On 02/12/2014 09:47 AM, Christian Lupien wrote:
> I just recently converted my iptables rules to firewalld. Most of it was
> straightforward. However I had trouble with trying to log my rejected
> My old /etc/sysconfig/iptables INPUT chain ended with
> -A INPUT -m limit --limit 6/hour --limit-burst 10 -j LOG
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> Is there a simple way to do this with firewalld?
No, there is no simple way at the moment. But I have "simple logging" on
my todo list.
> If not, could it be implemented? I find that logging rejected packets
> sometimes helps find trouble with the firewall setup.
I want to have a firewall debug mode, where you could see which rules
are active. I also have plans for a learning mode, in which the firewall
could suggest solutions for dropped packets or problems. Also
monitoring should be doable with these two. But this is only some idea
at the moment and we do not have a lot of resources to realize this for
> I was able to find a workaround with some direct passthrough rules,
> but it is fragile (it depends on the current firewalld entries' creation
> order and naming structure).
We might be able to have a simple and small version of the above
shortly to be able to add log rules for rejects and drops.
firewalld-users mailing list
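The passthrough workaround Christian alludes to, written out as an added example that is not from the thread or from the firewalld project: it reads the live INPUT chain, finds the position of firewalld's final REJECT rule, and inserts the old rate-limited LOG rule directly before it. The `firewall-cmd --direct --passthrough ipv4` and `iptables -S INPUT` invocations are real; the sample chain layout and the `fw-reject:` log prefix are constructed assumptions, and because the position is read at run time the rule has to be re-applied after every firewalld reload (that is exactly the fragility he describes).

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the firewalld project.
# Insert a rate-limited LOG rule just before firewalld's closing REJECT in
# INPUT, using the direct passthrough interface. Runtime only: firewalld
# rebuilds the chain on reload, so the position must be recomputed then.
set -e

# Constructed sample of `iptables -S INPUT` (layout is an assumption);
# the last rule is firewalld's own catch-all REJECT.
SAMPLE_INPUT_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# reject_position RULES: print the 1-based position of the first
# "-A INPUT ... -j REJECT" rule, i.e. the index that `-I INPUT <n>` must
# use to land before it. Prints nothing and returns 1 if there is none.
reject_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT / && / -j REJECT( |$)/ { print n; found = 1; exit }
        END { if (!found) exit 1 }'
}

# log_rule_args POS: the iptables arguments handed to the passthrough,
# the same limit/LOG rule as the old /etc/sysconfig/iptables line plus a
# prefix so the entries are easy to grep out of the kernel log.
log_rule_args() {
    printf '%s\n' "-I INPUT $1 -m limit --limit 6/hour --limit-burst 10 -j LOG --log-prefix fw-reject:"
}

# apply_log_rule: run against the live chain (needs root and firewalld).
apply_log_rule() {
    pos=$(reject_position "$(iptables -S INPUT)") ||
        { echo "no REJECT rule found in INPUT" >&2; return 1; }
    # Word splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    firewall-cmd --direct --passthrough ipv4 $(log_rule_args "$pos")
}

if [ "${1:-}" = "apply" ]; then
    apply_log_rule
fi
```

Run it as `sh log-rejects.sh apply` after each `firewall-cmd --reload`; without the argument it only defines the helpers.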