pve-firewall no logs even on level debug

tim taler

Hi,
what's wrong with firewall logging?

the pve firewall in my cluster seems to work fine except it shows no logs?

I set
"/etc/pve/nodes/<nodename>/host.fw"

to:
---snipp---
[OPTIONS]

tcpflags: 1
smurf_log_level: info
tcp_flags_log_level: info
log_level_in: debug
log_level_out: debug
---snapp---

but if I try to access the server through a banned device there are no log entries in
/var/log/pve-firewall.log
just:

---snipp---
...
0 5 - 07/Feb/2019:11:56:33 +0100 starting pvefw logger
0 5 - 07/Feb/2019:11:56:37 +0100 received terminate request (signal)
0 5 - 07/Feb/2019:11:56:37 +0100 stopping pvefw logger
0 5 - 07/Feb/2019:11:56:38 +0100 starting pvefw logger
0 5 - 07/Feb/2019:12:08:39 +0100 received terminate request (signal)
0 5 - 07/Feb/2019:12:08:39 +0100 stopping pvefw logger
0 5 - 07/Feb/2019:12:11:04 +0100 starting pvefw logger
0 5 - 07/Feb/2019:12:11:09 +0100 received terminate request (signal)
0 5 - 07/Feb/2019:12:11:09 +0100 stopping pvefw logger
0 5 - 07/Feb/2019:12:11:09 +0100 starting pvefw logger
...
---snapp---

does there have to be some logging rules in
/etc/pve/firewall/cluster.fw?
(because there I didn't mention logging anywhere)
TIA
 
Thanks for confirming, @spirit !

Has this been enhanced recently? If no, will it ever be?

Should we resort to manual iptables rules? If so, can you please give an example? I'm not sure in which table to add, given all the proxmox-added ones.

Many thanks,
Ciprian
 
currently, the logs are only for the final default reject or drop (not accept, and not for rules).

Is this still valid in 2025? Can we somehow show accepts as well?