Hi Manuel!
The feature has an unfortunate side-effect for me.
I have used "Pass" rules to log all traffic on my LAN - and used it for
IP-accounting with Wallwatcher.
So basically the new feature "breaks" my traffic accounting, since only the
first packet in a stream of "approved" traffic is logged.
Would it be possible to make the logging feature optional in the next
version?
/Martin

On 15.06.05 14:23 -0400, Don Munyak wrote:
> 1.2b8 new feature...
> "only log the first passed packet, and not every packet in the same
> session"
>
> Does this make it somewhat impossible to determine if an attack is
> underway?
No. Blocked packets are still all logged of course, since they don't
create an entry in the state table. Starting with 1.2b8 however, for
each connection only the first *passed* packet that creates a state
table entry is logged, since the other packets that belong to the
same connection only fill the log with meaningless entries.
All this only makes a difference if you have one or more pass rules
with logging enabled anyway (since the default is to log only blocked
packets).
- Manuel