Hi, I was just wondering...
I've set up a remote syslog server - monitoring LAN activity (ipmon). I did
this by setting up a single pass-all rule as the last/default rule on the
LAN interface and I'm logging firewall events to the syslog server.
Next i set up a client on the Captive portal interface (LAN). I then try to
open a default webpage and i get a PASS event on the remote syslog server -
before the client is authenticated.
I suspect this behaviour to be a result of the captive portal rules being
applied after the LAN rules. However I'd like to get rid of firewall events
that did'nt really happen. Can this be done?
Also i have a more or less related question: Any chance to log an event when
a NAT table/firewall state entry is timed out. It would be great to be able
to meassure the number of octets sent/recieved between specific IP's.