output of iptables -L -n -v):
Chain POLICYFWD (1 references)
pkts bytes target prot opt in out source destination
236 15504 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
236 15504 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_FORWARD */
Depending on how many firewall hits you get per second, those numbers might not tell the whole truth. This is because an attacker might induce a DoS on the local filesystem by sending many, many packets that are subsequently dropped/rejected and logged.
In IPFire 3.x, there will be a better solution to this problem. Unfortunately, we are far from there yet.
No matter, I just thought about adding this circumstance, in case @imbio starts wondering why there is a delta between the number of packets dropped on the interface and the number displayed in the firewall log CGI.
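The rate-limited LOG rule quoted above is exactly why the firewall log CGI can show fewer entries than the DROP counter on the interface: the LOG rule's pkts counter only counts packets that passed the `limit` match, while the DROP rule right after it counts every packet. As an added example (not code from this thread and not part of IPFire), the Python script below pairs each LOG rule with the terminating DROP/REJECT rule that follows it in `iptables -L -n -v` output and reports the unlogged delta per chain, and then models the `limit: avg 10/sec burst 5` match as a simple integer token bucket to show how many packets of a flood would actually reach the log. The chain listing is constructed: POLICYFWD mirrors the snippet above, and the POLICYIN counters are invented so that the rate limit has visibly kicked in. The token bucket is a simplified model (the real xt_limit match works in kernel jiffies; this one counts milliseconds), not the kernel's code.

```python
"""Compare LOG vs DROP/REJECT counters in `iptables -L -n -v` output and
model the `-m limit` token bucket that causes them to diverge."""
import re
from dataclasses import dataclass

# Constructed sample output (assumption: POLICYFWD copied from the thread,
# POLICYIN numbers invented to show the rate limit having kicked in).
SAMPLE = """\
Chain POLICYFWD (1 references)
 pkts bytes target     prot opt in     out     source               destination
  236 15504 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_FORWARD "
  236 15504 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_FORWARD */

Chain POLICYIN (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1200 72000 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_INPUT "
 9876 592560 DROP      all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* DROP_INPUT */
"""

# A rule line starts with the pkts and bytes counters followed by the target.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
PREFIX_RE = re.compile(r'prefix "([^"]*)"')


@dataclass
class Pairing:
    chain: str
    prefix: str   # log prefix, i.e. the firewall category shown in the log CGI
    logged: int   # packets that passed the limit match and were logged
    dropped: int  # packets hitting the terminating DROP/REJECT rule

    @property
    def unlogged(self) -> int:
        """Drops that never produced a log line because of the rate limit."""
        return self.dropped - self.logged


def pair_log_with_drop(text: str) -> list:
    """Walk the chain listing and pair every LOG rule with the next
    DROP/REJECT rule in the same chain."""
    chain, pending, pairs = None, None, []
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain, pending = line.split()[1], None
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # header, blank or unrelated line
        pkts, target, rest = int(m.group(1)), m.group(3), m.group(4)
        if target == "LOG":
            pm = PREFIX_RE.search(rest)
            pending = (pm.group(1).strip() if pm else "", pkts)
        elif target in ("DROP", "REJECT") and pending is not None:
            pairs.append(Pairing(chain, pending[0], pending[1], pkts))
            pending = None
    return pairs


def limit_match(times_ms: list, avg_per_sec: int = 10, burst: int = 5) -> list:
    """Simplified token-bucket model of `-m limit --limit avg/sec
    --limit-burst burst`: returns, per packet (timestamps in ms, sorted),
    whether the LOG rule would have matched. Credit is measured in ms of
    bucket time so the arithmetic stays integer (assumption: the kernel
    uses jiffies instead, but the behaviour is the same in shape)."""
    cost = 1000 // avg_per_sec      # credit one logged packet consumes
    cap = cost * burst              # bucket size: `burst` packets at once
    credit = cap
    last = times_ms[0] if times_ms else 0
    matched = []
    for t in times_ms:
        credit = min(cap, credit + (t - last))   # refill since last packet
        last = t
        if credit >= cost:
            credit -= cost
            matched.append(True)
        else:
            matched.append(False)
    return matched


if __name__ == "__main__":
    for p in pair_log_with_drop(SAMPLE):
        print(f"{p.chain:<10} {p.prefix:<13} logged={p.logged:>5} "
              f"dropped={p.dropped:>5} unlogged={p.unlogged}")
    flood = list(range(0, 1000, 1))            # 1000 dropped packets in 1 s
    print("logged during a 1000 pkt/s flood:", sum(limit_match(flood)))
```

Running it against the constructed listing shows POLICYFWD with no delta (236 logged, 236 dropped, so the limit never triggered during that sample) and POLICYIN with 8676 drops that never made it into the log. The flood simulation shows the other half of the picture: of 1000 packets dropped within one second, only the 5-packet burst plus 1 packet per 100 ms reach the log, so roughly 14 log lines per second per category is the ceiling no matter how hard the interface is hammered, which is the delta the post above warns about.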