I am using Firewalld and the drop zone is the default zone with an interface assigned to the zone.
I then have rich rules to allow some traffic through the drop zone, and I have enabled firewall-cmd --set-log-denied=all. I would have thought that this would log anything that attempts to connect to the server that doesn't come from the white-listed rich rule… but it won't log. I ran port scans against the server and /var/log/messages doesn't show any of the denied-port logs.
However when I set the default zone to public and assign the interface to public, it does log denied packets when I run another port scan.
Why?
Best Answer
The problem seems to be related to a bug, as mentioned in the comment. However, for those who are still having trouble getting firewall denial packets logged, the following approach worked for me:
The following worked with firewalld + rsyslogd.

1. Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required), then restart firewalld.

   Alternatively, using the command line, one can execute the following command:

   This typically adds logging rules just before the reject/drop rules in the firewall, something like:

2. Create a file named /etc/rsyslog.d/custom_iptables.conf and add the following statements to it, then restart rsyslog.

Now the dropped and rejected packets will be logged to /var/log/iptables.log.
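Once the denied packets land in /var/log/iptables.log, the next thing you usually want is to read them back and see what the port scan from the question looks like in the log. The script below is an added example, not part of the answer above: it parses netfilter LOG lines (the KEY=value fields the kernel emits), groups denied packets by source address and flags sources that hit many distinct ports. The log lines, hosts and addresses are constructed for the example, and the "FINAL_REJECT:" prefix is assumed to be the one firewalld's LogDenied rules attach to the final reject rule.

```python
import re
from collections import defaultdict

# Constructed sample input: kernel LOG lines as rsyslog would write them to
# /var/log/iptables.log. Hosts, addresses and ports are made up; the
# "FINAL_REJECT:" prefix is assumed to match firewalld's LogDenied rule.
_TEMPLATE = ("Mar 10 12:00:{sec:02d} host kernel: FINAL_REJECT: IN=eth0 OUT= "
             "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 "
             "LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=TCP SPT=40000 DPT={dpt} "
             "WINDOW=1024 RES=0x00 SYN URGP=0")
_EVENTS = [("198.51.100.7", p) for p in (21, 22, 23, 80, 443, 3306, 8080)] + [("203.0.113.5", 22)]
SAMPLE_LOG = "\n".join(_TEMPLATE.format(sec=i, src=s, dpt=d) for i, (s, d) in enumerate(_EVENTS))
# A non-firewall line that should be skipped by the parser.
SAMPLE_LOG += "\nMar 10 12:00:09 host sshd[123]: Accepted publickey for admin from 203.0.113.5"

_KV = re.compile(r"([A-Z]+)=(\S*)")  # netfilter LOG fields are KEY=value, value may be empty (OUT=)


def parse_line(line):
    """Parse one netfilter LOG line into a dict of KEY=value fields plus the log prefix.
    Returns None for lines that are not netfilter LOG output (e.g. sshd messages)."""
    head, sep, rest = line.partition(" IN=")
    if not sep or "kernel: " not in head:
        return None
    fields = dict(_KV.findall("IN=" + rest))
    fields["PREFIX"] = head.rsplit("kernel: ", 1)[1].strip()
    return fields


def summarize(text):
    """Group denied packets by source address: packet count and distinct destination ports."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        entry = by_src[f["SRC"]]
        entry["count"] += 1
        if f.get("DPT"):
            entry["ports"].add(int(f["DPT"]))
    return dict(by_src)


def probable_scanners(summary, min_ports=5):
    """Sources that touched at least min_ports distinct denied ports: the signature a
    port scan leaves in the log once LogDenied is actually working."""
    return sorted(src for src, e in summary.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, e in sorted(s.items()):
        print(f"{src}: {e['count']} denied, ports {sorted(e['ports'])}")
    print("probable scanners:", probable_scanners(s))
```

To run it against the real file, replace SAMPLE_LOG with the contents of /var/log/iptables.log; lines from rules with other firewalld prefixes parse the same way since the fields after the prefix are standard netfilter LOG output.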