5.17. Configuring Logging for Denied Packets
With the LogDenied option in firewalld, it is possible to add a simple logging mechanism for denied packets, that is, packets that are rejected or dropped. To change the logging setting, edit the /etc/firewalld/firewalld.conf file or use the command-line or GUI configuration tool.
If LogDenied is enabled, logging rules are added right before the reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules, and also before the final reject and drop rules in zones. The possible values for this setting are: all, unicast, broadcast, multicast, and off. The default setting is off. With the unicast, broadcast, and multicast settings, the pkttype match is used to match the link-layer packet type. With all, all denied packets are logged.
To list the current LogDenied setting with firewall-cmd, use the following command as root:
~]# firewall-cmd --get-log-denied
off
To change the LogDenied setting, use the following command as root:
~]# firewall-cmd --set-log-denied=all
success
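The two commands above read and write the LogDenied key that firewalld stores in firewalld.conf. The following shell script is an added example, not part of the Red Hat guide or of firewalld itself: it reads and rewrites that key in a config file directly, validating the requested value against the five settings the guide lists (all, unicast, broadcast, multicast, off) before touching the file, which is useful when auditing or templating firewalld.conf on hosts where firewall-cmd is not available. The file it operates on is a constructed sample written to a temporary path; on a real host the path would be /etc/firewalld/firewalld.conf, and firewalld must be reloaded for a direct edit to take effect.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): inspect and update the LogDenied
# setting in a firewalld.conf-style file without calling firewall-cmd.

# Values firewalld accepts for LogDenied, as listed in the guide.
valid_log_denied() {
    case "$1" in
        all|unicast|broadcast|multicast|off) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the effective LogDenied value from a config file. firewalld's default
# is "off", so an absent or commented-out key is reported as "off".
get_log_denied() {
    conf="$1"
    val=$(sed -n 's/^LogDenied=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        echo off
    else
        echo "$val"
    fi
}

# Rewrite LogDenied=... after validating the requested value, the same check
# firewall-cmd --set-log-denied performs. Returns 1 and leaves the file
# untouched on an invalid value.
set_log_denied() {
    conf="$1"
    new="$2"
    if ! valid_log_denied "$new"; then
        echo "invalid LogDenied value: $new (expected all, unicast, broadcast, multicast or off)" >&2
        return 1
    fi
    if grep -q '^LogDenied=' "$conf"; then
        tmp=$(mktemp)
        sed "s/^LogDenied=.*/LogDenied=$new/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    else
        printf 'LogDenied=%s\n' "$new" >> "$conf"
    fi
}

# Constructed sample config: a few firewalld.conf-style lines, not a real host's file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# firewalld config file (constructed sample)
DefaultZone=public
# LogDenied: possible values are all, unicast, broadcast, multicast and off.
# Default is off.
LogDenied=off
EOF

# Stand-alone usage: show the current value, switch to "all", show it again.
echo "LogDenied before: $(get_log_denied "$SAMPLE_CONF")"
set_log_denied "$SAMPLE_CONF" all
echo "LogDenied after:  $(get_log_denied "$SAMPLE_CONF")"
```

The sed pattern only matches an uncommented LogDenied= line, so a commented default such as "# LogDenied=all" is correctly reported as off, which is also how firewalld treats it.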
To change the LogDenied setting with the firewalld GUI configuration tool, start firewall-config, click the Options menu and select Change Log Denied. The LogDenied window appears. Select the new LogDenied setting from the menu and click OK.