Bug 1147951

Summary: firewall-cmd should support a default logging option.
Product: Red Hat Enterprise Linux 7 Reporter: Jamie Duncan <jduncan>
Component: firewalldAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: high Docs Contact: Mirek Jahoda <mjahoda>
Priority: high    
Version: 7.0CC: bressers, creynold, pcfe, pdwyer, pvrabec, riehecky, todoleza, twoerner
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firewalld-0.4.2-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 21:00:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1203710, 1205796, 1296594, 1313485    

Description Jamie Duncan 2014-09-30 11:47:53 UTC 
In many cases, you want to log any connection that is not allowed through your firewall.

firewall-cmd should have a built-in option for adding this capability.

This should, by default, exclude multicast and other broadcast traffic but options should be included for enabling logging for such.

Suggestion:

firewall-cmd --log-dropped --zone <zone> [--log-broadcast] [--log-custom <port>]
Comment 8 Thomas Woerner 2016-01-29 12:27:23 UTC 
Fixed upstream: https://github.com/t-woerner/firewalld/commit/5cb1ce169448d601b5b024ee4d31a77cf1808636
Comment 9 Thomas Woerner 2016-01-29 12:29:57 UTC 
Fixed upstream: https://github.com/t-woerner/firewalld/commit/014d3345e7fb6436df94f0bad22c5166a4d0e157

New LogDenied support

If LogDenied is enabled, logging rules right before reject and drop rules in
the INPUT, FORWARD and OUTPUT chains for the default rules and also final
reject and drop rules in zones.

Possible values for LogDenied are: all, unicast, broadcast, multicast and off.

Fixes issue #59
Comment 11 Mike McCune 2016-03-28 23:42:22 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 15 errata-xmlrpc 2016-11-03 21:00:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html