Feature #12625

open

Granular logging options for default firewall rules.

Added by Marcos Mendoza 5 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Logging
Target version: -
% Done: 0%
Release Notes: Default

Description

Allow the user to control which default firewall rules get logged. Currently, there are checkboxes for:
  • default block
  • default pass
  • Block Bogon Networks
  • Block Private Networks
Instead, two lists can be added where the user can select what to log specifically - one list for pass and one list for block. An example of the allow list would include the following items (affected rules noted for each):
  • IPv6 ICMP
    # IPv6 ICMP is not auxiliary, it is required for operation
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
  • Captive Portal
    # Captive portal
  • PPTP Client
    # allow PPTP client
  • IPv6 Border Relay
    # allow our proto 41 traffic from the 6RD border relay in
    # allow our proto 41 traffic from the 6to4 border relay in
  • Loopback
    # loopback
    # Allow IPv6 on loopback
  • Firewall host outbound
    # let out anything from the firewall host itself and decrypted IPsec traffic
  • Anti-lockout
    # make sure the user cannot lock himself out of the webConfigurator or SSH
  • Bypass for static routes
    # Add rules to bypass firewall rules for static routes
  • Miniupnp
    # pass multicast traffic to miniupnpd
  • CARP
    # CARP rules
  • DHCP
    # Add Priority to dhcp6c packets if enabled
    # allow our DHCP client out to the {$oc['descr']}
    # allow our DHCPv6 client out to the {$oc['descr']}
    # allow access to DHCP server on {$oc['descr']}
    # allow access to DHCP failover on {$oc['descr']} from {$config['dhcpd'][$on]['failover_peerip']}
    # allow access to DHCP relay on {$oc['descr']}
    # allow access to DHCPv6 server on {$oc['descr']}
