Hello *,
currently, the iptables configuration used in IPFire 2.x does not log _every_ packet if logging is enabled for whatever reason, but enforces a rate-limit:
iptables -A LOG_DROP -m limit --limit 10/minute -j LOG
(snip taken from /etc/init.d/firewall)
For several reasons, I consider this a bad idea. (Forgive me for bringing up firewall issues in IPFire 2.x again. :-) )
First, this rate-limit is never mentioned in the firewall WebUI or our documentation, thus being unintentional for most users including me.
Second, it makes debugging very hard - I recently spent several unpleasant days trying to fix a VoIP-related network problem, until I realised that not every packet dropped by IPFire was actually logged. Especially for corner cases or non-deterministic issues, this behaviour makes things more difficult.
Third, it is not compliant. Especially when it comes to post mortem forensics, firewall logs are important. If you cannot trust them since there is no way of telling whether a packet was dropped and not logged, or never seen by the firewall machine, it's best to stop logging anything at all.
I therefore propose to drop the iptables logging rate-limit in our firewall configurations (which goes for IPFire 3.x as well). Since my systems do not run on problematic hardware (ARM SoCs with SD cards, crappy flash storage, etc.), I have no idea if this will cause issues on some systems/platforms.
@All: Thoughts, please. Is anyone aware of potential trouble?
If not, I will send in a patch within this week.
Thanks, and best regards, Peter Müller
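Added illustration (not part of Peter's mail or of IPFire's firewall script): a small token-bucket model of the iptables `-m limit` match, used to count how many dropped packets actually reach the log under `--limit 10/minute` with the default `--limit-burst 5`, compared with an unlimited LOG rule. The model is an approximation of the kernel's xt_limit credit accounting, and the packet timestamps are constructed; the `LimitMatch` and `coverage_report` names are this example's own.

```python
# Added example, not IPFire code: model the xt_limit token bucket to show the
# logging gap that "-m limit --limit 10/minute -j LOG" leaves during a burst
# of drops. Assumptions: bucket holds 'burst' tokens (iptables default 5),
# refilled continuously at 'rate' tokens per second; a packet matches (and is
# logged) only if a whole token is available.

from dataclasses import dataclass


@dataclass
class LimitMatch:
    """Approximation of the iptables 'limit' match (hypothetical helper)."""
    rate_per_sec: float
    burst: int

    def __post_init__(self):
        self.tokens = float(self.burst)   # bucket starts full
        self.last_t = 0.0

    def matches(self, t: float) -> bool:
        # Refill credit for the elapsed time, capped at the burst size,
        # then spend one token if a whole one is available.
        elapsed = max(0.0, t - self.last_t)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_sec)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def logged_with_limit(arrivals, rate_per_minute=10, burst=5):
    """Timestamps of dropped packets that a rate-limited LOG rule would record."""
    match = LimitMatch(rate_per_minute / 60.0, burst)
    return [t for t in sorted(arrivals) if match.matches(t)]


def logged_without_limit(arrivals):
    """Timestamps recorded by a plain '-j LOG' rule: every dropped packet."""
    return sorted(arrivals)


def constructed_arrivals():
    # Constructed input: 100 drops within one second (a short scan or a
    # misbehaving VoIP peer), then 20 more drops one minute later.
    first = [i * 0.01 for i in range(100)]
    second = [60.0 + i * 0.01 for i in range(20)]
    return first + second


def coverage_report(arrivals):
    limited = logged_with_limit(arrivals)
    full = logged_without_limit(arrivals)
    return {
        "dropped": len(arrivals),
        "logged_limited": len(limited),
        "logged_unlimited": len(full),
        "silent": len(arrivals) - len(limited),   # drops that leave no log line
    }


if __name__ == "__main__":
    report = coverage_report(constructed_arrivals())
    for key, value in report.items():
        print(f"{key:>16}: {value}")
```

With the constructed input, the limited rule records only the first five packets of each burst and leaves 110 of 120 drops with no log line at all, which is exactly the ambiguity described above: from the log alone you cannot tell a silently dropped packet from one the firewall never saw.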