On Sun, Feb 02, 2003 at 08:43:51PM +1000, Marco Grigull wrote:

> # forward stuff to our loghost/IDS
> pass in log on $ext_if dup-to $dmz_if all
> pass out log quick on $dmz_if all
> block in log quick on $dmz_if all
>
> These are the FIRST rules in the ruleset.
> I would think that the first line makes a copy of all packets on ext_if to dmz_if,
> regardless of whether they get blocked later or not. Or is that incorrect logic?
No, that's a wrong assumption. Only the last matching rule matters. Any previously matching rules are completely irrelevant; their options like log or dup-to are not applied. You have to make sure your dup-to rule is the last matching one, or add the dup-to option to all last-matching rules that should use dup-to.

> PS. what happens to the logging of a packet that matches a rule further down, that
> doesn't specify logging? is this interfering with the cloned packet in any way?
> Should dup-to
> packets be explicitly logged when the log keyword is used?

See above, log is only used if the last matching rule has that option. dup-to and log are unrelated options; you can dup-to with or without logging and log with or without dup-to.

Daniel
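The last-matching-rule behaviour Daniel describes can be checked with a small simulation. The script below is an added example, not code from the thread or from pf itself: it parses the three rules quoted above plus one constructed later rule ("block in on $ext_if all", standing in for the "rule further down" Marco asks about), applies pf's evaluation order (last matching rule wins, a matching quick rule ends evaluation), and reports which rule's log and dup-to options are applied. The packets, the later rule and the "corrected" variant that carries dup-to on the last-matching rule are all constructed for the demonstration; the simulator models only the semantics and does not validate full pf.conf syntax.

```python
from dataclasses import dataclass
from typing import List, Optional

# Rules quoted in the thread (verbatim), followed by one constructed later
# rule standing in for "a rule further down" that matches the same packets.
THREAD_RULES = [
    "pass in log on $ext_if dup-to $dmz_if all",
    "pass out log quick on $dmz_if all",
    "block in log quick on $dmz_if all",
]
LATER_RULE = "block in on $ext_if all"   # constructed: no log, no dup-to, no quick


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    direction: str              # "in" or "out"
    iface: str = ""
    quick: bool = False
    log: bool = False
    dup_to: Optional[str] = None
    text: str = ""


@dataclass
class Packet:
    direction: str
    iface: str


@dataclass
class Verdict:
    action: str
    log: bool
    dup_to: Optional[str]
    rule: str                   # text of the rule whose options were applied


def parse_rule(line: str) -> Rule:
    """Parse the small subset of pf.conf syntax used in the thread."""
    tokens = line.split()
    rule = Rule(action=tokens[0], direction=tokens[1], text=line)
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "log":
            rule.log = True
        elif tok == "quick":
            rule.quick = True
        elif tok == "on":
            rule.iface = tokens[i + 1]
            i += 1
        elif tok == "dup-to":
            rule.dup_to = tokens[i + 1]
            i += 1
        elif tok != "all":
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
        i += 1
    return rule


def evaluate(rules: List[Rule], pkt: Packet) -> Verdict:
    """pf semantics: the last matching rule wins, unless a matching rule is
    'quick', which stops evaluation at that rule. Only the winner's options
    (log, dup-to) are applied; earlier matching rules contribute nothing."""
    winner = None
    for rule in rules:
        if rule.direction != pkt.direction or rule.iface != pkt.iface:
            continue
        winner = rule
        if rule.quick:
            break
    if winner is None:                       # modelled: pf passes when nothing matches
        return Verdict("pass", False, None, "(no matching rule)")
    return Verdict(winner.action, winner.log, winner.dup_to, winner.text)


def thread_ruleset() -> Verdict:
    """Inbound packet on $ext_if against the thread's rules plus LATER_RULE."""
    rules = [parse_rule(r) for r in THREAD_RULES + [LATER_RULE]]
    return evaluate(rules, Packet("in", "$ext_if"))


def corrected_ruleset() -> Verdict:
    """Daniel's fix: carry log and dup-to on the rule that ends up matching last."""
    fixed_later = "block in log on $ext_if dup-to $dmz_if all"   # constructed
    rules = [parse_rule(r) for r in THREAD_RULES + [fixed_later]]
    return evaluate(rules, Packet("in", "$ext_if"))


if __name__ == "__main__":
    for name, v in (("thread", thread_ruleset()), ("corrected", corrected_ruleset())):
        print(f"{name:>9}: {v.action}, log={v.log}, dup-to={v.dup_to}  <- {v.rule}")
```

Running it shows the first ruleset blocking the inbound packet with neither log nor dup-to applied, because the later block rule is the last match and the first rule's options are discarded; the corrected ruleset blocks the same packet but logs it and duplicates it to $dmz_if, since those options now sit on the winning rule.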