How to enable firewalld logging for denied packets on Linux

last updated in Categories , , , , ,

How do I enable FirewallD logging for denied packets on Linux operating systems so that I can view all dropped packets information? How can I view a log of the traffic blocked by FirewallD under a CentOS/RHEL (Red Hat Enterprise Linux)/Suse/OpenSUSE Linux?

The firewalld gives a dynamically managed Linux firewall to protect your network connections, services, and interfaces. This page explains how to use the LogDenied option in the firewalld to enable a logging mechanism for denied packets on Linux operating systems.

Advertisements

How to enable firewalld logging on Linux

We can set LogDenied options in the /etc/firewalld/firewalld.conf file. Another option is to use the firewall-cmd command. Once enabled, your Linux box will log all the packets that are rejected or dropped by FirewallD.

Method # 1 – Configuring logging for denied packets

Edit the /etc/firewalld/firewalld.conf, enter:
sudo vi /etc/firewalld/firewalld.conf
Find:
LogDenied=off
Replace:
LogDenied=all
Save and close the file in vi/vim. Restart the firewalld service, run:
sudo systemctl restart firewalld.service
OR
sudo systemctl reload firewalld.service
OR
sudo firewall-cmd --reload
By default LogDenied option is turned off. The LogDenied option turns on logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones. Possible values are: all, unicast, broadcast, multicast and off. For shell scripts we can use the combination of the grep command and sed command as follows:

grep '^LogDenied' /etc/firewalld/firewalld.conf
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf && echo "Change it" || echo "No need to change"
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf | sed -i'Backup' 's/LogDenied=off/LogDenied=all/' /etc/firewalld/firewalld.conf

Method # 2 – Firewalld enable logging

In this method we are going to use the firewall-cmd command as follows.

Find and list the actual LogDenie settings

sudo firewall-cmd --get-log-denied

Change the actual LogDenie settings

sudo firewall-cmd --set-log-denied=all
Verify it:
sudo firewall-cmd --get-log-denied

Firewalld log denied packets
Log dropped packets using firewalld in CentOS or RHEL 7/8

Method # 3 – firewalld GUI configuration tool

Open the firewalld GUI configuration tool. In other words, start firewall-config. Open the Terminal app and type:
firewall-config

CentOS RHEL Fedora OpenSUSE Linux enable firewalld logging GUI
firewalld GUI configuration tool

Find and click the “Options” menu and select “Change Log Denied” option. Choose the new LogDenied setting from the menu and click OK:
FirewallD configuring logging for denied packets in Linux

How do I view denied packets?

Use the grep command or journalctl command:
journalctl -x -e
OR we use the combination of dmesg and grep as follows:
dmesg
dmesg | grep -i REJECT

Sample outputs:

[20042.637753] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=218.26.176.3 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=55921 PROTO=TCP SPT=57604 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 
[20046.765558] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=80.82.70.239 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=57597 PROTO=TCP SPT=44042 DPT=3464 WINDOW=1024 RES=0x00 SYN URGP=0 
[20047.814002] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=120.147.208.68 DST=172.xxx.yyy.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=26712 DF PROTO=TCP SPT=61102 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[20055.064170] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=192.241.218.101 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=43855 DPT=2082 WINDOW=65535 RES=0x00 SYN URGP=0 
[20069.898251] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=80.82.70.239 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=28418 PROTO=TCP SPT=44042 DPT=3489 WINDOW=1024 RES=0x00 SYN URGP=0 
[20083.001724] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=40426 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 
[20086.000830] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=40888 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 
[20092.000875] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=41676 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0 
[20117.283302] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=124.156.241.62 DST=172.xxx.yyy.zzz LEN=40 TOS=0x08 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=46206 DPT=9997 WINDOW=65535 RES=0x00 SYN URGP=0 
[20120.870817] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=202.141.249.180 DST=172.xxx.yyy.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=28320 DF PROTO=TCP SPT=53409 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[20129.579209] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=185.176.27.110 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=62492 PROTO=TCP SPT=56008 DPT=3334 WINDOW=1024 RES=0x00 SYN URGP=0 
[20160.927205] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=201.25.123.138 DST=172.xxx.yyy.zzz LEN=52 TOS=0x08 PREC=0x20 TTL=112 ID=9284 DF PROTO=TCP SPT=63427 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[20172.446500] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=198.46.135.194 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=5662 PROTO=TCP SPT=41553 DPT=8423 WINDOW=1024 RES=0x00 SYN URGP=0

Conclusion

Keeping an eye on rejected and dropped packets using firewalld is an essential task for Linux system administrators. It allows you to avoid security issues and monitor attacks. Hence, we must enable and log dropped packets using firewalld in RHEL/CentOS/Fedora and SUSE/OpenSUSE Linux. See firewalld docs here for more info.

This entry is 4 of 4 in the Linux FirewallD Tutorial series. Keep reading the rest of the series:
  1. RHEL 8 FirewallD
  2. CentOS 8 FirewallD
  3. OpenSUSE 15.1 FirewallD
  4. Enable FirewallD logging for denied packets

ADVERTISEMENTS

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Start the discussion at www.nixcraft.com

Historical Comment Archive

1 comment

    Still, have a question? Get help on our forum!