On Sun, 20 Feb 2022 at 21:10, Sam Varshavchik <mrsam(a)courier-mta.com> wrote:
I have a rich firewalld rule with a "log" option:
# firewall-cmd --list-rich-rules
< ... >
rule family="ipv4" forward-port port="[port]" protocol="tcp" to-port="[port]" to-addr="[ip addr]" log level="info" limit value="[log frequency]"
Actual numbers changed to protect the guilty.
I cannot find anything being logged, anywhere. According to
firewalld.richlanguage, this should get logged to syslog. The default
rsyslog.conf specifies all info-level messages going to /var/log/messages:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Port forwarding is working, but even when I hit the port I see nothing get logged.
Just on the lark, I also tried 'journalctl -f', and nothing shows up there, either.
firewalld is using the netfilters backend.
After some head-banging, and copious searching:
# nft list table inet firewalld
I found this in the output:
chain nat_PRE_FedoraServer_allow {
meta nfproto ipv4 tcp dport [port] dnat ip to [host:port]
}
I see nothing here that suggests that anything is going to get logged.
So, I'm just guessing that firewall-cmd either does not implement the log option, in the net-filter back-end, or the net-filter back-end simply does not implement any kind of logging (which seems unlikely).
Anyone know anything more on this?
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netf...
The author says he used logs to work out the details, but doesn't say how the logs were obtained. There is lots of old stuff on netfilter logging:
Logging traffic - nftables wiki <https://wiki.nftables.org/wiki-nftables/index.php/Logging_traffic> (from 2017) uses ulogd.
Keeping firewall logs out of Linux’s kernel log with ulogd2 – The ongoing struggle (strugglers.net) <https://strugglers.net/~andy/blog/2021/07/24/keeping-firewall-logs-out-of...>
--
George N. White III
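A check for the situation both messages describe, written for this thread as an added example (it is not code from either poster or from firewalld): it parses `nft list table` output and reports dnat rules sitting in chains that carry no `log` statement, which is what the quoted `nat_PRE_FedoraServer_allow` chain shows. The chain name is the one from the thread; the port and address in the sample are constructed placeholders.

```python
import re
import sys

# Constructed sample shaped like `nft list table inet firewalld` output. The
# first chain and its dnat rule mirror the excerpt quoted in the thread; the
# second chain is added so the check also has a logged (positive) case.
SAMPLE_RULESET = """\
table inet firewalld {
    chain nat_PRE_FedoraServer_allow {
        meta nfproto ipv4 tcp dport 2222 dnat ip to 192.0.2.10:22
    }
    chain filter_IN_FedoraServer_allow {
        tcp dport 22 log prefix "ssh-in " level info accept
    }
}
"""


def parse_chains(ruleset):
    """Map chain name -> list of rule lines ('type ... hook ...' lines dropped)."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line == "}":
            current = None
        elif current is not None and line and not line.startswith("type "):
            chains[current].append(line)
    return chains


def unlogged_dnat_rules(ruleset):
    """(chain, rule) pairs that dnat traffic in a chain holding no `log` statement."""
    found = []
    for chain, rules in parse_chains(ruleset).items():
        if any(re.search(r"\blog\b", r) for r in rules):
            continue  # something in this chain logs; not the case in the thread
        found.extend((chain, r) for r in rules if re.search(r"\bdnat\b", r))
    return found


if __name__ == "__main__":
    # Real use: nft list table inet firewalld | python3 check_nft_log.py
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    for chain, rule in unlogged_dnat_rules(text):
        print(f"no log statement in chain {chain}: {rule}")
```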