Bug 1147951 – firewall-cmd should support a default logging option.

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1147951 - firewall-cmd should support a default logging option.

Summary:	firewall-cmd should support a default logging option.

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firewalld (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	rc
Target Release:	---
Assigned To:	Thomas Woerner
QA Contact:	Tomas Dolezal
Docs Contact:	Mirek Jahoda

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	1203710 1205796 1296594 1313485
	Show dependency tree / graph

Reported:	2014-09-30 07:47 EDT by Jamie Duncan
Modified:	2016-11-03 17:00 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	firewalld-0.4.2-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-11-03 17:00:24 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2597	normal	SHIPPED_LIVE	Moderate: firewalld security, bug fix, and enhancement update	2016-11-03 08:11:47 EDT

Groups: None (edit)

Description Jamie Duncan 2014-09-30 07:47:53 EDT

In many cases, you want to log any connection that is not allowed through your firewall.

firewall-cmd should have a built-in option for adding this capability.

This should, by default, exclude multicast and other broadcast traffic but options should be included for enabling logging for such.

Suggestion:

firewall-cmd --log-dropped --zone <zone> [--log-broadcast] [--log-custom <port>]

Comment 8 Thomas Woerner 2016-01-29 07:27:23 EST

Fixed upstream: https://github.com/t-woerner/firewalld/commit/5cb1ce169448d601b5b024ee4d31a77cf1808636

Comment 9 Thomas Woerner 2016-01-29 07:29:57 EST

Fixed upstream: https://github.com/t-woerner/firewalld/commit/014d3345e7fb6436df94f0bad22c5166a4d0e157

New LogDenied support

If LogDenied is enabled, logging rules right before reject and drop rules in
the INPUT, FORWARD and OUTPUT chains for the default rules and also final
reject and drop rules in zones.

Possible values for LogDenied are: all, unicast, broadcast, multicast and off.

Fixes issue #59

Comment 11 Mike McCune 2016-03-28 19:42:22 EDT

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 15 errata-xmlrpc 2016-11-03 17:00:24 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html

Note You need to log in before you can comment on or make changes to this bug.