CentOS8 Firewalld Tips

Written by Gerkin · last change: commit 1c91ff1 (chore: change shortcodes format (HTML tag like)) · 1 min read

When you tighten firewall rules as much as a host requires, you will sometimes struggle to understand why something you thought was allowed is, in fact, not. Logs are the quickest way to track down that kind of issue. Here is a small copy-paste snippet that makes firewalld log every packet it denies.

Enable "access denied" logging

firewalld does not write log lines itself: when its LogDenied option is enabled, it inserts netfilter LOG rules right before its reject and drop rules, and the kernel then emits one line per denied packet into the kernel log, which rsyslog (the system logger on CentOS 8) and the journal both collect. LogDenied accepts the values all, unicast, broadcast, multicast and off (the default). It can be set through firewall-cmd, which applies the change at runtime and also writes it to the permanent configuration, or by editing /etc/firewalld/firewalld.conf by hand and reloading firewalld.

# Set LogDenied with firewall-cmd (applied at runtime and saved to firewalld.conf)
sudo firewall-cmd --set-log-denied=all
# Or edit the config file by hand (sed keeps a .bak copy; any current value is replaced)
sudo sed -i.bak -E 's/^#?LogDenied=.*/LogDenied=all/' /etc/firewalld/firewalld.conf && \
	sudo firewall-cmd --reload # reload so firewalld re-installs its rules with the LOG rules added
# Then, check the active value
sudo firewall-cmd --get-log-denied

Then we route the denial lines to a file of their own, /var/log/{{logFileName}}.log (replace {{logFileName}} with the name you want). The log prefixes firewalld uses end in _DROP or _REJECT (FINAL_REJECT, STATE_INVALID_DROP, and so on), so an rsyslog filter on those two substrings catches all of them.

cat <<EOF | sudo tee /etc/rsyslog.d/{{logFileName}}.conf
# firewalld denial messages carry a kernel log prefix ending in _DROP or _REJECT.
# "& stop" after each rule keeps the matched lines out of /var/log/messages.
:msg,contains,"_DROP" /var/log/{{logFileName}}.log
& stop
:msg,contains,"_REJECT" /var/log/{{logFileName}}.log
& stop
EOF
sudo systemctl restart rsyslog.service
sudo tail -f /var/log/{{logFileName}}.log

Yay! You can now watch /var/log/{{logFileName}}.log to see which packets were denied, from which source, on which port. If you would rather not keep a separate file, journalctl -k -f shows the same kernel messages.
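Once lines start arriving, reading them one by one gets old fast. The script below is an added example, not part of the original post: it summarises the denial lines by source address, protocol, destination port and verdict, and flags sources that exceed a threshold of denied packets. It assumes the format the netfilter LOG target produces (a prefix ending in _DROP: or _REJECT:, then key=value pairs such as SRC=, PROTO= and DPT=), which rsyslog stores unchanged; the sample lines are constructed to stand in for /var/log/{{logFileName}}.log.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): summarise firewalld denial
# messages. Assumes netfilter LOG output (prefix ending in _DROP:/_REJECT:,
# followed by SRC=, PROTO=, DPT= key=value pairs) as written by rsyslog.

# Constructed sample lines standing in for /var/log/{{logFileName}}.log;
# the last sshd line is unrelated noise that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:15:01 web1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:0a:0b:0c:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2001 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 web1 kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:0a:0b:0c:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2002 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
Mar  3 10:15:05 web1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=1003 PROTO=UDP SPT=5353 DPT=5353 LEN=20
Mar  3 10:15:06 web1 sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 50000 ssh2
EOF
)

# summarize_denied [file]: one line per (source, proto, dport, verdict),
# most frequent first. Reads stdin when no file is given.
summarize_denied() {
  awk '
    /(_DROP|_REJECT): / {
      src = proto = dpt = verdict = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^SRC=/)             src     = substr($i, 5)
        else if ($i ~ /^PROTO=/)           proto   = substr($i, 7)
        else if ($i ~ /^DPT=/)             dpt     = substr($i, 5)
        else if ($i ~ /(_DROP|_REJECT):$/) verdict = substr($i, 1, length($i) - 1)
      }
      if (src != "") count[src " " proto " " dpt " " verdict]++
    }
    END { for (k in count) print count[k], k }
  ' "${1:--}" | sort -rn
}

# noisy_sources THRESHOLD [file]: source addresses with at least THRESHOLD
# denied packets, a crude "who is probing me" check.
noisy_sources() {
  awk -v min="$1" '
    /(_DROP|_REJECT): / {
      for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) hits[substr($i, 5)]++
    }
    END { for (s in hits) if (hits[s] >= min) print s, hits[s] }
  ' "${2:--}"
}

# Run on the constructed sample; on a real host feed the functions the
# log file instead, e.g. summarize_denied /var/log/{{logFileName}}.log
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
printf '%s\n' "$SAMPLE_LOG" | noisy_sources 3
```

Both functions key on the log prefix rather than on a zone name, so they also work when the nftables backend names the prefix after the chain (filter_IN_public_REJECT and friends); lines from other kernel subsystems or from daemons are skipped.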
