13

I'm running Fedora 20 and would like to see what my firewall is doing in the background. Is it possible to view a log of the traffic blocked by FirewallD?

Jeff Schaller
David Armstrong
  • [Configuring Logging for Denied Packets](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/configuring_logging_for_denied_packets) – stackprotector Jun 15 '22 at 08:27

4 Answers

16

I know this is a dated post, but I've been searching for this today, and have found tons of old blogs that attempt to address this issue. For the public, this update from Red Hat should be more available than only to subscribers:

Upgrade to firewalld-0.4.3.2-8.el7 from Errata RHSA-2016:2597

Specify which packets should be logged:

```
firewall-cmd --set-log-denied=<value>
```

value may be one of: all, unicast, broadcast, multicast, or off

Source: https://access.redhat.com/solutions/1191593

liberteh
7

According to this page, the FirewallD logs are at /var/log/firewalld. To get debug messages, you need to run it with --debug or --debug=2.

Michael Mrozek
rickhg12hs
7

You need to append the following line to /etc/sysconfig/firewalld for maximum details:

```
FIREWALLD_ARGS=--debug=10
```

Then restart the firewalld service:

```
sudo systemctl restart firewalld
```

It's better than editing /usr/lib/systemd/system/firewalld.service.

TPS
zlyoha
6

For logging the traffic blocked by firewalld, the following approach with rsyslogd worked for me:

Edit /etc/sysconfig/firewalld and update the value for LogDenied to all (or as required):

```
LogDenied=all
```

Restart firewalld:

```
sudo systemctl restart firewalld
```

This typically adds logging rules just before the reject/drop rules in the firewall, something like:

```
LOG  all  --  anywhere   anywhere  LOG level warning prefix "IN_drop_DROP: "
LOG  all  --  anywhere   anywhere  LOG level warning prefix "FINAL_REJECT: "
```

Create a file named /etc/rsyslog.d/custom_iptables.conf (note the extension is .conf) and add the following statements to it:

```
:msg,contains,"_DROP" /var/log/iptables.log
:msg,contains,"_REJECT" /var/log/iptables.log
& stop
```

Restart rsyslog:

```
sudo systemctl restart rsyslog
```

Now the dropped and rejected packets will be logged to /var/log/iptables.log.

Girish
VanagaS
  • +1, I confirm seeing rejected entries in `journalctl -f`. FWIW, initially, basing on the other answer, I only did the LogDenied=all part, but it was not enough. – Hi-Angel Sep 13 '19 at 23:39
  • 1
    since nowadays firewalld doesn't use iptables by default, may I recommend to rename `_iptables.conf` → to `_firewalld.conf` to lessen confusion? – Hi-Angel Sep 13 '19 at 23:41
  • Ok, I'm just redoing this on the other PC using this answer, and I noted one discrepancy worth mentioning: I don't have `/etc/sysconfig` dir, instead I'm editing `/etc/firewalld/firewalld.conf` file. I didn't notice it the last time I used this answer because `LogDenied=all` step I did using the other answer. – Hi-Angel Sep 20 '19 at 06:49
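An added example that is not part of any answer on this page: a small Python script that makes the same selection as the rsyslog filter in the answer above (lines whose LOG prefix ends in `_DROP` or `_REJECT`) and then parses the netfilter `key=value` fields, so the denied traffic that LogDenied produces can be summarised by rule prefix, source address and destination port instead of being read line by line. The log excerpt, host name, addresses and ports are constructed for this example; the prefixes `FINAL_REJECT` and `IN_drop_DROP` are the ones shown in the answer. Feed it the output of `journalctl -k` or the contents of /var/log/iptables.log on a real system.

```python
import re
from collections import Counter

# Constructed sample in the shape syslog/journalctl show for the netfilter LOG
# rules firewalld installs with LogDenied (prefixes as in the answer above).
# Host, addresses and ports are made up for this example; the sshd line is
# there to show that unrelated messages are skipped.
SAMPLE_LOG = """\
Sep 13 23:30:01 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=41022 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 13 23:30:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41023 DPT=23 SYN URGP=0
Sep 13 23:30:05 host kernel: IN_drop_DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=44 PROTO=UDP SPT=5353 DPT=5353
Sep 13 23:30:06 host sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2
Sep 13 23:30:09 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41024 DPT=445 SYN URGP=0
"""

# Same selection the rsyslog rules in the answer make (msg contains "_DROP"
# or "_REJECT"): a kernel line whose LOG prefix ends in _DROP or _REJECT.
# Everything after the prefix is the netfilter key=value dump.
LOG_LINE = re.compile(
    r"kernel: (?P<prefix>[A-Za-z0-9_]+_(?:DROP|REJECT)): (?P<fields>.*)$"
)
KEY_VALUE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for a firewalld LOG line, or None for any other line."""
    m = LOG_LINE.search(line)
    if m is None:
        return None
    fields = m.group("fields")
    record = {"prefix": m.group("prefix"), "timestamp": line[:15]}
    # key=value tokens (OUT= is legitimately empty for an inbound packet)
    record.update(dict(KEY_VALUE.findall(fields)))
    # bare tokens such as DF, SYN, ACK are flags without a value
    record["flags"] = [tok for tok in fields.split() if "=" not in tok]
    return record


def parse_log(text):
    """Parse every matching line of a syslog/journal excerpt; skip the rest."""
    records = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Count denied packets by rule prefix and by (source, protocol, dest port)."""
    by_prefix = Counter(r["prefix"] for r in records)
    by_target = Counter(
        (r.get("SRC", "?"), r.get("PROTO", "?"), r.get("DPT", "-")) for r in records
    )
    return {"by_prefix": by_prefix, "by_target": by_target}


def top_sources(records, n=3):
    """The n source addresses that hit deny rules most often."""
    return Counter(r.get("SRC", "?") for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarize(recs)
    print("denied packets by rule prefix:", dict(summary["by_prefix"]))
    for (src, proto, dpt), count in summary["by_target"].most_common():
        print(f"{count:3d}  {src:<15} {proto:<4} dport {dpt}")
    print("top sources:", top_sources(recs))
```

The prefix regex is deliberately anchored on `kernel:` and on the `_DROP`/`_REJECT` suffix rather than on the literal rule names, because the prefix firewalld generates carries the zone name (`IN_drop_DROP` for the drop zone, `IN_public_DROP` for public, and so on), so one pattern covers every zone while still ignoring unrelated kernel messages.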