I have a rich firewalld rule with a "log" option:
# firewall-cmd --list-rich-rules
< ... >
rule family="ipv4" forward-port port="[port]" protocol="tcp" to-port="[port]" to-addr="[ip addr]" log level="info" limit value="[log frequency]"
Actual numbers changed to protect the guilty.
I cannot find anything being logged, anywhere. According to firewalld.richlanguage, this should get logged to syslog. The default rsyslog.conf specifies all info-level messages going to /var/log/messages:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
Port forwarding is working, but even when I hit the port I see nothing get logged.
Just on a lark, I also tried 'journalctl -f', and nothing shows up there, either.
firewalld is using the netfilters backend.
After some head-banging, and copious searching:
# nft list table inet firewalld
I found this in the output:
chain nat_PRE_FedoraServer_allow { meta nfproto ipv4 tcp dport [port] dnat ip to [host:port] }
I see nothing here that suggests that anything is going to get logged.
So, I'm just guessing that firewall-cmd either does not implement the log option, in the net-filter back-end, or the net-filter back-end simply does not implement any kind of logging (which seems unlikely).
Anyone know anything more on this?
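Two checks that narrow down where the logging gets lost, as an added example that is not from the thread: the first scans an `nft list table inet firewalld` dump for chains that carry a `log` statement (if none is there, the rich rule's log option never reached the kernel); the second counts kernel log lines with a given prefix, since an nft `log` statement writes to the kernel ring buffer, so the place to look is `journalctl -k` or the kern facility in rsyslog. The ruleset and log samples are constructed; the chain `filter_IN_FedoraServer_log` and the prefix `HYPOTHETICAL_LOG` are assumptions, not real firewalld output.

```shell
#!/bin/sh
# Constructed sample modeled on the chain quoted in the thread; the second chain
# (filter_IN_FedoraServer_log) and its prefix are hypothetical, not real output.
SAMPLE_RULESET='table inet firewalld {
	chain nat_PRE_FedoraServer_allow {
		meta nfproto ipv4 tcp dport [port] dnat ip to [host:port]
	}
	chain filter_IN_FedoraServer_log {
		tcp dport [port] log prefix "HYPOTHETICAL_LOG " level info limit rate 1/minute
	}
}'

# Constructed kernel log lines: one nft log hit and one unrelated message.
SAMPLE_KERNLOG='Feb 20 21:10:01 host kernel: HYPOTHETICAL_LOG IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP DPT=8080
Feb 20 21:10:02 host kernel: usb 1-1: new device'

# List the chains in an "nft list table" dump that contain a log statement.
# Live usage: chains_with_log "$(nft list table inet firewalld)"
chains_with_log() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*chain [^ ]+ \{/ { chain = $2 }
        /[[:space:]]log / && chain != "" { print chain }
    '
}

# Exit 0 if the named chain has at least one log statement, 1 otherwise.
chain_logs() {
    chains_with_log "$1" | grep -qx "$2"
}

# Count kernel log lines carrying the given nft log prefix. nft "log" goes to
# the kernel ring buffer, so read it from `journalctl -k` or a file that
# receives kern.* in rsyslog; an empty result with a log statement present
# points at log routing, an empty chain list points at firewalld itself.
count_prefix_hits() {
    printf '%s\n' "$1" | grep -c "kernel: $2" || true
}
```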
On Sun, 20 Feb 2022 at 21:10, Sam Varshavchik mrsam@courier-mta.com wrote:
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilt...
The author says he used logs to work out the details, but doesn't say how the logs were obtained. There is lots of old stuff on netfilter logging:
Logging traffic - nftables wiki https://wiki.nftables.org/wiki-nftables/index.php/Logging_traffic (from 2017) uses ulogd.
Keeping firewall logs out of Linux’s kernel log with ulogd2 – The ongoing struggle (strugglers.net) https://strugglers.net/~andy/blog/2021/07/24/keeping-firewall-logs-out-of-linuxs-kernel-log-with-ulogd2/
George N. White III writes:
https://thermalcircle.de/doku.php?id=blog:linux:nftables_packet_flow_netfilter_hooks_detail
My attention span was not sufficient for that one.
The author says he used logs to work out the details, but doesn't say how the logs were obtained. There is lots of old stuff on netfilter logging:
Logging traffic - nftables wiki https://wiki.nftables.org/wiki-nftables/index.php/Logging_traffic (from 2017) uses ulogd.
So, there is a logging facility, of some sorts, in nft.
But I already had logging working when firewalld was using iptables. The rich rule that specifies logging is still there. Nothing happened to it.
firewall-config even shows this rule. firewall-config has a checkbox to, allegedly, enable logging. When showing this rule firewall-config even shows this checkbox as selected. So far so good, but the forward march of progress ends abruptly, at this point:
No logging.
Also, curiously, I don't seem to be able to edit this rule in firewall-config. It shows it but won't let me edit it. The rich rule was added directly via firewall-cmd, so at some level firewalld knows about it. Except that it is not fully implemented in the UI, and fully unimplemented in the netfilter backend. At least the rule itself is there, and its core functionality is there. But the logging is sorely missed.
Perusing the nftables wiki it does seem that firewalld /should/ be able to grok this, and it's simply not implemented. I'll just cross my fingers, and patiently wait for it to catch up with iptables.
A shot in the dark: the old iptables-based rule specified a rate limit on the logging. The nft wiki page makes no mention of rate limit. I wonder if that's the firewalld limitation, it just ignores the log specification because of that?