On 3/18/19 5:05 PM, Christian Ebner wrote:
> Extends the documentation to mention the additional option to define a 
> per-rule
> log level for user-defined rules.
> 
> Signed-off-by: Christian Ebner <c.eb...@proxmox.com>
> ---
>  pve-firewall.adoc | 43 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 43 insertions(+)
> 
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index acaca95..555e90e 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -404,6 +404,49 @@ If you want to see the generated iptables rules you can 
> use:
>  
>   # iptables-save
>  
> +Logging of firewall rules
> +-------------------------
> +
> +By default, logging of traffic filtered by the firewall rules is disabled. To
> +enable logging for the default firewall rules, the log-level for incommig and
> +outgoing traffic has to be set in the firewall `Options` tab for the host 
> and/or
> +the VM/CT firewall.
> +Logging of dropped packets is rate limited to 1 packet per second in order to
> +reduce output to the log file.

With the bucket algorithm this is not the full truth; maybe a:
> After an initial burst of five packets, logging of dropped packets is rate
> lim...

would be better? I can fix this up though.

> +Further, only some dropped or rejected packets are logged for the standard 
> rules.

Huh? Maybe:

> By default only the packets dropped or rejected by {pve}'s implicit standard
> rules are logged.

Otherwise it sounds like only some of the standard rules lead to logging, and
if that were true I'd really be asking myself whether this is done out of spite
to confuse users? :D

> +
> +In order to log packets filtered by user-defined firewall rules, it is 
> possible
> +to set a log-level parameter for each rule individually.
> +This allows to log in a fine grained manner and independent of the log-level
> +defined for the standard rules.
> +In particular, each rule is logged independently from the log-level set for 
> the
> +standard rules in the firewall `Options`.

The last two sentences have some redundancy? And IMO this is still a bit
confusing: you have "in" and "out" rules, "log_level_in" and "log_level_out",
but they are not related to each other. Not 100% sure yet...


> +
> +The log level for the rule can also be set via the firewall configuration 
> file by
> +appending a `-log <loglevel>` to the selected rule.
> +Here, `<loglevel>` is one of the following flags, attached to the log output:
> +`nolog, emerg, alert, crit, err, warning, notice, info, debug`

But the loglevel shows up as a number in the log?

Some possibility for filtering could be nice here (as a separate addition to
this).

> +
> +For example:
> +
> +----
> +IN REJECT -p icmp -log nolog
> +----
> +
> +is the same as
> +
> +----
> +IN REJECT -p icmp
> +----
> +
> +whereas
> +
> +----
> +IN REJECT -p icmp -log debug
> +----
> +
> +produces a log output flagged with the `debug` level.
> +
>  
>  Tips and Tricks
>  ---------------
> 
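Review bot: typo in the new "Logging of firewall rules" section: "incommig" should be "incoming". The sentence "Logging of dropped packets is rate limited to 1 packet per second" also leaves out the initial burst that a bucket-based limit allows (raised in this thread), so consider stating the burst explicitly, e.g. "After an initial burst of N packets, logging of dropped packets is rate limited to 1 packet per second". Finally, `nolog` is listed among the `<loglevel>` "flags attached to the log output", but the example right below says `-log nolog` is the same as no `-log` at all; separating `nolog` (disable logging for this rule) from the real levels `emerg` ... `debug` would avoid that contradiction.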


_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
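As an added example, not part of this patch or of Proxmox's own code: the thread above turns on two details of the documented behaviour, the `-log <loglevel>` suffix on a rule line (with `nolog` documented as equivalent to no `-log`) and the rate limiting of dropped-packet logging, which the reply says is bucket-based with an initial burst of five packets. The snippet below parses the suffix exactly as the patch text lists the levels and simulates a token bucket of 1 packet/s with burst 5 so the difference between "1 packet per second" and "burst, then 1 per second" is visible on constructed arrival times. The bucket parameters are taken from the thread as an assumption and are not verified against the firewall's generated iptables rules.

```python
"""Rule-line log-level parsing and a token-bucket model of log rate limiting.

Added example for the pve-devel thread on per-rule log levels; it is not the
Proxmox firewall's own code. The bucket parameters (1/s, burst 5) are an
assumption taken from the reply in the thread.
"""

# Levels exactly as the patch lists them; `nolog` is special-cased below.
LOG_LEVELS = ("nolog", "emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug")


def parse_log_level(rule: str):
    """Return the level named by `-log <loglevel>` on a rule line.

    Returns None when the rule has no `-log` option or uses `nolog`, since
    the patch documents `-log nolog` as identical to omitting the option.
    Raises ValueError for a missing or unknown level.
    """
    tokens = rule.split()
    if "-log" not in tokens:
        return None
    idx = tokens.index("-log")
    if idx + 1 >= len(tokens):
        raise ValueError("-log requires a level argument")
    level = tokens[idx + 1]
    if level not in LOG_LEVELS:
        raise ValueError(f"unknown log level {level!r}")
    return None if level == "nolog" else level


class TokenBucket:
    """Token bucket: `burst` tokens initially, refilled at `rate_per_s`."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)  # a fresh bucket is full
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(float(self.burst),
                          self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_logged_drops(arrival_times, rate_per_s=1.0, burst=5):
    """Return the subset of drop timestamps that would produce a log line.

    `arrival_times` is a non-decreasing list of seconds at which a packet was
    dropped (constructed input in the usage below).
    """
    bucket = TokenBucket(rate_per_s, burst)
    return [t for t in arrival_times if bucket.allow(t)]


if __name__ == "__main__":
    for line in ("IN REJECT -p icmp -log nolog",
                 "IN REJECT -p icmp",
                 "IN REJECT -p icmp -log debug"):
        print(f"{line!r:40} -> {parse_log_level(line)}")

    # Constructed burst: ten drops at t=0, then single drops at 1.0, 1.5, 2.0 s.
    drops = [0.0] * 10 + [1.0, 1.5, 2.0]
    logged = simulate_logged_drops(drops)
    print(f"{len(logged)} of {len(drops)} drops logged: {logged}")
```

With a plain "1 packet per second" rule only one of the ten simultaneous drops would be logged; with the bucket, five are logged at once and afterwards one per second, which is the wording correction the reply asks for.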
