Proposal: Drop iptables logging rate-limit

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Proposal: Drop iptables logging rate-limit
Date: Sun, 14 Jul 2019 14:56:00 +0000	[thread overview]
Message-ID: <e86a3cba-8367-04ed-f9d3-1a0ca58515e9@ipfire.org> (raw)

[-- Attachment #1: Type: text/plain, Size: 1631 bytes --]

Hello *,

currently, the iptables configuration used in IPFire 2.x does not
log _every_ packet if logging is enabled for whatever reason, but
enforces a rate-limit:

> iptables -A LOG_DROP   -m limit --limit 10/minute -j LOG
(snip taken from /etc/init.d/firewall)

For several reasons, I consider this a bad idea. (Forgive me for
bringing up firewall issues in IPFire 2.x again. :-) )

First, this rate-limit is never mentioned in the firewall WebUI
or our documentation, thus being unintentional for most users
including me.

Second, it makes debugging very hard - I recently spent several
unpleasant days trying to fix a VoIP related network problem,
until I got not every packet dropped by IPFire was actually logged.
Especially for corner cases or non-deterministic issues, this
behaviour makes this more difficult.

Third, it is not compliant. Especially when it comes to post
mortem forensics, firewall logs are important. If you cannot
trust them since there is no way of telling whether a packet
was dropped and not logged, or never seen by the firewall machine,
its best to stop logging anything at all.

I therefore propose to drop iptables logging rate-limit in our
firewall configurations (which goes for IPFire 3.x as well).
Since my systems to not run on problematic hardware (ARM SoCs
with SD cards, crappy flash storage, etc.), I have no idea if
this will cause issues on some systems/platforms.

@All: Thoughts, please. Is anyone aware of potential trouble?

If not, I will send in a patch within this week.

Thanks, and best regards,
Peter Müller
-- 
The road to Hades is easy to travel.
	-- Bion of Borysthenes

next             reply	other threads:[~2019-07-14 14:56 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-14 14:56 Peter Müller [this message]
2019-07-15 10:29 ` Michael Tremer
2019-07-18 18:23   ` Tim FitzGeorge
2019-07-29 20:00     ` [PATCH] firewall: raise log rate limit to 10 packets per second Peter Müller
2019-07-29 20:40       ` Horace Michael

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e86a3cba-8367-04ed-f9d3-1a0ca58515e9@ipfire.org \
    --to=peter.mueller@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox