On Wed, Mar 11, 2020 at 04:59:22PM +0100, Hans-Peter Jansen wrote:
> Hi,
>
> do you know a method to capture the packages before they are discarded?
No. The only thing like this is --set-log-denied, but that only does basic logging.
> I do see a couple of "interesting" packages, that I would like to examine a bit further (e.g. with wireshark)
>
> The usual way would be using ulogd, but according to gh#268 https://github.com/firewalld/firewalld/issues/268, this is out of scope ATM.
>
> When looking into the source, a general implementation seems pretty straightforward, with the most work being configuration/interfaces, but of course, this will raise questions of scatter logging into the ruleset everywhere <shrug>, proper testing, etc.
>
> # LogTarget
> # Define alternate logging target, eg. ULOG, NFLOG
> # Default: LOG
> LogTarget=LOG
>
> # LogPrefixOption
> # Log prefix option, eg. --nflog-prefix, --ulog-prefix
> # Default: "--log-prefix"
> LogPrefixOption="--log-prefix"
>
> # LogTargetOptions
> # Options for alternate logging target, eg. --nflog-group 32
> # Default: ""
> LogTargetOptions=
>
> When making firewalld ulogd aware (ULOG, NFLOG), we could hardcode the LogPrefixOption, and simply call LogTargetOptions LogTargetGroup.
>
> Opinions?
Ideally we'd add a new target for rich rules, e.g. NFLOG. Then you could use a low precedence catch-all rich rule which would execute right before the accept/drop for the zone. e.g.
firewall-cmd --add-rich-rule='rule priority=32767 ... nflog prefix=.. group=..'
Unfortunately the "nflog" action doesn't exist yet. Should be fairly easy to add. If you'd like to see it added, then please file an issue on github.
Eric.
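Eric's reply points at --set-log-denied as the only facility that exists today, with the caveat that it only produces basic kernel log lines rather than packets you can open in wireshark. As an added example (not code from this thread, and not part of firewalld), the following Python script shows what that "basic logging" gives a defender when parsed into structured records: the sample log lines are constructed for the example (documentation addresses, made-up MACs and ports) in the key=value shape the netfilter LOG target emits, using the FINAL_REJECT and STATE_INVALID_DROP prefixes that firewalld attaches when LogDenied is enabled. Function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample syslog excerpt. Three lines are firewalld LogDenied
# entries; the fourth is an unrelated kernel message that the parser must
# ignore. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 11 17:02:10 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 11 17:02:11 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
Mar 11 17:02:12 host kernel: FINAL_REJECT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=60 ID=4321 PROTO=UDP SPT=40000 DPT=161 LEN=56
Mar 11 17:02:13 host kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# A LogDenied entry is "kernel: <PREFIX>: <key=value and bare-flag tokens>".
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Z][A-Z0-9_]*): (?P<rest>.*)$")


@dataclass
class DeniedPacket:
    prefix: str                 # e.g. FINAL_REJECT, STATE_INVALID_DROP
    fields: Dict[str, str]      # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    flags: FrozenSet[str]       # bare tokens such as DF, SYN, RST


def parse_denied_line(line: str) -> Optional[DeniedPacket]:
    """Return a DeniedPacket for a LogDenied line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags = set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # The LOG target prints LEN twice for UDP (IP header, then UDP
            # header); keep the first occurrence so LEN is the IP length.
            fields.setdefault(key, value)
        else:
            flags.add(tok)
    # A kernel message that merely looks like "NAME: ..." has no SRC field.
    if "SRC" not in fields or "DST" not in fields:
        return None
    return DeniedPacket(m.group("prefix"), fields, frozenset(flags))


def parse_denied_log(text: str) -> List[DeniedPacket]:
    """Parse every LogDenied entry in a block of syslog text."""
    packets = []
    for line in text.splitlines():
        pkt = parse_denied_line(line)
        if pkt is not None:
            packets.append(pkt)
    return packets


def summarize_by_source(packets: List[DeniedPacket]) -> Dict[str, int]:
    """Count denied packets per source address, the usual first triage question."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        src = pkt.fields["SRC"]
        counts[src] = counts.get(src, 0) + 1
    return counts


def describe(pkt: DeniedPacket) -> str:
    """One-line human summary of a denied packet."""
    f = pkt.fields
    return (f"{pkt.prefix} {f.get('PROTO', '?')} "
            f"{f['SRC']}:{f.get('SPT', '-')} -> {f['DST']}:{f.get('DPT', '-')} "
            f"in={f.get('IN', '?')} flags={','.join(sorted(pkt.flags)) or '-'}")


if __name__ == "__main__":
    denied = parse_denied_log(SAMPLE_LOG)
    for pkt in denied:
        print(describe(pkt))
    print("per-source counts:", summarize_by_source(denied))
```

The fields the LOG target provides (interface, addresses, protocol, ports, TCP flags) are enough to decide whether a denied packet is worth a closer look, but the payload is not there, which is exactly the gap the thread is about: only an NFLOG-style target handed to ulogd or a capture tool would preserve the packet itself.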