On 19.01.2004, at 20:55, Brett J. Carpenter wrote:
> Thanks to all for replying,
> Your suggestion is good for the interim and I had considered doing this but it
> seems that this might be a bug and I wanted to help make the system as
> straightforward to operate as possible. I would agree that showing the default
> block rule would be good for new users. However if a rule has logging off and it
> is still logged this would seem to be counterintuitive.
You've got a point there. I changed the behavior for next release,
here's the preliminary change log entry:
- renamed "Log blocked packets by default" option on System logs:
Settings page to "Log packets blocked by the default rule" and changed
its behavior: it only controls whether packets that got blocked by an
automatically generated rule (usually the default-to-block rule in
absence of a matching pass rule) are logged. Logging of packets that
are blocked by user-defined block rules is now no longer affected and
only controlled by the per-rule log option. Logging for pass rules
remains unchanged.
For those who care - this means that we don't use "ipf -l block"
anymore, but instead affix the "log" keyword to all automatically
generated block rules if that option is set. Now all that's still
bugging me about ipmon logging is that if you add "log" to a pass rule,
then not only does the initial packet of a new connection that hits
your rule get logged, but all further packets that hit the corresponding
state table entry as well, creating huge amounts of log entries. "ipmon
-o I" doesn't seem to help either. Too bad.
Satisfied?
- Manuel
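The following is an added illustration, not m0n0wall's own code, of the logging change Manuel describes: the per-rule log option and the global "Log packets blocked by the default rule" option are combined into IPFilter rule text, with "log" affixed to the automatically generated default block rule only when the global option is on, and a second function compares the old "ipf -l block" behaviour with the new one for the case Brett raised (user block rule with logging off). The UserRule fields, the rule layout and the interface name "fxp0" are assumptions made for the example; only the ipf keyword order is real ipf syntax.

```python
# Added illustration, not m0n0wall's own code. UserRule fields, the rule layout
# and the interface name "fxp0" are assumptions for this example.
from dataclasses import dataclass
from typing import List


@dataclass
class UserRule:
    action: str            # "pass" or "block"
    interface: str
    proto: str
    src: str
    dst: str
    log: bool = False      # the per-rule log option


def render_rule(action: str, log: bool, rest: List[str]) -> str:
    """Render one ipf rule; in ipf grammar 'log' follows the direction keyword."""
    words = [action, "in"]
    if log:
        words.append("log")
    words.extend(rest)
    return " ".join(words)


def generate_ipf_rules(user_rules: List[UserRule], log_default_block: bool) -> List[str]:
    """New behaviour: a user rule carries 'log' only if its own option is set;
    the automatically generated default-to-block rule carries it only if the
    global option is set."""
    rules = []
    for r in user_rules:
        rest = ["quick", "on", r.interface, "proto", r.proto,
                "from", r.src, "to", r.dst]
        rules.append(render_rule(r.action, r.log, rest))
    # Catch-all block: packets that matched no quick rule above end up here.
    rules.append(render_rule("block", log_default_block, ["all"]))
    return rules


def blocked_packet_logged(rule_is_default: bool, rule_log: bool,
                          log_default_block: bool, scheme: str) -> bool:
    """Would a packet blocked by this rule show up in ipmon?
    'old': 'ipf -l block' logs every blocked packet whenever the global option
           is on, regardless of the per-rule setting (the case Brett found
           counterintuitive).
    'new': the global option affects only the automatically generated default
           block rule; user block rules follow their own log option."""
    if scheme == "old":
        return log_default_block or rule_log
    if scheme == "new":
        return log_default_block if rule_is_default else rule_log
    raise ValueError(scheme)


if __name__ == "__main__":
    # Constructed sample rule set.
    sample = [
        UserRule("pass", "fxp0", "tcp", "any", "192.168.1.10/32 port = 80"),
        UserRule("block", "fxp0", "tcp", "10.0.0.0/8", "any", log=False),
    ]
    for line in generate_ipf_rules(sample, log_default_block=True):
        print(line)
    print("old:", blocked_packet_logged(False, False, True, "old"))
    print("new:", blocked_packet_logged(False, False, True, "new"))
```

With the global option on, the user block rule above is rendered without "log" and the catch-all becomes "block in log all"; under the old scheme a packet hitting that user rule was logged anyway, under the new one it is not.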