On Wednesday, 11 March 2020, 19:29:02 CET, Eric Garver wrote:
> On Wed, Mar 11, 2020 at 04:59:22PM +0100, Hans-Peter Jansen wrote:
> > do you know a method to capture the packages before they are discarded?
> No. The only thing like this is --set-log-denied, but that only does
Well, that doesn't help with many cases. Some of them, I'm facing right now.
> Ideally we'd add a new target for rich rules, e.g. NFLOG. Then
> use a low precedence catch-all rich rule which would execute right
> before the accept/drop for the zone.
> firewall-cmd --add-rich-rule='rule priority=32767 ... nflog prefix=..
> Unfortunately the "nflog" action doesn't exist yet.
> Should be fairly
> easy to add. If you'd like to see it added, then please file an issue on
Here we go:
If I understand you correctly, given a high enough priority, other use cases
like live monitoring and accounting could be realized this way as well.