On 15.06.05 14:23 -0400, Don Munyak wrote:
> 1.2b8 new feature...
> "only log the first passed packet, and not every packet in the same
> session"
>
> Does this make it somewhat impossible to determine if an attack is
> underway?

No. Blocked packets are still all logged of course, since they don't
create an entry in the state table. Starting with 1.2b8 however, for
each connection only the first *passed* packet that creates a state
table entry is logged, since the other packets that belong to the
same connection only fill the log with meaningless entries.
All this only makes a difference if you have one or more pass rules
with logging enabled anyway (since the default is to log only blocked
packets).
- Manuel