Wondering how to enable FirewallD logging for denied packets on Linux? We can help you with it.
Here at Bobcares, we have seen several such FirewallD related queries as part of our Server Management Services for web hosts and online service providers.
Today we’ll take a look at how to enable FirewallD logging for denied packets on Linux.
How to enable FirewallD logging for denied packets on Linux
Now let’s take a look at how our Support Engineers enable the FirewallD logging.
In the /etc/firewalld/firewalld.conf file, we can set LogDenied options. Another option is to use the firewall-cmd command. After enabling it, the Linux system will log all the packets that are rejected or dropped by FirewallD. There are multiple methods to enable FirewallD logging. They are:
1. firewalld.conf method
2. firewall-cmd method
3. firewall-config method
1. Configuring logging for denied packets {firewalld.conf method}
First, we edit the /etc/firewalld/firewalld.conf.
sudo vi /etc/firewalld/firewalld.confCopy Code
In this file, we find the below code.
LogDenied=off
Then we replace it with below:
LogDenied=all
After that, we save and close the file. Then we restart the FirewallD service by running the below command.
sudo systemctl restart firewalld.serviceCopy Code
The LogDenied option is turned off by default. The LogDenied option turns on logging rules right before reject and drop rules in the INPUT, FORWARD, and OUTPUT chains for the default rules and also final reject and drop rules in zones. The possible values are all, unicast, broadcast, multicast, and off.
For shell scripts we can use the combination of the grep command and sed command as below:
grep '^LogDenied' /etc/firewalld/firewalld.conf
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf && echo "Change it" || echo "No need to change"
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf | sed -i'Backup' 's/LogDenied=off/LogDenied=all/' /etc/firewalld/firewalld.confCopy Code
2. Firewalld enable logging {firewall-cmd method} on Linux
First, we find and list the actual LogDenied settings
sudo firewall-cmd --get-log-deniedCopy Code
Next, we change the actual LogDenied settings
sudo firewall-cmd --set-log-denied=allCopy Code
After that, we verify it by running the below command.
sudo firewall-cmd --get-log-deniedCopy Code
3. Enable FirewallD log using a GUI configuration tool {firewall-config method}
Fedora or CentOS or OpenSUSE desktop users can try the GUI method.
First, we open the terminal window and then open the FirewallD GUI configuration tool. In other words, start firewall-config as follows:
firewall-configCopy Code
Now, we find and click the “Options” menu and select the “Change Log Denied” option. Here, we choose the new LogDenied setting from the menu and click OK.
How to view denied packets?
In order to view the denied packets, we run the below command.
journalctl -x -eCopy Code
Or else, we use the combination of dmesg and grep as follows:
dmesg
dmesg | grep -i REJECTCopy Code
How to log all dropped packets to /var/log/firewalld-droppd.log file
First, we create a new config file called /etc/rsyslog.d/firewalld-droppd.conf on the CentOS/RHEL v7/8 server.
$ sudo vim /etc/rsyslog.d/firewalld-droppd.confCopy Code
Then we append the following configuration
:msg,contains,"_DROP" /var/log/firewalld-droppd.log :msg,contains,"_REJECT" /var/log/firewalld-droppd.log & stop
$ sudo systemctl restart rsyslog.serviceCopy Code
Finally, we can watch the log using the cat command/grep command/egrep command or tail command:
$ sudo tail -f /var/log/firewalld-droppd.logCopy Code
[Need any further assistance with FirewallD related queries? – We are here to help you.]
Conclusion
It is an important task to keep an eye on the rejected and dropped packets using FirewallD for Linux system administrators. In today’s writeup, we saw how our Support Engineers enable FirewallD logging for denied packets on Linux.
GREAT! Thank you very much. It took me a while to find out which log file the denied requests would end up in.