Firewalld - Logging denied packets enabled - not logging


Solution 1

The problem seems to be related to a bug, as said in the comment. However, for those who are still having trouble getting the logging of denied firewall packets to work, the following approach worked for me:

The following worked with firewalld + rsyslogd

Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required)

LogDenied=all

Restart firewalld:

sudo systemctl restart firewalld

Alternatively, using the command line, one can execute the following command:

sudo firewall-cmd --set-log-denied all

This typically adds logging rules just before reject/drop rules in the firewall, something like:

LOG  all  --  anywhere   anywhere  LOG level warning prefix "IN_drop_DROP: "
LOG  all  --  anywhere   anywhere  LOG level warning prefix "FINAL_REJECT: "

Create a file named /etc/rsyslog.d/custom_iptables.conf and add the following statements to it:

:msg,contains,"_DROP" /var/log/iptables.log
& stop
:msg,contains,"_REJECT" /var/log/iptables.log
& stop

Restart rsyslog:

sudo systemctl restart rsyslog

Now the dropped and rejected packets will be logged to /var/log/iptables.log
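
Once the denied packets land in /var/log/iptables.log, the next thing a practitioner wants is a quick picture of who is probing which ports. The script below is an added example, not code from either answer. It assumes the kernel LOG prefixes have the shape shown above ("IN_<zone>_DROP: ", "IN_<zone>_REJECT: " and "FINAL_REJECT: ") and that the lines carry the usual netfilter key=value fields (IN=, SRC=, DST=, PROTO=, DPT=); the sample log lines are constructed for the example, not captured from a real host. It also counts lines that are not firewalld denial entries, which is a cheap way to notice that the rsyslog filter is letting unrelated messages through.

```python
"""Summarize firewalld LogDenied entries that rsyslog wrote to a file.

Added example (not code from the original post). Assumptions:
  * kernel LOG prefixes look like those in the answer:
    "IN_<zone>_DROP: ", "IN_<zone>_REJECT: " or "FINAL_REJECT: ";
  * the standard netfilter fields (IN=, SRC=, DST=, PROTO=, DPT=) are present.
The SAMPLE_LOG lines are constructed for this example, not captured.
"""
import re
from collections import Counter

# firewalld prefix: optional "[ secs]" kernel timestamp, then zone/action or FINAL_REJECT.
PREFIX_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\]\s*)?"
    r"(?:IN_(?P<zone>[^\s:]+?)_(?P<action>DROP|REJECT)|FINAL_REJECT): "
)
# netfilter LOG fields of interest; OUT= is empty for inbound packets.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample: three drops from one scanner, one mDNS reject, one RDP probe,
# and one unrelated sshd line that a leaky rsyslog filter would let through.
SAMPLE_LOG = """\
Sep 18 10:00:01 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 18 10:00:02 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 18 10:00:03 host kernel: IN_drop_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 18 10:00:04 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.5 LEN=74 TOS=0x00 PREC=0x00 TTL=255 ID=4 PROTO=UDP SPT=5353 DPT=5353 LEN=54
Sep 18 10:00:05 host kernel: IN_public_REJECT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=5 DF PROTO=TCP SPT=51234 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 18 10:00:06 host sshd[1234]: Accepted publickey for admin from 203.0.113.7 port 5022 ssh2
"""


def parse_line(line):
    """Parse one syslog line; return a dict for a denied packet, None otherwise."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return {
        "zone": m.group("zone") or "-",           # FINAL_REJECT carries no zone
        "action": m.group("action") or "REJECT",  # FINAL_REJECT is a reject
        "iface": fields.get("IN", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dport": fields.get("DPT", ""),
    }


def summarize(lines):
    """Count denied packets per (src, proto, dport, action).

    Returns (Counter, skipped); skipped is the number of lines that were not
    firewalld denial entries, i.e. messages the rsyslog filter should not have
    routed into this file.
    """
    counts = Counter()
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        counts[(rec["src"], rec["proto"], rec["dport"], rec["action"])] += 1
    return counts, skipped


def top_sources(counts, n=5):
    """Aggregate per source address, most denied packets first (ties by address)."""
    per_src = Counter()
    for (src, _proto, _dport, _action), c in counts.items():
        per_src[src] += c
    return sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:   # e.g. /var/log/iptables.log
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    counts, skipped = summarize(lines)
    for (src, proto, dport, action), c in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{c:5d}  {action:6s} {src:15s} {proto}/{dport}")
    print("top sources:", top_sources(counts))
    print(f"{skipped} line(s) were not firewalld denial entries")
```

Run it as `python3 denied_summary.py /var/log/iptables.log` against the file the rsyslog rules above produce; with no argument it runs over the constructed sample. A non-zero "not firewalld denial entries" count on a real file means the `contains,"_DROP"` / `contains,"_REJECT"` matches are catching messages that are not firewalld's, since those substrings are not unique to it.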

Solution 2

Awesome job, this helped me go down the right path, I appreciate the post.

The only thing I noticed is that I believe the location for LogDenied=all should be /etc/firewalld/firewalld.conf, since /etc/sysconfig/firewalld is for startup command line options. Additionally, the file for rsyslog might be better named with a .conf extension; sometimes default include statements might not look for a .log file.

Really good job VanagaS!

ref: https://firewalld.org/documentation/man-pages/firewalld.conf.html

Author: Matt B

Updated on September 18, 2022

Comments

  • Matt B
    Matt B over 1 year

    I am using Firewalld and the drop zone is the default zone with an interface assigned to the zone.

    I then have rich rules to allow some traffic through the drop zone and I have enabled firewall-cmd --set-log-denied=all. I would have thought that this would log anything that attempts to connect to the server that doesn't come from the white-listed rich rule... but it won't log. I ran port scans against the server and /var/log/messages doesn't show any of the denied port logs.

    However when I set the default zone to public and assign the interface to public, it does log denied packets when I run another port scan.

    Why?

  • VanagaS
    VanagaS over 4 years
    Thank you for the heads up!
  • VanagaS
    VanagaS over 4 years
    Please follow as advised by #kondor6c in one of the answers.
  • ven42
    ven42 about 3 years
    In your custom_iptables.conf, you will likely also want to add a & stop line after the "_DROP" line, not just after the "_REJECT" line. A & stop line only applies to the one line immediately above it. As it's currently written, "_DROP" messages will get double-logged to both the iptables.log file and the main system log.