The feature has an unfortunate side-effect for me.
I have used "Pass" rules to log all traffic on my LAN - and used it for
IP-accounting with Wallwatcher.
So basically the new feature "breaks" my traffic accounting, since only the
first packet in a stream of "approved" traffic is logged.
Would it be possible to make the logging feature optional in the next
On 15.06.05 14:23 -0400, Don Munyak wrote:
> 1.2b8 new feature...
> "only log the first passed packet, and not every packet in the same
> Does this make it somewhat impossible to determine if an attack is
> underway ?
No. Blocked packets are still all logged of course, since they don't
create an entry in the state table. Starting with 1.2b8 however, for
each connection only the first *passed* packet that creates a state
table entry is logged, since the other packets that belong to the
same connection only fill the log with meaningless entries.
All this only makes a difference if you have one or more pass rules
with logging enabled anyway (since the default is to log only blocked