1

edit: after the first comment, I adapted the question

When adding a rule in GUFW/Advanced there are three choices for logging. From the man ufw page/section LOGGING I learned:

  • do not log - log nothing
  • log - logs all blocked packets for that rule and maybe new/invalid packets. There is rate limiting
  • log-all - logs all packets with rate limit

As ufw has the log levels (off/low/medium/high/full), it's not clear what the mapping is, but it seems sure that everything besides "off" should log all packets that are caught by the rule where log is set.

According to man ufw, logging goes into the syslog together with a lot of other stuff. So naturally I would expect the GUI Log page to show those log entries.

However, I did not manage to get any packet log entries listed in the Log pane. How can that be done?

CatMan
  • 1,449
  • Since GUFW is a front end to ufw you will likely find the answer to your first question in man ufw (in short, they refer to the per-rule logging capability and correspond to no logging, logging of new connections, and logging of all packets respectively) – steeldriver Sep 20 '18 at 15:46
  • Thanks for the hint. Didn't think of the obvious. Adding the question with that info, because what's left is how to see it – CatMan Sep 20 '18 at 16:16

1 Answer

0

The GUI does not show the log.

The log goes to the journal. You can see it best with the console command

 sudo journalctl -f
  [UFW AUDIT] IN= OUT=eno1 SRC=192.168.1.1 DST=151.101.1.69 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=37400 DF PROTO=TCP SPT=52452 DPT=443 WINDOW=1102 RES=0x00 ACK URGP=0 

This shows the actual added log entries. Here is an allowed outgoing connection to remote IP 151.101.1.69 with TCP on port 443. You can use this to fine-tune the firewall settings, e.g. when you want to restrict outgoing traffic as well.

The log level should be set to "low" using the following command because the logs quickly grow to several gigabytes.

 sudo ufw logging low
CatMan
  • 1,449
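
One way to turn the journal entries shown in the answer above into a per-destination summary for tuning rules, as an added example that is not part of the original answer. The function names `ufw_summary` and `sample_log` and the sample lines are constructed for illustration.

```sh
# Constructed sample journal lines (not captured from a real host).
sample_log() {
    cat <<'EOF'
Sep 20 18:01:02 host kernel: [UFW AUDIT] IN= OUT=eno1 SRC=192.168.1.1 DST=151.101.1.69 LEN=52 TTL=64 ID=37400 DF PROTO=TCP SPT=52452 DPT=443 WINDOW=1102 ACK URGP=0
Sep 20 18:01:03 host kernel: [UFW AUDIT] IN= OUT=eno1 SRC=192.168.1.1 DST=151.101.1.69 LEN=52 TTL=64 ID=37401 DF PROTO=TCP SPT=52454 DPT=443 WINDOW=1102 ACK URGP=0
Sep 20 18:01:04 host systemd[1]: Started Session 4 of user demo.
Sep 20 18:01:05 host kernel: [UFW BLOCK] IN=eno1 OUT= SRC=198.51.100.7 DST=192.168.1.1 LEN=60 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 SYN URGP=0
EOF
}

# Hypothetical helper: read log lines on stdin and print
# "count tag direction protocol peer port", most frequent first.
ufw_summary() {
    awk '
    {
        # Locate the "[UFW <TAG>]" marker; skip every non-UFW line.
        start = index($0, "[UFW ")
        if (start == 0) next
        rest = substr($0, start + 5)
        end = index(rest, "]")
        if (end == 0) next
        tag = substr(rest, 1, end - 1)
        rest = substr(rest, end + 1)

        # Collect KEY=VALUE pairs; bare flags such as DF or ACK have no "=".
        split("", kv)
        n = split(rest, tok, " ")
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq > 0) kv[substr(tok[i], 1, eq - 1)] = substr(tok[i], eq + 1)
        }

        # Empty IN= means locally generated (outgoing); empty OUT= means incoming.
        if (kv["IN"] == "")       { dir = "out"; peer = kv["DST"] }
        else if (kv["OUT"] == "") { dir = "in";  peer = kv["SRC"] }
        else                      { dir = "fwd"; peer = kv["DST"] }

        port = (kv["DPT"] != "") ? kv["DPT"] : "-"   # ICMP has no DPT
        count[tag " " dir " " kv["PROTO"] " " peer " " port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

sample_log | ufw_summary
```

On a live system the same function can read the kernel messages from the journal, for example `sudo journalctl -k --no-pager | ufw_summary`.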