Firewalld - Logging denied packets enabled - not logging
Solution 1
The problem seems to be related to a bug, as said in the comment. However, for those who are still having trouble getting firewall denial packets logged, the following approach worked for me with firewalld + rsyslogd.

Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required):
LogDenied=all
Restart firewalld:
sudo systemctl restart firewalld
Alternatively, using the command line, one can execute the following command:
sudo firewall-cmd --set-log-denied all
This typically adds logging rules just before reject/drop rules in the firewall, something like:
LOG all -- anywhere anywhere LOG level warning prefix "IN_drop_DROP: "
LOG all -- anywhere anywhere LOG level warning prefix "FINAL_REJECT: "
Create a file named /etc/rsyslog.d/custom_iptables.conf and add the following statements to it:
:msg,contains,"_DROP" /var/log/iptables.log
& stop
:msg,contains,"_REJECT" /var/log/iptables.log
& stop
Restart rsyslog:
sudo systemctl restart rsyslog
Now the dropped and rejected packets will be logged to /var/log/iptables.log.
Solution 2
Awesome job, this helped me go down the right path, I appreciate the post.
The only thing I noticed is that I believe the location for LogDenied=all should be /etc/firewalld/firewalld.conf, since /etc/sysconfig/firewalld is for startup command line options. Additionally, the file for rsyslog might be better named with a .conf; sometimes default include statements might not look for a .log file.
Really good job VanagaS!
ref: https://firewalld.org/documentation/man-pages/firewalld.conf.html
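As an added example (not code from either answer, nor from the firewalld or rsyslog projects), the following POSIX shell script applies both steps described above in an idempotent way, using the /etc/firewalld/firewalld.conf path from the second answer, and then summarizes the denial lines that land in the log. The LogDenied values it accepts are the ones firewalld.conf(5) documents; the sample log lines in write_sample_log are constructed for this example, and the helper names (set_log_denied, write_rsyslog_snippet, summarize_denied) are this example's own.

```shell
#!/bin/sh
# Added example (not code from either answer): apply the LogDenied setting and
# the rsyslog split described in this thread idempotently, and summarize the
# resulting log lines. Assumed for this example: the paths below (overridable
# via the environment so the functions can be exercised on scratch files
# without root) and the constructed sample log in write_sample_log.
set -eu

FIREWALLD_CONF="${FIREWALLD_CONF:-/etc/firewalld/firewalld.conf}"
RSYSLOG_SNIPPET="${RSYSLOG_SNIPPET:-/etc/rsyslog.d/custom_iptables.conf}"
DENIED_LOG="${DENIED_LOG:-/var/log/iptables.log}"

# Set LogDenied=<value> in a firewalld.conf-style file: replace the existing
# key once if present, append it if absent. Accepted values per firewalld.conf(5).
set_log_denied() {
    conf="$1"; value="$2"
    case "$value" in
        all|unicast|broadcast|multicast|off) ;;
        *) echo "set_log_denied: invalid value '$value'" >&2; return 1 ;;
    esac
    if [ -f "$conf" ] && grep -q '^LogDenied=' "$conf"; then
        sed "s/^LogDenied=.*/LogDenied=$value/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'LogDenied=%s\n' "$value" >> "$conf"
    fi
}

# Effective LogDenied value of a config file; firewalld's default is "off".
get_log_denied() {
    sed -n 's/^LogDenied=//p' "$1" 2>/dev/null | tail -n 1 | grep . || echo off
}

# rsyslog snippet: each filter line needs its own "& stop", otherwise the
# matching messages are also written to the default log (e.g. /var/log/messages).
write_rsyslog_snippet() {
    cat > "$1" <<EOF
:msg,contains,"_DROP" $2
& stop
:msg,contains,"_REJECT" $2
& stop
EOF
}

# Constructed sample of what the kernel LOG target emits with the prefixes
# shown in the thread (RFC 5737 documentation addresses, not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
Sep 18 10:00:01 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 18 10:00:02 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 18 10:00:03 host kernel: e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex
Sep 18 10:00:04 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 DF PROTO=TCP SPT=51000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 18 10:00:05 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 18 10:00:06 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 18 10:00:07 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=68 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=UDP SPT=5353 DPT=161 LEN=48
EOF
}

# Count denied packets per (source, destination port, prefix), most frequent
# first. Output lines look like: "<count> <src> <dpt> <prefix>".
summarize_denied() {
    grep -E '(_DROP|_REJECT): ' "$1" \
    | sed -E -n 's/.*(IN_[A-Za-z0-9]+_DROP|FINAL_REJECT): .*SRC=([0-9.]+) .*DPT=([0-9]+).*/\2 \3 \1/p' \
    | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# The single busiest (source, port) pair, handy for a quick triage check.
top_denied() { summarize_denied "$1" | head -n 1; }

# Apply to the live system (needs root) when run as: sh thisscript.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set_log_denied "$FIREWALLD_CONF" all
    write_rsyslog_snippet "$RSYSLOG_SNIPPET" "$DENIED_LOG"
    systemctl restart firewalld rsyslog
fi
```

Run it with --apply as root to write both files and restart the two services; without arguments it only defines the functions, so it can be sourced and pointed at scratch copies of the config files first. Once denials are flowing into the log, summarize_denied gives a quick per-source, per-port view of what the firewall is rejecting, which is the check that tells you the LogDenied setting and the rsyslog split are actually working.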
Matt B, updated on September 18, 2022

Comments
- Matt B, over 1 year: I am using Firewalld and the drop zone is the default zone with an interface assigned to the zone. I then have rich rules to allow some traffic through the drop zone and I have enabled firewall-cmd --set-log-denied=all. I would have thought that this would log anything that attempts to connect to the server that doesn't come from the white-listed rich rule... but it won't log. I ran port scans against the server and the /var/log/messages doesn't show any of the denied ports logs. However, when I set the default zone to public and assign the interface to public, it does log denied packets when I run another port scan. Why?
- VanagaS, over 4 years: Thank you for the heads up!
- VanagaS, over 4 years: Please follow as advised by #kondor6c in one of the answers.
- ven42, about 3 years: In your custom_iptables.conf, you will likely also want to add a "& stop" line after the "_DROP" line, not just after the "_REJECT" line. A "& stop" line only applies to the one line immediately above it. As it's currently written, "_DROP" messages will get double-logged to both the iptables.log file and the main system log.