On Tue, August 19, 2008 19:04, Kenneth Porter wrote:
> --On Tuesday, August 19, 2008 10:15 AM -0500 David Dyer-Bennet
> <dd-b at dd-b.net> wrote:
>
>> That's the right general approach; duplicate the drop rule but with a
>> LOG target and appropriate logging parameters.
>
> Another approach is to create a subchain that just logs and drops (no
> match rules), and in your main chain you match on the desired packet
> and jump to the subchain. That eliminates the need to maintain the same
> match in two places, and reduces the number of rules a non-dropped
> packet has to pass through.

Or any arbitrary number of pairs of places, in fact; you can jump to that
log-and-drop rule from a dozen different places if you have a dozen things
you want logged-and-dropped. (It does mean you're not putting cause info
into each log entry to use it that way, though; still, you can usually
figure out from the packet why you dropped it.)

I've been known to put a log entry at the end of my chain, with suitable
rate-limiting parameters, and actually log every spurious packet hitting
my system. The rate-limiting parameters are important :-).

--
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
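The two ideas in the thread, a log-and-drop subchain that several main-chain rules jump to, and a rate-limited catch-all LOG at the end of the chain, as an added example script that is not part of the original posts. The chain name LOGDROP, the interface eth0, the ports, the source range and the limit values are all constructed for illustration; the script prints the rules by default and only applies them when run with APPLY=1, so it can be read and checked without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Builds an iptables rule set
# with one LOGDROP subchain (log, then drop) that several INPUT rules jump to,
# plus a rate-limited fallthrough LOG at the end of INPUT.
# Chain/interface/port/limit values below are constructed assumptions.
# Usage: sh logdrop.sh            -> print the rules (dry run)
#        APPLY=1 sh logdrop.sh    -> apply them with iptables (needs root)

IPT="${IPT:-iptables}"
# Default to dry run; only apply when explicitly asked.
if [ "${APPLY:-0}" != "1" ]; then
    DRY_RUN=1
fi

# Print the rule in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# The subchain holds no match rules: a rate-limited LOG so a flood cannot
# fill the log, followed by an unconditional DROP. Because the match lives
# only in the caller, there is nothing to keep in sync in two places.
build_logdrop_chain() {
    run -N LOGDROP
    run -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "LOGDROP: " --log-level 4
    run -A LOGDROP -j DROP
}

# Main chain: accept what is wanted, jump to LOGDROP for each thing that
# should be logged-and-dropped, then log and drop whatever falls through.
add_input_rules() {
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp --dport 22 -j ACCEPT
    # Three unrelated matches, one shared log-and-drop subchain (assumed values).
    run -A INPUT -p tcp --dport 23 -j LOGDROP
    run -A INPUT -p udp --dport 137:139 -j LOGDROP
    run -A INPUT -i eth0 -s 10.0.0.0/8 -j LOGDROP
    # End-of-chain log of every other spurious packet; the limit matters
    # because this rule sees everything not accepted above.
    run -A INPUT -m limit --limit 1/sec --limit-burst 5 \
        -j LOG --log-prefix "INPUT-fallthrough: " --log-level 4
    run -A INPUT -j DROP
}

# Sanity checks on the generated rule set (always dry run, via a subshell).
count_logdrop_jumps() {
    (DRY_RUN=1; add_input_rules) | grep -c -- '-j LOGDROP'
}
count_logdrop_chain_rules() {
    (DRY_RUN=1; build_logdrop_chain) | grep -c -- '-A LOGDROP'
}

main() {
    build_logdrop_chain
    add_input_rules
}

main "$@"
```

Reading the dry-run output shows the payoff of the subchain: each of the three matches appears exactly once, and a packet that is accepted by the third INPUT rule never traverses any LOG rule at all. The log lines from the subchain carry only the shared "LOGDROP: " prefix, which is the trade-off David notes; if per-cause prefixes matter, the alternative is a separate LOG rule beside each DROP.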