On Wednesday, 11 March 2020, 19:29:02 CET, Eric Garver wrote:
On Wed, Mar 11, 2020 at 04:59:22PM +0100, Hans-Peter Jansen wrote:
Hi,
do you know a method to capture the packets before they are discarded?
No. The only thing like this is --set-log-denied, but that only does basic logging.
Well, that doesn't help in many cases, some of which I'm facing right now.
Ideally we'd add a new target for rich rules, e.g. NFLOG. Then you could use a low precedence catch-all rich rule which would execute right before the accept/drop for the zone. e.g.
    firewall-cmd --add-rich-rule='rule priority=32767 ... nflog prefix=.. group=..'
Unfortunately the "nflog" action doesn't exist yet. It should be fairly easy to add. If you'd like to see it added, then please file an issue on GitHub.
Here we go: https://github.com/firewalld/firewalld/issues/587
If I understand you correctly, given a high enough priority, other use cases like live monitoring and accounting could be realized this way as well.
Thanks, Pete
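What the proposed "nflog" rich-rule action would do inside firewalld can already be expressed in plain nftables: a `log ... group N` statement placed immediately before the `drop` verdict copies the packet to an nflog group, and `tcpdump -i nflog:N` reads it. The script below is an added example and is not code from this thread or from the firewalld project; it loads a stand-alone nftables table rather than hooking firewalld's own zone chains, so it mirrors the mechanism, not Pete's exact setup. The table name `logdrop`, the accepted port 22 and the nflog group number 2 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from firewalld): an
# nftables ruleset that copies packets to an nflog group right before they
# are dropped, so that tcpdump can capture what would otherwise vanish.
# Assumptions: the table/chain names, the accepted port and nflog group 2.
NFLOG_GROUP=${NFLOG_GROUP:-2}

# build_ruleset prints the nft ruleset. The 'log' statement has no verdict,
# so a packet that reaches it continues to the next rule; with 'group' set,
# nft sends the packet to nflog instead of the kernel log ring buffer.
build_ruleset() {
    cat <<EOF
table inet logdrop {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        iif lo accept
        tcp dport 22 accept
        # everything below this point is about to be dropped: mirror it first
        log prefix "logdrop: " group ${NFLOG_GROUP}
        drop
    }
}
EOF
}

# log_precedes_drop checks the one ordering property that matters: the
# nflog rule must appear before the drop verdict, otherwise nothing is
# ever logged. Returns 0 (success) when the ruleset is ordered correctly.
log_precedes_drop() {
    log_line=$(build_ruleset | grep -n 'log prefix' | cut -d: -f1)
    drop_line=$(build_ruleset | grep -n '^ *drop$' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# Loading the ruleset needs root and the nft binary; reading the mirrored
# packets needs a libpcap with nflog support:
#   sh thisscript.sh apply
#   tcpdump -i nflog:${NFLOG_GROUP} -n
if [ "${1:-}" = "apply" ]; then
    log_precedes_drop || { echo "refusing to load: log rule after drop" >&2; exit 1; }
    build_ruleset | nft -f -
fi
```

Because `log` is a non-terminating statement, the same packet is both captured and dropped, which is exactly the "capture before discard" behaviour asked for above; a `nflog` rich rule with priority 32767 would put the equivalent statement at the end of a firewalld zone's rule list, just ahead of the zone target.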