On Tue, August 19, 2008 19:04, Kenneth Porter wrote:
--On Tuesday, August 19, 2008 10:15 AM -0500 David Dyer-Bennet <dd-b@dd-b.net> wrote:
That's the right general approach; duplicate the drop rule but with a LOG target and appropriate logging parameters.
Another approach is to create a subchain that just logs and drops (no match rules), and in your main chain you match on the desired packet and jump to the subchain. That eliminates the need to maintain the same match in two places, and reduces the number of rules a non-dropped packet has to pass through.
Or any arbitrary number of pairs of places, in fact; you can jump to that log-and-drop rule from a dozen different places if you have a dozen things you want logged-and-dropped. (It does mean you're not putting cause info into each log entry to use it that way, though; still, you can usually figure out from the packet why you dropped it.)
I've been known to put a log entry at the end of my chain, with suitable rate-limiting parameters, and actually log every spurious packet hitting my system. The rate-limiting parameters are important :-).
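The log-and-drop subchain the thread describes, written out as an added example (not from either poster): a small shell function emits an iptables-restore fragment that defines a LOGDROP chain containing only a rate-limited LOG rule and a DROP, then jumps to it from several match rules in INPUT. The chain name LOGDROP, the log prefix, the limit values and the three sample match rules (telnet, SSDP, INVALID conntrack state) are constructed for illustration. Nothing is applied to the running firewall; the function only prints the rules, so it can be reviewed and then fed to `iptables-restore -n` on a host you administer.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Prints an iptables-restore fragment implementing the "subchain that just
# logs and drops" pattern: match rules live in INPUT, the LOG+DROP pair
# lives once in LOGDROP. The -m limit on the LOG rule is what keeps a
# flood of spurious packets from filling the kernel log.

gen_logdrop_rules() {
    # $1 = log prefix, $2 = sustained log rate, $3 = burst allowance
    prefix="${1:-LOGDROP: }"
    rate="${2:-5/min}"
    burst="${3:-10}"
    cat <<EOF
*filter
:LOGDROP - [0:0]
# Subchain: rate-limited LOG, then unconditional DROP. No match rules here.
-A LOGDROP -m limit --limit ${rate} --limit-burst ${burst} -j LOG --log-prefix "${prefix}" --log-level 4
-A LOGDROP -j DROP
# Call sites (constructed samples): each matches one packet class and jumps.
-A INPUT -p tcp --dport 23 -j LOGDROP
-A INPUT -p udp --dport 1900 -j LOGDROP
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
COMMIT
EOF
}

# Sanity check helper: how many rules jump into the shared subchain.
count_logdrop_callers() {
    gen_logdrop_rules "$@" | grep -c -- '-j LOGDROP$'
}

# Usage (prints the fragment; apply with: gen_logdrop_rules | iptables-restore -n):
gen_logdrop_rules "FW-DROP: " 5/min 10
```

Because every call site ends in the same chain, all entries carry the same prefix; if you need to know which match fired, either give each packet class its own small subchain with its own `--log-prefix`, or rely on the logged protocol and port as the thread suggests.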