On Feb 6, 2008 5:30 PM, Michel Servaes <michel at mcmc dot be> wrote:
> Since m0n0wall logs to much information, when setting the default rule
> to log activity to on, I was wondering if you guys mind sharing what
> ports would be interesting to monitor to the log ?
> Currently I have disabled logging on the default rule, and have added a
> rule to block ping requests... with the logging enabled.
> That way I have an idea who is pinging me... not important, but just a
> way to know which ip is pinging me...
People get hung up on looking at blocks in firewall logs, when they
aren't really worth much. Logging permitted traffic is typically more
important. Dropped traffic, by definition, can't harm you. The only
value in logging blocked traffic is to spot anomalies, any significant
increase or decrease from the norm for your particular network should
be investigated. I agree with Chris Bagnall's comments in most
environments, though not logging some traffic means you won't be able
to spot any variances in frequency. That may or may not be important
That's speaking strictly from a WAN rules perspective, for traffic
coming in from the Internet. You definitely want to log anything you
drop egress (aside from usual noise) because that's more commonly
indicative of a problem. For example, it could show a client PC
trying to connect to IRC, which would be indicative of a bot in most
corporate networks, or a PC port scanning or pounding away at SMTP,
all of which would be indicative of a compromised machine. You'll want
to tighten your egress rules as much as possible so you can see those
On WAN rules, it's more important to log passed traffic. Again to spot
frequency anomalies, and it also could help in investigating a
compromised host at some point in the future.