Where do I enable firewall logs and set its levels?

Couldn’t find it in Yast-Firewall or did I miss it?
I don’t know if firewall logging is already enabled but my /var/log/firewall, firewalld are empty atm.
I’d like to have it enabled and logging level at warning or something?

OK, I found the thread saying the log is in

sudo journalctl -u SuSEfirewall2

Also, I found the YaST firewall option “change log denied”. It’s currently off. Does that mean it doesn’t log denied attempts? I’m changing it to all.

First check if you are still running SuSEfirewall2 or firewalld.

Check the current status with

sudo systemctl status firewalld
sudo systemctl status SuSEfirewall2

Assuming firewalld is running, you can launch the GUI with

su -c firewall-config

and under the options menu it is possible to change the ‘Log Denied’ value as desired.

Log Denied Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones. Possible values are: all, unicast, broadcast, multicast and off.

LogDenied=off

I’ve changed it to log all. I suppose it’s now logging all denied access in /var/log/firewalld?
I don’t know if that’s the highest level of logging but my /var/log/firewalld is still empty.

I googled a bit more and found there’s this setting at /etc/sysconfig/firewalld, where one can set
FIREWALLD_ARGS=--debug=10 (mine is currently empty after “=”)

Should I touch this setting if I want more activity in the log?

Did you restart the firewalld after changing the log option?

Given that “bonedriven” is using the Red Hat “firewalld”, within the Firewalld configuration there’s a, IMHO, very confusing configuration parameter in ‘/etc/firewalld/firewalld.conf’:

  • LogDenied

According to the man page:

The default setting is off, which disables the logging.

AFAICS, this means that if “LogDenied” is set to one of ‘all’, ‘unicast’, ‘broadcast’ or ‘multicast’ then logging will occur for everything except the defined logging level. I haven’t tested this yet but will check, possibly later today …

Correction:

At a guess, “LogDenied” means «Log packets denied»: meaning, provided the interface isn’t assigned to the zone “trusted” – ‘nothing is denied’ – the denied packets of type ‘unicast’, ‘broadcast’ or ‘multicast’ or ‘all’, will be logged …

Yeah, I rebooted the machine. I’m just surprised the firewalld log is always empty, after hours of running.

I agree. I’ve set up the standard zone “block” – assigned to the interface “eth0” – logging “all” denied packets …

  • Rebooted.
  • In /var/log/firewalld – nothing …
  • In the systemd journal: yes – lots of traces like this: “kernel: IN_block_REJECT: IN=eth0 OUT= MAC= SRC=fe80:0000:0000:0000:16da:e9ff:feec:a04d DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=527 TC=0 HOPLIMIT=255 FLOWLBL=804001 PROTO=UDP SPT=5353 DPT=5353 LEN=487”

Why the system is running, not nicely, but running – I have absolutely no idea …

  • At boot time, packets were being blocked before wicked enabled the interface …

Reference URLs:
Debug firewalld: <https://firewalld.org/documentation/howto/debug-firewalld.html>.
How to log drops and rejects by firewalld – as of 2014, you can’t: <https://ask.fedoraproject.org/en/question/45014/how-to-log-drops-and-rejects-by-firewalld/>.
Logging Packet Drops in Firewalld: <https://bluehatrecord.wordpress.com/2014/04/17/logging-packet-drops-in-firewalld/>.

As a test I configured the firewall on a host (192.168.0.12) with

firewall-cmd --set-log-denied=all

The firewall had no allowed services configured and I then attempted to connect via another host (192.168.0.10) using SSH.

This failed attempt was logged in /var/log/firewall (as expected)…

2019-02-02T17:18:19.850216+13:00 linux-l31z kernel: [14210.811086] FINAL_REJECT: IN=eth0 OUT= MAC=08:00:27:74:e4:b1:94:b8:6d:b3:f8:f3:08:00 SRC=192.168.0.10 DST=192.168.0.12 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9940 DF PROTO=TCP SPT=55055 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0 
2019-02-02T17:18:22.850093+13:00 linux-l31z kernel: [14213.811265] FINAL_REJECT: IN=eth0 OUT= MAC=08:00:27:74:e4:b1:94:b8:6d:b3:f8:f3:08:00 SRC=192.168.0.10 DST=192.168.0.12 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9941 DF PROTO=TCP SPT=55055 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

FWIW, additional flexibility with logging can be achieved using rich-rules as described in this blog…
https://bluehatrecord.wordpress.com/2014/04/17/logging-packet-drops-in-firewalld/
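As an added example (not code from this thread), a small Python parser for the netfilter log lines shown above that summarises denied packets per log prefix, source, protocol and destination port, so a scan or a misconfigured client stands out. The sample input is constructed from the two FINAL_REJECT lines quoted in this post plus an IPv6 IN_block_REJECT line modelled on the one quoted earlier in the thread; the journal-style timestamp on that third line is assumed.

```python
import re
from collections import Counter

# Constructed sample input: the two FINAL_REJECT lines quoted in the post above plus one
# IPv6 IN_block_REJECT line of the form shown earlier in the thread (timestamp assumed).
SAMPLE_LOG = """\
2019-02-02T17:18:19.850216+13:00 linux-l31z kernel: [14210.811086] FINAL_REJECT: IN=eth0 OUT= MAC=08:00:27:74:e4:b1:94:b8:6d:b3:f8:f3:08:00 SRC=192.168.0.10 DST=192.168.0.12 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9940 DF PROTO=TCP SPT=55055 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
2019-02-02T17:18:22.850093+13:00 linux-l31z kernel: [14213.811265] FINAL_REJECT: IN=eth0 OUT= MAC=08:00:27:74:e4:b1:94:b8:6d:b3:f8:f3:08:00 SRC=192.168.0.10 DST=192.168.0.12 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=9941 DF PROTO=TCP SPT=55055 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 17:20:01 linux-l31z kernel: IN_block_REJECT: IN=eth0 OUT= MAC= SRC=fe80:0000:0000:0000:16da:e9ff:feec:a04d DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=527 TC=0 HOPLIMIT=255 FLOWLBL=804001 PROTO=UDP SPT=5353 DPT=5353 LEN=487
"""

# A netfilter log line is "<prefix>: KEY=VALUE KEY=VALUE ..." after "kernel:" (optionally
# preceded by a "[seconds]" uptime stamp). The prefix is whatever firewalld put in its LOG
# rule: FINAL_REJECT for the default rules, IN_<zone>_REJECT / IN_<zone>_DROP for a zone.
LINE_RE = re.compile(r"kernel: (?:\[[\d.]+\] )?(?P<prefix>[A-Za-z0-9_]+): (?P<fields>.*)$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

def parse_line(line):
    """Return a dict of the netfilter fields, or None if this is not a firewall log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    # Bare flags such as DF or SYN carry no '='; collect them separately.
    flags = set()
    for tok in m.group("fields").split():
        kv = KV_RE.fullmatch(tok)
        if kv:
            key, val = kv.groups()
            # LEN appears twice on UDP lines (IP length, then UDP length); keep the first.
            rec.setdefault(key, val)
        else:
            flags.add(tok)
    rec["flags"] = flags
    return rec

def summarize_denied(text):
    """Count denied packets per (prefix, SRC, PROTO, DPT); the prefix tells you which
    firewalld rule rejected the packet, the rest tells you who tried what."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["prefix"], rec.get("SRC"), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denied(SAMPLE_LOG).most_common():
        print(n, *key)
```

On a live system the same function can be fed the output of `journalctl -k` or the contents of /var/log/firewall.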

Thank you. So the lesson is to change deny logging to all and look in /var/log/firewall instead of /var/log/firewalld. I can now find the log entries for the dropped packets.

Happy to have been of help. :)