{"id":4179,"date":"2021-10-06T12:28:20","date_gmt":"2021-10-06T17:28:20","guid":{"rendered":"https:\/\/www.incredigeek.com\/home\/?p=4179"},"modified":"2021-10-06T12:38:00","modified_gmt":"2021-10-06T17:38:00","slug":"enable-logging-for-firewalld","status":"publish","type":"post","link":"https:\/\/www.incredigeek.com\/home\/enable-logging-for-firewalld\/","title":{"rendered":"Enable Logging for firewalld"},"content":{"rendered":"\n<p>Enabling logging on firewall rules can be beneficial for tracking why a certain rule is not behaving as you intended.  <\/p>\n\n\n\n<p>Enabling logging is relatively straightforward.  <\/p>\n\n\n\n<p><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Enable Firewall Logging<\/li><li>Check Logs<\/li><li>Disable Firewall Logging (Optional)<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-3.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"120\" src=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-3-1024x120.png\" alt=\"\" class=\"wp-image-4181\" srcset=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-3-1024x120.png 1024w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-3-300x35.png 300w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-3-768x90.png 768w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-3-500x59.png 500w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-3.png 1429w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Enable Firewall Logging<\/h2>\n\n\n\n<p>The quickest way to enable logging is to run<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo firewall-cmd --set-log-denied=all<\/pre>\n\n\n\n<p>This changes the options in the \/etc\/firewalld\/firewalld.conf config file.  
Options include all, unicast, broadcast, multicast, and off.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"678\" height=\"122\" src=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-2.png\" alt=\"\" class=\"wp-image-4180\" srcset=\"https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-2.png 678w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-2-300x54.png 300w, https:\/\/www.incredigeek.com\/home\/wp-content\/uploads\/2021\/10\/image-2-500x90.png 500w\" sizes=\"auto, (max-width: 678px) 100vw, 678px\" \/><\/a><figcaption>Enable Log option for firewalld<\/figcaption><\/figure>\n\n\n\n<p>The command also reloads the firewall, so manually restarting the firewall is not necessary.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Checking Logs<\/h2>\n\n\n\n<p>You can use dmesg to view the failed attempts, or you can follow the messages log and filter it to show just the rejects<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo tail -f \/var\/log\/messages | grep -i REJECT<\/pre>\n\n\n\n<p>You can now try to access the server or run a test to trigger a log event.  In my case I tried initiating an SSH connection.  <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Oct  1 16:32:10 localhost kernel: FINAL_REJECT: IN=eno1 OUT= MAC=f8:ab:98:12:fe:11:a1:ec:a6:00:67:3e:97:00 <strong>SRC=192.168.1.1<\/strong> DST=192.168.88.2 LEN=60 TOS=0x08 PREC=0x40 TTL=59 ID=43080 DF PROTO=TCP SPT=38192 <strong>DPT=22<\/strong> WINDOW=52240 RES=0x00 SYN URGP=0<\/pre>\n\n\n\n<p>The interesting bits are bolded.  Our destination port is 22 &#8220;ssh&#8221; and our source address is 192.168.1.1.  
If I want this IP to access the server, I&#8217;ll need to add the 192.168.1.1 IP range to the allowed IP ranges.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Disable Logging (Optional)<\/h2>\n\n\n\n<p>After you have finished troubleshooting your problem, you may want to turn the logging feature off so you don&#8217;t fill up the logs with failed entries.<\/p>\n\n\n\n<p>You can turn it off with <\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo firewall-cmd --set-log-denied=off<\/pre>\n\n\n\n<p>We can verify that logging is off by running<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">sudo firewall-cmd --get-log-denied<\/pre>\n\n\n\n<p>If the firewall logging option is off, it will return &#8220;off&#8221;.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>The following site has some more information and alternative ways<\/p>\n\n\n\n<p><a href=\"https:\/\/www.cyberciti.biz\/faq\/enable-firewalld-logging-for-denied-packets-on-linux\/\">https:\/\/www.cyberciti.biz\/faq\/enable-firewalld-logging-for-denied-packets-on-linux\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Enabling logging on firewall rules can be beneficial for tracking why a certain rule is not behaving as you intended. Enabling logging is relatively straightforward. 
Enable Firewall Logging Check Logs Disable Firewall Logging (Optional) Enable Firewall Logging Quickest way &hellip; <a href=\"https:\/\/www.incredigeek.com\/home\/enable-logging-for-firewalld\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,573],"tags":[160,205,7,234,1250,235,1246],"class_list":["post-4179","post","type-post","status-publish","format-standard","hentry","category-linux","category-security","tag-firewall","tag-firewalld","tag-linux-2","tag-log","tag-logging","tag-logs","tag-troubleshooting"],"_links":{"self":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/4179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/comments?post=4179"}],"version-history":[{"count":7,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/4179\/revisions"}],"predecessor-version":[{"id":4189,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/posts\/4179\/revisions\/4189"}],"wp:attachment":[{"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/media?parent=4179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/categories?post=4179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.incredigeek.com\/home\/wp-json\/wp\/v2\/tags?post=4179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}