On Fri, Oct 29, 2021 at 06:04:43AM -0700, Kenneth Porter wrote:
I'm using --set-log-denied to see who is poking my system and for
debugging. I divert the resulting log to its own rotated log file to avoid
cluttering other logs.
I note that a lot of entries are from my own LAN and are noisy broadcast
discovery programs that are looking for printers and other devices. I don't
want to open the port on my system, but I also don't want those packets
cluttering my logs. Is there a way, apart from a direct rule, to just eat
those packets with a silent DENY so they don't hit the log-deny rules?

You can use a rich rule to log just before the zone's catch-all drop of
# firewall-cmd --permanent --zone <zone> \
    --add-rich-rule='rule priority=32767 log prefix="RICH_DROPPED: " limit value="10/h"'

This example limits logs to 10 per hour and only for packets in the
You can add more rich rules just before (lower priority value) this one
to drop/reject before the log occurs. Or you can enhance the logging
rich rule to match a subset of the zone's traffic.
Hope that helps.
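An added example, not code from the thread, showing the layering the reply describes: silent drops for the LAN discovery chatter at a lower priority value, placed ahead of the 32767 log rule. It assumes zone "public", a LAN of 192.168.1.0/24, and that the noisy protocols are mDNS (UDP 5353) and SSDP (UDP 1900); adjust those to your network.

```shell
#!/bin/sh
# Added example (not from the thread): silently drop LAN discovery traffic
# with rich rules that sort before the catch-all log rule.
# Assumptions: zone "public", LAN 192.168.1.0/24, noisy protocols are
# mDNS on UDP 5353 and SSDP on UDP 1900.
ZONE="${ZONE:-public}"
LAN="${LAN:-192.168.1.0/24}"

# The quiet drops must carry a LOWER priority value than the log rule,
# since firewalld evaluates lower values first.
DROP_PRIO=32000
LOG_PRIO=32767

# Build one silent-drop rich rule; $1 = port, $2 = protocol.
drop_rule() {
    printf 'rule priority=%d family="ipv4" source address="%s" port port="%s" protocol="%s" drop' \
        "$DROP_PRIO" "$LAN" "$1" "$2"
}

# The log-only rule from the reply, rate-limited to 10 entries per hour.
log_rule() {
    printf 'rule priority=%d log prefix="RICH_DROPPED: " limit value="10/h"' "$LOG_PRIO"
}

# Extract the numeric priority from a rich rule string (used to check ordering).
rule_priority() {
    printf '%s\n' "$1" | sed -n 's/^rule priority=\([-0-9]*\).*/\1/p'
}

# Install the rules into the permanent config and reload.
apply_rules() {
    for spec in "5353 udp" "1900 udp"; do
        set -- $spec
        firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(drop_rule "$1" "$2")"
    done
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(log_rule)"
    firewall-cmd --reload
}

# Only touch firewalld when explicitly asked (run as root: ./script.sh apply).
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Packets that match a drop rule never reach the log rule, so only traffic that is not explicitly dropped shows up under the RICH_DROPPED: prefix.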