Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1147951 - firewall-cmd should support a default logging option.
firewall-cmd should support a default logging option.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld (Show other bugs)
7.0
All Linux
high Severity high
: rc
: ---
Assigned To: Thomas Woerner
Tomas Dolezal
Mirek Jahoda
:
Depends On:
Blocks: 1203710 1205796 1296594 1313485
  Show dependency treegraph
 
Reported: 2014-09-30 07:47 EDT by Jamie Duncan
Modified: 2016-11-03 17:00 EDT (History)
8 users (show)

See Also:
Fixed In Version: firewalld-0.4.2-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-03 17:00:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2597 normal SHIPPED_LIVE Moderate: firewalld security, bug fix, and enhancement update 2016-11-03 08:11:47 EDT

  None (edit)
Description Jamie Duncan 2014-09-30 07:47:53 EDT
In many cases, you want to log any connection that is not allowed through your firewall.

firewall-cmd should have a built-in option for adding this capability.

This should, by default, exclude multicast and other broadcast traffic but options should be included for enabling logging for such.

Suggestion:

firewall-cmd --log-dropped --zone <zone> [--log-broadcast] [--log-custom <port>]
Comment 9 Thomas Woerner 2016-01-29 07:29:57 EST
Fixed upstream: https://github.com/t-woerner/firewalld/commit/014d3345e7fb6436df94f0bad22c5166a4d0e157

New LogDenied support

If LogDenied is enabled, logging rules right before reject and drop rules in
the INPUT, FORWARD and OUTPUT chains for the default rules and also final
reject and drop rules in zones.

Possible values for LogDenied are: all, unicast, broadcast, multicast and off.

Fixes issue #59
Comment 11 Mike McCune 2016-03-28 19:42:22 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 15 errata-xmlrpc 2016-11-03 17:00:24 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html

Note You need to log in before you can comment on or make changes to this bug.