How to enable firewalld logging for denied packets on Linux


How do I enable FirewallD logging for denied packets on Linux operating systems so that I can view information about all dropped packets? How can I view a log of the traffic blocked by FirewallD under CentOS/RHEL (Red Hat Enterprise Linux)/SUSE/openSUSE Linux? Firewalld provides a dynamically managed Linux firewall that protects your network connections, services, and interfaces. This page explains how to use firewalld's LogDenied option to log denied (dropped or rejected) packets on Linux operating systems.

We can set the LogDenied option in the /etc/firewalld/firewalld.conf file, or change it with the firewall-cmd command. Once enabled, firewalld inserts kernel logging rules in front of its reject and drop rules, so every packet that firewalld rejects or drops produces a kernel log entry on your Linux box. There are multiple methods to enable firewalld logging. Try any one of the following methods:

Configuring logging for denied packets { firewalld.conf method }

Edit the /etc/firewalld/firewalld.conf, enter:

sudo vi /etc/firewalld/firewalld.conf

Find:

LogDenied=off

Replace:

LogDenied=all

Save and close the file in vi/vim. Then restart or reload firewalld so that the new setting takes effect, using any one of the following:

sudo systemctl restart firewalld.service

OR

sudo systemctl reload firewalld.service

OR

sudo firewall-cmd --reload

By default the LogDenied option is turned off. When set, it turns on logging rules right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules, and also before the final reject and drop rules in zones, so each packet the firewall refuses is logged by the kernel before it is discarded. Possible values are: all, unicast, broadcast, multicast and off. On an internet-facing host, all can be noisy; unicast restricts logging to unicast packets, which keeps broadcast and multicast chatter out of the log. For shell scripts we can use the combination of the grep command and the sed command to check the current value and change it only when needed:

grep '^LogDenied' /etc/firewalld/firewalld.conf
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf && echo "Change it" || echo "No need to change"
# Keep a backup (firewalld.conf.bak), switch off to all, then reload so the change takes effect
grep -q -i '^LogDenied=off' /etc/firewalld/firewalld.conf && sudo sed -i.bak 's/^LogDenied=off/LogDenied=all/' /etc/firewalld/firewalld.conf && sudo firewall-cmd --reload

Firewalld enable logging { firewall-cmd method }

In this method we are going to use the firewall-cmd command as follows.

Find and list the current LogDenied setting:

sudo firewall-cmd --get-log-denied

Change the LogDenied setting. This is both a runtime and a permanent change (it is written to /etc/firewalld/firewalld.conf), so no separate restart is needed:

sudo firewall-cmd --set-log-denied=all

Verify it:

sudo firewall-cmd --get-log-denied



Enabling firewalld log using a GUI configuration tool { firewall-config method }

Fedora, CentOS or openSUSE desktop users can use the GUI method. Open a terminal window and start the firewalld GUI configuration tool, firewall-config, as follows:

firewall-config

Find and click the “Options” menu, select the “Change Log Denied” option, choose the new LogDenied setting from the menu and click OK.

How do I view denied packets?

The logging rules are kernel LOG rules, so denied packets show up in the kernel ring buffer and in the systemd journal (journalctl -k restricts the output to kernel messages). Use the grep command or journalctl command:

journalctl -x -e

OR use the combination of dmesg and grep. The log prefix is FINAL_REJECT for the catch-all rule and ends in _DROP or _REJECT for zone rules, so match both rather than REJECT alone:

dmesg

dmesg | grep -iE 'REJECT|DROP'

Sample outputs:

[20042.637753] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=218.26.176.3 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=55921 PROTO=TCP SPT=57604 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
[20046.765558] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=80.82.70.239 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=57597 PROTO=TCP SPT=44042 DPT=3464 WINDOW=1024 RES=0x00 SYN URGP=0
[20047.814002] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=120.147.208.68 DST=172.xxx.yyy.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=26712 DF PROTO=TCP SPT=61102 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
[20055.064170] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=192.241.218.101 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=43855 DPT=2082 WINDOW=65535 RES=0x00 SYN URGP=0
[20069.898251] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=80.82.70.239 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=28418 PROTO=TCP SPT=44042 DPT=3489 WINDOW=1024 RES=0x00 SYN URGP=0
[20083.001724] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=40426 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0
[20086.000830] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=40888 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 CWR ECE SYN URGP=0
[20092.000875] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=95.217.132.22 DST=172.xxx.yyy.zzz LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=41676 DF PROTO=TCP SPT=51883 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
[20117.283302] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=124.156.241.62 DST=172.xxx.yyy.zzz LEN=40 TOS=0x08 PREC=0x00 TTL=238 ID=54321 PROTO=TCP SPT=46206 DPT=9997 WINDOW=65535 RES=0x00 SYN URGP=0
[20120.870817] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=202.141.249.180 DST=172.xxx.yyy.zzz LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=28320 DF PROTO=TCP SPT=53409 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
[20129.579209] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=185.176.27.110 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=62492 PROTO=TCP SPT=56008 DPT=3334 WINDOW=1024 RES=0x00 SYN URGP=0
[20160.927205] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:c1:08:00 SRC=201.25.123.138 DST=172.xxx.yyy.zzz LEN=52 TOS=0x08 PREC=0x20 TTL=112 ID=9284 DF PROTO=TCP SPT=63427 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
[20172.446500] FINAL_REJECT: IN=eth0 OUT= MAC=f2:3c:92:1f:88:72:84:78:ac:5a:19:41:08:00 SRC=198.46.135.194 DST=172.xxx.yyy.zzz LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=5662 PROTO=TCP SPT=41553 DPT=8423 WINDOW=1024 RES=0x00 SYN URGP=0

Each line is a netfilter LOG record: IN is the ingress interface, SRC and DST the source and destination addresses, PROTO the protocol, and SPT/DPT the source and destination ports. The sample above is typical internet background noise: single SYN packets probing MSSQL (1433), SMB (445) and RDP (3389), with one host (95.217.132.22) retrying RDP three times.
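Reading raw LOG lines one at a time does not tell you who is probing what. The script below is an added example, not code from the original article or from the firewalld project: it reduces LogDenied records to the two questions a practitioner asks first, which source addresses generate the most denied packets and which destination ports they target. It assumes the netfilter LOG field format shown in the sample output (SRC=, PROTO=, DPT=) and a firewalld log prefix ending in _REJECT or _DROP. The function names, the file name firewalld-denied-report.sh and the SAMPLE_LOG text (constructed with RFC 5737 documentation addresses, including an illustrative zone-style prefix filter_IN_public_DROP) are assumptions made for this example.

```shell
#!/bin/sh
# firewalld-denied-report.sh (added example, not part of the original article)
# Summarise firewalld LogDenied kernel log lines by source address and by
# destination port. Assumes netfilter LOG fields (SRC=, PROTO=, DPT=) and a
# firewalld prefix ending in _REJECT or _DROP, as in the sample output above.

# Keep only lines firewalld logged for a refused packet.
denied_lines() {
    grep -E '(_REJECT|_DROP): '
}

# Number of denied-packet records read from stdin.
count_denied() {
    denied_lines | wc -l | tr -d ' '
}

# "count address" for the N (default 10) most frequent source addresses.
# The character class accepts IPv4 and IPv6 SRC= values.
top_denied_sources() {
    n="${1:-10}"
    denied_lines \
      | grep -oE 'SRC=[0-9a-fA-F.:]+' \
      | cut -d= -f2 \
      | sort | uniq -c | sort -rn | head -n "$n" \
      | awk '{ print $1, $2 }'
}

# "count PROTO/port" for the N (default 10) most targeted destination ports.
top_denied_ports() {
    n="${1:-10}"
    denied_lines \
      | awk '{
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "" && dpt != "") print proto "/" dpt
        }' \
      | sort | uniq -c | sort -rn | head -n "$n" \
      | awk '{ print $1, $2 }'
}

# Print the whole report for one log file (each function re-reads the file).
report() {
    f="$1"
    printf 'denied packets: %s\n' "$(count_denied < "$f")"
    printf '\ntop sources:\n';           top_denied_sources 10 < "$f"
    printf '\ntop destination ports:\n'; top_denied_ports 10 < "$f"
}

# Constructed sample (not real traffic): one host probing RDP twice and SMB
# once, a second host probing RDP, one dropped DNS packet logged with an
# illustrative zone prefix, and one unrelated kernel message that must be ignored.
SAMPLE_LOG='[20042.637753] FINAL_REJECT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
[20046.765558] FINAL_REJECT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=2 PROTO=TCP SPT=40002 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
[20047.814002] FINAL_REJECT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=3 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
[20055.064170] FINAL_REJECT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=4 PROTO=TCP SPT=40004 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
[20069.898251] filter_IN_public_DROP: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=UDP SPT=5353 DPT=53 LEN=40
[20070.000000] eth0: link is up'

# Usage: sh firewalld-denied-report.sh [logfile]
# With no argument the constructed sample is summarised; on a real host run
#   sudo journalctl -k --no-pager > /tmp/kern.log && sh firewalld-denied-report.sh /tmp/kern.log
if [ -n "${1:-}" ]; then
    report "$1"
else
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    report "$tmp"
    rm -f "$tmp"
fi
```

The prefix match is deliberately broad (_REJECT or _DROP followed by a colon) so the same script works whether the record came from the catch-all FINAL_REJECT rule or from a per-zone rule, and the port summary keys on PROTO/DPT so that a UDP/53 probe is not lumped together with TCP/53. Point it at /var/log/firewalld-droppd.log once the rsyslog filter below is in place, or at a saved copy of journalctl -k.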

How to log all dropped packets to /var/log/firewalld-droppd.log file

Create a new config file called /etc/rsyslog.d/firewalld-droppd.conf on your CentOS/RHEL v7/8 server:

$ sudo vim /etc/rsyslog.d/firewalld-droppd.conf

Append the following configuration. Each selector writes matching messages to the file, and the "& stop" that follows it prevents the same message from also landing in /var/log/messages; with a single "& stop" after the _REJECT selector only, _DROP lines would be written to both files:

:msg,contains,"_DROP" /var/log/firewalld-droppd.log
& stop
:msg,contains,"_REJECT" /var/log/firewalld-droppd.log
& stop

Note that these property filters match any syslog message whose text contains _DROP or _REJECT, not only kernel messages from firewalld. Restart rsyslog to load the new file:

$ sudo systemctl restart rsyslog.service

Now watch the log using the tail command (or cat, grep and egrep). rsyslog does not rotate this file for you; if you keep it long term, add it to a logrotate configuration under /etc/logrotate.d/:

$ sudo tail -f /var/log/firewalld-droppd.log

Conclusion

Keeping an eye on rejected and dropped packets using firewalld is an essential task for Linux system administrators: the log shows which hosts are probing which services and provides the evidence you need when investigating an incident. Hence, enable LogDenied and log dropped packets with firewalld on RHEL/CentOS/Fedora and SUSE/openSUSE Linux. See the firewalld documentation (man firewalld.conf and man firewall-cmd) for more info.



This is part 4 of 4 in the Linux FirewallD tutorial series: RHEL 8 FirewallD, CentOS 8 FirewallD, OpenSUSE 15.1 FirewallD, Enable FirewallD logging for denied packets.
