Hello!
You could use normal iptables commands for firewall logging. Iptables logs the items to the system log (read with logread), so the log can fill quickly if you have lots of traffic.
Firewall zone config is LuCI offers the possibility to log rejected/dropped connections. That is in zone's options, advanced tab.
E.g. enabling the drop/reject logging for wan creates the following rules:
root@LEDE:~# iptables-save | grep -i log
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m limit --limit 10/sec -m comment --comment "!fw3: wan (mtu_fix logging)" -j LOG --log-prefix "MSSFIX(wan): "
-A zone_wan_dest_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(dest wan)"
-A zone_wan_src_REJECT -m limit --limit 10/sec -m comment --comment "!fw3" -j LOG --log-prefix "REJECT(src wan)"
Modifying the logging rules by hand requires naturally some iptables knowledge and understanding of the various rule chains (and tables) in the firewall.
E.g. manually create a rule to log all incoming UDP packets from interface eth0.2 to port 2222:
iptables -I PREROUTING -t mangle -i eth0.2 -p udp --dst-port 2222 -j LOG
Best regards, Aliaksandr!
