How to enable firewalld logging for denied packets on Linux

How do I enable firewalld logging for denied packets on Linux so that I can see which packets were dropped or rejected? How can I view a log of the traffic blocked by firewalld on CentOS, RHEL (Red Hat Enterprise Linux), SUSE or openSUSE Linux?

firewalld provides a dynamically managed firewall for Linux that protects your network connections, services and interfaces, grouped into zones. This page explains how to use firewalld's LogDenied option to log the packets that firewalld drops or rejects, and how to read and file those log entries.


How to enable firewalld logging on Linux

The LogDenied option lives in the /etc/firewalld/firewalld.conf file; it can also be set with the firewall-cmd command or the firewall-config GUI. Once enabled, the kernel logs every packet that firewalld's default and final rules reject or drop. Try any one of the following methods:

Configuring logging for denied packets {firewalld.conf method}

Edit the /etc/firewalld/firewalld.conf, enter:
sudo vi /etc/firewalld/firewalld.conf
Find:
LogDenied=off
Replace:
LogDenied=all
Save and close the file in vi/vim. Restart the firewalld service, run:
sudo systemctl restart firewalld.service
OR
sudo systemctl reload firewalld.service
OR
sudo firewall-cmd --reload
By default the LogDenied option is turned off. Setting it adds logging rules right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules, and before the final reject and drop rules in zones. Possible values are: all, unicast, broadcast, multicast and off. The three packet-type values log only packets of that link-layer type, so unicast is a quieter choice on a server because it leaves out broadcast and multicast chatter. Matching packets are written to the kernel log with a prefix such as FINAL_REJECT: (see the sample output below). Note that LogDenied does not log packets denied by your own rich rules; a rich rule logs only if it carries its own log element. For shell scripts we can combine the grep command and sed command as follows:

grep '^LogDenied' /etc/firewalld/firewalld.conf
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf && echo "Change it" || echo "No need to change"
# Rewrite only while the setting is still off; GNU sed keeps a copy as firewalld.conf.bak
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf && sudo sed -i.bak 's/^LogDenied=off/LogDenied=all/I' /etc/firewalld/firewalld.conf

Follow the sed with one of the reload commands above so that firewalld picks up the new value.

Firewalld enable logging {firewall-cmd method}

In this method we are going to use the firewall-cmd command as follows.

Find and list the current LogDenied setting

sudo firewall-cmd --get-log-denied

Change the LogDenied setting

sudo firewall-cmd --set-log-denied=all
Verify it:
sudo firewall-cmd --get-log-denied
The --set-log-denied option writes the new value to /etc/firewalld/firewalld.conf and reloads firewalld for you, so no separate restart is needed.

Screenshot: log dropped packets using firewalld in CentOS or RHEL 7/8

Enabling firewalld log using a GUI configuration tool {firewall-config method}

Desktop users on Fedora, CentOS, RHEL or openSUSE can use the GUI instead. Open a terminal window and start the firewalld GUI configuration tool, firewall-config (it ships in the package of the same name), as follows:
firewall-config

Screenshot: the firewalld GUI configuration tool (firewall-config) on CentOS/RHEL/Fedora/openSUSE

Find and click the “Options” menu and select “Change Log Denied” option. Choose the new LogDenied setting from the menu and click OK:
Screenshot: the "Change Log Denied" dialog in firewall-config

How do I view denied packets?

The LogDenied rules use the kernel's netfilter logging, so the entries land in the kernel ring buffer and in the systemd journal. Use the journalctl command (-k limits the output to kernel messages) or dmesg combined with the grep command:
journalctl -k -e
OR we use the combination of dmesg and grep as follows:
dmesg
dmesg | grep -iE '_(DROP|REJECT)'

Sample outputs:

[20042.637753] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=218.26.176.3 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=55921 PROTO=TCP SPT=57604 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0 
[20046.765558] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=80.82.70.239 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=57597 PROTO=TCP SPT=44042 DPT=3464 WINDOW=1024 RES=0x00 SYN URGP=0 
[20047.814002] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=120.147.208.68 DST=172.xxx.yyy.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=26712 DF PROTO=TCP SPT=61102 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[20055.064170] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=192.241.218.101 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=43855 DPT=2082 WINDOW=65535 RES=0x00 SYN URGP=0 
[20069.898251] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=80.82.70.239 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=28418 PROTO=TCP SPT=44042 DPT=3489 WINDOW=1024 RES=0x00 SYN URGP=0 
[20083.001724] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=40426 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 
[20086.000830] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=40888 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0 
[20092.000875] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=41676 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0 
[20117.283302] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=124.156.241.62 DST=172.xxx.yyy.zzz LEN=40 TOS=0x08 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=46206 DPT=9997 WINDOW=65535 RES=0x00 SYN URGP=0 
[20120.870817] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=202.141.249.180 DST=172.xxx.yyy.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=28320 DF PROTO=TCP SPT=53409 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[20129.579209] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=185.176.27.110 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=62492 PROTO=TCP SPT=56008 DPT=3334 WINDOW=1024 RES=0x00 SYN URGP=0 
[20160.927205] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=201.25.123.138 DST=172.xxx.yyy.zzz LEN=52 TOS=0x08 PREC=0x20 TTL=112 ID=9284 DF PROTO=TCP SPT=63427 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0 
[20172.446500] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=198.46.135.194 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=5662 PROTO=TCP SPT=41553 DPT=8423 WINDOW=1024 RES=0x00 SYN URGP=0
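Reading that output by eye does not scale: the sample above is already a stream of SYNs to 445 (SMB), 3389 (RDP), 1433 (MSSQL) and similar ports from internet scanners. The following POSIX shell script is an added example, not code from the original article, that turns such kernel log lines into a short summary: busiest destination ports, noisiest sources, and sources that probed several distinct ports (a cheap port-scan indicator). The function names (denied_only, top_dports, top_sources, port_scanners) are my own, and the embedded SAMPLE_LOG is constructed for this example, mirroring the format shown above with the MAC/TOS/ID fields trimmed and two unrelated kernel lines added to show that the filter keys on firewalld's "_DROP: " and "_REJECT: " prefixes rather than on the word DROP.

```shell
#!/bin/sh
# Added example (not part of the original article): summarise firewalld
# LogDenied entries from the kernel log. The functions read log lines on
# stdin, so on a live host feed them `dmesg` or `journalctl -k` output.
set -eu

# Constructed sample in the netfilter log format shown in the article
# (MAC/TOS/ID fields trimmed). Two non-firewall kernel lines are included
# on purpose: "Dropbear" must not be mistaken for a dropped packet.
SAMPLE_LOG='[20042.637753] FINAL_REJECT: IN=eth0 OUT= SRC=218.26.176.3 DST=172.16.0.10 LEN=40 TTL=240 PROTO=TCP SPT=57604 DPT=1433 SYN
[20047.814002] FINAL_REJECT: IN=eth0 OUT= SRC=120.147.208.68 DST=172.16.0.10 LEN=48 TTL=111 PROTO=TCP SPT=61102 DPT=445 SYN
[20083.001724] FINAL_REJECT: IN=eth0 OUT= SRC=95.217.132.22 DST=172.16.0.10 LEN=52 TTL=113 PROTO=TCP SPT=51883 DPT=3389 SYN
[20086.000830] FINAL_REJECT: IN=eth0 OUT= SRC=95.217.132.22 DST=172.16.0.10 LEN=52 TTL=113 PROTO=TCP SPT=51883 DPT=3389 SYN
[20092.000875] FINAL_REJECT: IN=eth0 OUT= SRC=95.217.132.22 DST=172.16.0.10 LEN=52 TTL=113 PROTO=TCP SPT=51883 DPT=3389 SYN
[20098.120000] FINAL_REJECT: IN=eth0 OUT= SRC=95.217.132.22 DST=172.16.0.10 LEN=52 TTL=113 PROTO=TCP SPT=51884 DPT=3389 SYN
[20046.765558] FINAL_REJECT: IN=eth0 OUT= SRC=80.82.70.239 DST=172.16.0.10 LEN=40 TTL=240 PROTO=TCP SPT=44042 DPT=3464 SYN
[20069.898251] FINAL_REJECT: IN=eth0 OUT= SRC=80.82.70.239 DST=172.16.0.10 LEN=40 TTL=237 PROTO=TCP SPT=44042 DPT=3489 SYN
[20071.100000] FINAL_REJECT: IN=eth0 OUT= SRC=80.82.70.239 DST=172.16.0.10 LEN=40 TTL=237 PROTO=TCP SPT=44042 DPT=3400 SYN
[20120.870817] FINAL_REJECT: IN=eth0 OUT= SRC=202.141.249.180 DST=172.16.0.10 LEN=48 TTL=110 PROTO=TCP SPT=53409 DPT=445 SYN
[20160.927205] public_DROP: IN=eth0 OUT= SRC=201.25.123.138 DST=172.16.0.10 LEN=52 TTL=112 PROTO=TCP SPT=63427 DPT=445 SYN
[20161.000000] public_DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=172.16.0.10 LEN=52 TTL=112 PROTO=TCP SPT=40001 DPT=445 SYN
[20162.000000] FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.10 DST=172.16.0.10 LEN=52 TTL=112 PROTO=TCP SPT=40002 DPT=445 SYN
[20165.000000] public_DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=172.16.0.10 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[20170.000000] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex
[20171.000000] systemd[1]: Started Dropbear SSH server.'

# Keep only firewalld denied-packet lines (FINAL_REJECT:, public_DROP:, ...).
denied_only() {
    grep -E '_(DROP|REJECT): '
}

# "<count> <proto>/<dport>", busiest first. Packets without a DPT (ICMP)
# are counted as "<proto>/-".
top_dports() {
    denied_only | awk '
        { proto = "?"; dpt = "-"
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^PROTO=/) proto = substr($i, 7)
              else if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          n[proto "/" dpt]++ }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# "<count> <src>", noisiest source first.
top_sources() {
    denied_only | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Sources that hit at least N distinct destination ports ("<src> <nports>"),
# a cheap horizontal port-scan indicator. N defaults to 3.
port_scanners() {
    denied_only | awk -v min="${1:-3}" '
        { src = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/) src = substr($i, 5)
              else if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++ }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' | sort -k2,2nr -k1,1
}

# Demo over the constructed sample. On a live host replace the printf with
# `dmesg` or `journalctl -k` (as root, or a member of the systemd-journal group).
echo "== denied packets by destination port =="
printf '%s\n' "$SAMPLE_LOG" | top_dports
echo "== denied packets by source =="
printf '%s\n' "$SAMPLE_LOG" | top_sources
echo "== sources probing 3 or more distinct ports =="
printf '%s\n' "$SAMPLE_LOG" | port_scanners 3
```

The port summary tells you which services the internet is looking for on this host, the source summary tells you who to rate-limit or block, and the scanner list separates repeated attempts at one port (such as the RDP retries from 95.217.132.22 in the sample) from an address walking through ports. The filter anchors on the prefix plus colon, so naive matching on the word DROP, which would also catch the Dropbear line, is avoided.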

How to log all dropped packets to /var/log/firewalld-droppd.log file

Create a new config file called /etc/rsyslog.d/firewalld-droppd.conf on your CentOS/RHEL 7/8 server:
$ sudo vim /etc/rsyslog.d/firewalld-droppd.conf
Append the following configuration. Each selector needs its own & stop line; with a single & stop after the last selector only the _REJECT matches would be stopped, and the _DROP entries would still be copied to /var/log/messages as well:

:msg,contains,"_DROP" /var/log/firewalld-droppd.log
& stop
:msg,contains,"_REJECT" /var/log/firewalld-droppd.log
& stop

The stop discards a matched message after it has been written, so it no longer appears in /var/log/messages; leave the two & stop lines out if you want both copies. Because the filter matches on message text, any other log line containing _DROP or _REJECT ends up in this file too, and on an internet-facing host the file grows quickly, so give it a logrotate entry. Restart rsyslog:
$ sudo systemctl restart rsyslog.service
Now watch the log using the tail command (or cat, grep and egrep):
$ sudo tail -f /var/log/firewalld-droppd.log

Conclusion

Keeping an eye on the packets firewalld rejects and drops is a routine task for Linux system administrators: it shows which ports scanners are probing, confirms that your zones deny what you expect them to, and helps debug a service that is unreachable because the firewall blocks it. Enable LogDenied, file the entries where you can search them, and review them regularly on RHEL/CentOS/Fedora and SUSE/openSUSE Linux. See the firewalld documentation (man firewalld.conf and man firewall-cmd) for more info.

This entry is 4 of 4 in the Linux FirewallD Tutorial series. Keep reading the rest of the series:
  1. RHEL 8 FirewallD
  2. CentOS 8 FirewallD
  3. OpenSUSE 15.1 FirewallD
  4. Enable FirewallD logging for denied packets
