Simulating Drop Rules with Logging to Prevent Production Disruptions

Hi,

I am planning to enable a “drop everything that is not allowed” rule on the router for the server list. However, the servers are in production, and I don’t want to end up in a situation where I forgot something and then have to deal with why something isn’t working for the clients ad-hoc…

So, I would like to first collect data for a few weeks on what connections would be dropped if the rule were already active, without actually blocking anything.

Adding logging to the drop rule is obviously not a solution.
Placing an action=log rule with the server list after all the accept rules would log even the allowed connections, which isn’t helpful. I would then have to filter the logs, and that would likely drive me crazy.

So, I need some kind of “fake drop” rule that will only log.

Thanks.

I’m a beginner with MT so take this for what it’s worth… Note that I have MT sending firewall logs to a remote syslog server.

Why not create the rule just like you intend to, but instead of action=drop have action=log? And you can set a log prefix so you can grep out only those log entries. You can set up remote syslog if you want to watch it for days without losing logging entries.

No, it wouldn’t. Once the packet is accepted by a rule, processing stops there; the following rules are not checked.
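Putting the two replies above together as a worked dry run. This is an added example, not something posted in the thread: the RouterOS rules in the header comment assume an address list called "servers", two made-up accept rules, a syslog host at 192.0.2.10 and the log prefix SRV-WOULD-DROP, and the sample syslog lines are constructed (the part after the prefix follows the RouterOS firewall log layout, but hosts, MACs and timestamps are invented). In RouterOS, action=log writes the line and then passes the packet to the next rule, and a packet accepted earlier in the chain never reaches it, so a log rule placed where the drop rule will eventually go sees exactly the traffic the drop rule would hit. The script then summarises those lines from the syslog server and turns the TCP/UDP destinations into candidate accept rules for review.

```shell
#!/bin/sh
# Summarise what a MikroTik "dry-run drop" rule would have dropped.
#
# Assumed RouterOS configuration (illustration only; list name, ports and the
# 192.0.2.10 syslog host are made up):
#
#   /ip firewall address-list add list=servers address=10.0.0.0/24
#   /ip firewall filter
#   add chain=forward dst-address-list=servers protocol=tcp dst-port=443 action=accept
#   add chain=forward dst-address-list=servers protocol=tcp dst-port=22 src-address=192.168.1.0/24 action=accept
#   add chain=forward dst-address-list=servers action=log log-prefix="SRV-WOULD-DROP"
#   /system logging action set remote remote=192.0.2.10
#   /system logging add topics=firewall action=remote
#
# action=log writes the line and passes the packet to the next rule, and an accepted
# packet never reaches it, so only traffic the future drop rule would hit gets the prefix.
# After the observation period the last rule is changed to action=drop (optionally
# keeping log=yes and the same prefix so the real drops stay visible).

PREFIX="SRV-WOULD-DROP"

# Constructed sample of what the syslog server receives (not real log data).
SAMPLE_LOG='Mar  3 10:01:12 router firewall,info SRV-WOULD-DROP forward: in:ether1 out:bridge1, src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 192.168.1.50:51234->10.0.0.5:3389, len 60
Mar  3 10:01:13 router firewall,info SRV-WOULD-DROP forward: in:ether1 out:bridge1, src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 192.168.1.50:51240->10.0.0.5:3389, len 60
Mar  3 10:01:15 router firewall,info SRV-WOULD-DROP forward: in:ether1 out:bridge1, src-mac 00:0c:29:dd:ee:ff, proto UDP, 192.168.1.77:40000->10.0.0.9:161, len 90
Mar  3 10:01:20 router firewall,info SRV-WOULD-DROP forward: in:ether1 out:bridge1, src-mac 00:0c:29:dd:ee:ff, proto ICMP (type 8, code 0), 192.168.1.77->10.0.0.9, len 84
Mar  3 10:01:21 router firewall,info OTHER-RULE forward: in:ether1 out:bridge1, src-mac 00:0c:29:11:22:33, proto TCP (SYN), 192.168.1.50:51300->10.0.0.5:443, len 60
Mar  3 10:01:22 router system,info user admin logged in from 192.168.1.2 via winbox'

# Usage: would_drop_summary PREFIX < syslog.log
# Prints "COUNT PROTO SRC -> DST[:PORT]" per distinct flow, most frequent first.
# The ephemeral source port is discarded so repeated connections aggregate.
would_drop_summary() {
    awk -v pfx="$1" '
        index($0, " " pfx " ") == 0 { next }        # only lines from the dry-run rule
        {
            proto = ""; flow = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "proto") proto = $(i + 1)  # TCP, UDP, ICMP ("UDP," before cleanup)
                if (index($i, "->") > 0) flow = $i   # src[:port]->dst[:port],
            }
            sub(/,$/, "", proto); sub(/,$/, "", flow)
            split(flow, ep, "->")
            src = ep[1]; sub(/:[0-9]+$/, "", src)
            print proto, src, "->", ep[2]
        }' | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Turn the summary into candidate accept rules for TCP/UDP destinations.
# These are for review, not for pasting in blindly: every line is traffic that
# currently reaches the servers and is NOT covered by an existing accept rule.
suggest_accepts() {
    awk '$2 == "TCP" || $2 == "UDP" {
        split($5, d, ":")
        printf "add chain=forward dst-address=%s protocol=%s dst-port=%s action=accept comment=\"review: %s hits from %s\"\n", d[1], tolower($2), d[2], $1, $3
    }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | would_drop_summary "$PREFIX"
printf '%s\n' "$SAMPLE_LOG" | would_drop_summary "$PREFIX" | suggest_accepts
```

On the sample above the summary shows two RDP attempts to 10.0.0.5:3389 aggregated into one line, one SNMP query and one ping, and nothing for the HTTPS connection, because that one matched an accept rule and never reached the log rule. Anything in the summary that should be allowed gets an explicit accept rule placed above the log rule; anything else stays, and after a few weeks of an empty or stable summary the log rule becomes the drop rule.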