Linux – Firewalld – Logging denied packets enabled – not logging

firewallfirewalldiptableslinuxSecurity

I am using Firewalld and the drop zone is the default zone with an interface assigned to the zone.

I then have rich rules to allow some traffic through the drop zone and I have enabled firewall-cmd --set-log-denied=all. I would of thought that this would log anything that attempts to connect to the server that doesn't come from the white-listed rich rule… but it won't log. I ran port scans against the server and the /var/log/messages doesn't show any of the denied ports logs.

However when I set the default zone to public and assign the interface to public, it does log denied packets when I run another port scan.

Why?

Best Answer

The problem seems to be related to a bug as said in the comment. However, for those who are still having trouble to get the logging of firewall denial packets, the following approach worked for me:

The following worked with firewalld + rsyslogd

Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required)

LogDenied=all

restart firewalld

sudo systemctl restart firewalld

Alternatively, using the command line, one can execute the following command:

sudo firewall-cmd --set-log-denied all

This typically adds logging rules just before reject/drop rules in the firewall, something like:

LOG  all  --  anywhere   anywhere  LOG level warning prefix "IN_drop_DROP: "
LOG  all  --  anywhere   anywhere  LOG level warning prefix "FINAL_REJECT: "

Create a file named /etc/rsyslog.d/custom_iptables.conf and add the following statements to it:

:msg,contains,"_DROP" /var/log/iptables.log
& stop
:msg,contains,"_REJECT" /var/log/iptables.log
& stop

restart rsyslog

sudo systemctl restart rsyslog

Now the dropped and rejected packets will be logged to /var/log/iptables.log

Related Topic