On Fri, Oct 29, 2021 at 06:04:43AM -0700, Kenneth Porter wrote:
> I'm using --set-log-denied to see who is poking my system and for
> general debugging. I divert the resulting log to its own rotated log
> file to avoid cluttering other logs.
>
> I note that a lot of entries are from my own LAN and are noisy broadcast
> discovery programs that are looking for printers and other devices. I
> don't want to open the port on my system, but I also don't want those
> packets cluttering my logs. Is there a way, apart from a direct rule, to
> just eat those packets with a silent DENY so they don't hit the log-deny
> rules?
You can use a rich rule to log just before the zone's catch-all drop of
the packet.
# firewall-cmd --permanent --zone <zone> \
    --add-rich-rule='rule priority=32767 log \
                     prefix="RICH_DROPPED: " \
                     limit value="10/h"'
This example limits logs to 10 per hour and only for packets in the
specified zone.
You can add more rich rules just before (lower priority value) this one
to drop/reject before the log occurs. Or you can enhance the logging
rich rule to match a subset of the zone's traffic.
Hope that helps.
E.
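The approach described above, worked through as an added example (not code from the thread or from firewalld itself): lower-priority rich rules silently drop the noisy LAN discovery traffic, and the rate-limited logging rule runs last, just before the zone's catch-all. The zone name, LAN prefix and the two UDP discovery ports (mDNS 5353, SSDP 1900) are assumptions; the script only prints the firewall-cmd invocations unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: zone "public",
# LAN prefix 192.168.1.0/24, mDNS (udp/5353) and SSDP (udp/1900) as the
# chatty discovery protocols. firewalld evaluates rich rules in ascending
# priority order, so the drop rules must carry a lower value than the log rule.
ZONE="${ZONE:-public}"
LAN="${LAN:-192.168.1.0/24}"
LOG_PRIORITY=32767      # last rich rule before the zone's catch-all drop
DROP_PRIORITY=32000     # lower value runs earlier: dropped before being logged

# Rich rule that silently drops one UDP port from the LAN.
# $1 = source CIDR, $2 = UDP port. "family" is required when an address is used.
drop_rule() {
    printf 'rule priority=%s family="ipv4" source address="%s" port port="%s" protocol="udp" drop' \
        "$DROP_PRIORITY" "$1" "$2"
}

# The logging rule from the thread, limited to 10 log entries per hour.
log_rule() {
    printf 'rule priority=%s log prefix="RICH_DROPPED: " limit value="10/h"' \
        "$LOG_PRIORITY"
}

# Returns 0 when the drop rules are ordered ahead of the log rule.
check_order() {
    [ "$DROP_PRIORITY" -lt "$LOG_PRIORITY" ]
}

# Commit the rule when APPLY=1; otherwise show the command for review.
apply_rule() {
    if [ "${APPLY:-0}" = 1 ]; then
        firewall-cmd --permanent --zone "$ZONE" --add-rich-rule="$1"
    else
        printf 'firewall-cmd --permanent --zone %s --add-rich-rule=%s\n' "$ZONE" "'$1'"
    fi
}

main() {
    check_order || { echo "drop priority must be below log priority" >&2; return 1; }
    for port in 5353 1900; do
        apply_rule "$(drop_rule "$LAN" "$port")"
    done
    apply_rule "$(log_rule)"
    if [ "${APPLY:-0}" = 1 ]; then firewall-cmd --reload; fi
}

main "$@"
```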