33 lines
1 KiB
Text
33 lines
1 KiB
Text
# kernel log
|
|
chain log-reject {
|
|
# if called, the subsequent rules *must* include an absolute reject verdict
|
|
# this allows specifying a reject method on return
|
|
counter name "reject-total" comment "total packets rejected"
|
|
limit rate 5/minute burst 5 packets \
|
|
log prefix "[FW (REJECT)]: " level debug flags ip options
|
|
}
|
|
|
|
chain log-drop {
|
|
counter name "drop-total" comment "total packets dropped"
|
|
limit rate 5/minute burst 5 packets \
|
|
log prefix "[FW (DROP)]: " level debug flags ip options
|
|
drop comment "drop packet"
|
|
# end of rule traversal
|
|
}
|
|
|
|
# NFLOG userspace logging
|
|
chain nflog-reject {
|
|
# if called, the subsequent rules *must* include an absolute reject verdict
|
|
# this allows specifying a reject method on return
|
|
counter name "reject-total" comment "total packets rejected"
|
|
limit rate 5/minute burst 5 packets \
|
|
log prefix "[REJECT]: " group 1
|
|
}
|
|
|
|
chain nflog-drop {
|
|
counter name "drop-total" comment "total packets dropped"
|
|
limit rate 5/minute burst 5 packets \
|
|
log prefix "[ DROP ]: " group 1
|
|
drop comment "drop packet"
|
|
# end of rule traversal
|
|
}
|