commit 821f04205d505da14587896cf436cbab5dba4dd9 Author: Thomas Woerner Date: Fri Sep 16 16:11:53 2016 +0200 firewall.core.fw_zone: Fix LOG rule placement for LogDenied The LOG rule needs to be placed exactly before the DROP or REJECT rule and not afterwards. diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py index d72caa5..97596bc 100644 --- a/src/firewall/core/fw_zone.py +++ b/src/firewall/core/fw_zone.py @@ -325,13 +325,13 @@ class FirewallZone(object): chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]: if target in [ "REJECT", "%%REJECT%%" ]: transaction.add_rule( - ipv, [ "-I", _zone, "5", "-t", table, + ipv, [ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_REJECT: \"" % _zone ]) if target == "DROP": transaction.add_rule( - ipv, [ "-I", _zone, "5", "-t", table, + ipv, [ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_DROP: \"" % _zone ])
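Review bot: The insert position `"4"` in both `transaction.add_rule` calls is a bare literal, and nothing in the hunk ties it to the number of rules that sit ahead of the terminal DROP/REJECT rule in the zone chain. If that layout changes again, the LOG rule can land after the terminal rule, and LogDenied would then presumably stop producing entries without any error. I would record the assumption next to the value, for example `# LOG must sit directly before the final DROP/REJECT; index = rules installed ahead of it + 1`, or better, derive the index from a named constant shared with the code that builds the chain. The REJECT and DROP branches are identical apart from the log prefix, so a single call with the suffix chosen from `target` would keep the position in one place. The enclosing method and the start of the `if` condition lie outside the hunk, so the chain setup this index depends on is not visible here.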