Firewalld Logging Issue: Why Drop Zone Doesn’t Log Denied Packets While Public Zone Does

When working with Firewalld's logging functionality for denied packets, many administrators encounter an unexpected behavior where logging works in the public zone but fails in the drop zone. Let's examine this in detail.

The typical configuration scenario looks like this:

# Basic setup with drop zone
firewall-cmd --set-default-zone=drop
firewall-cmd --zone=drop --add-interface=eth0
firewall-cmd --set-log-denied=all

Despite this configuration, packets dropped by the drop zone won't appear in /var/log/messages, while the same packets would be logged if the default zone were set to public.

The fundamental difference lies in how Firewalld processes packets in these zones:

  1. Drop zone: Silently discards packets without any response (RFC-compliant behavior)
  2. Public zone: Rejects packets with an ICMP response (which can be logged)

To achieve logging in the drop zone, consider these approaches:

1. Set the zone target to REJECT instead of DROP

# --set-target only works in permanent mode; the reload makes it active.
# With a REJECT target the global log-denied setting logs the zone's final reject.
firewall-cmd --permanent --zone=drop --set-target=REJECT
firewall-cmd --reload

2. Add explicit logging rules

# For a specific port (a rule family is required when reject carries a type;
# log comes before the action)
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" port port="22" protocol="tcp" log prefix="firewalld-drop:" level="info" reject type="icmp-port-unreachable"'

# For all traffic (a rich rule without a port/service element needs a source or
# destination, hence the catch-all source)
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" log prefix="firewalld-drop:" level="info" reject type="icmp-port-unreachable"'

After applying these changes, test your configuration:

# Check active rules
firewall-cmd --zone=drop --list-all

# Monitor logs in real-time
tail -f /var/log/messages | grep firewalld-drop
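To triage what the tail/grep above prints, here is an added Python script (not from the original page) that parses the kernel's netfilter LOG fields (IN, SRC, DST, PROTO, DPT) behind the firewalld-drop: and custom-drop: prefixes used on this page, counts drops per source and per destination port, and lists sources that probed several ports. The sample log lines are constructed; the script name drop_triage.py and the probing threshold are assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the netfilter LOG format the kernel emits (rsyslog writes them to /var/log/messages); not real captures.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw1 kernel: firewalld-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=44312 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 fw1 kernel: firewalld-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=44313 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:03 fw1 kernel: firewalld-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4713 DF PROTO=TCP SPT=44314 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:04 fw1 kernel: firewalld-drop: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=5555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:05 fw1 sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2
"""

PREFIXES = ("firewalld-drop:", "custom-drop:")  # log prefixes used by the rules on this page
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=value tokens; bare flags (DF, SYN) are skipped

def parse_line(line, prefixes=PREFIXES):
    """Return the netfilter fields of one log line as a dict, or None for unrelated lines."""
    for prefix in prefixes:
        marker = "kernel: " + prefix
        pos = line.find(marker)
        if pos != -1:
            fields = dict(FIELD_RE.findall(line[pos + len(marker):]))
            fields["PREFIX"] = prefix
            return fields
    return None

def summarize(lines, prefixes=PREFIXES, min_targets=3):
    """Count drops per source and per (PROTO, DPT), and list sources that hit at least
    min_targets distinct ports (a triage heuristic added here, not a firewalld feature)."""
    per_src, per_target, seen = Counter(), Counter(), {}
    for line in lines:
        fields = parse_line(line, prefixes)
        if fields is None:
            continue
        src = fields.get("SRC", "?")
        target = (fields.get("PROTO", "?"), fields.get("DPT", "-"))
        per_src[src] += 1
        per_target[target] += 1
        seen.setdefault(src, set()).add(target)
    scanners = sorted(s for s, t in seen.items() if len(t) >= min_targets)
    return {"per_src": per_src, "per_target": per_target, "scanners": scanners}

if __name__ == "__main__":
    # Feed real data with: grep firewalld-drop /var/log/messages | python3 drop_triage.py
    report = summarize(SAMPLE_LOG.splitlines() if sys.stdin.isatty() else sys.stdin)
    for src, count in report["per_src"].most_common(10):
        print(f"{count:6d} dropped packets from {src}")
    print("sources probing several ports:", ", ".join(report["scanners"]) or "none")
```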

For more sophisticated logging, newer firewalld releases can hand matching packets to a userspace collector through the nflog element of a rich rule instead of the kernel log:

# The explicit drop action keeps the zone's behaviour for the logged packets
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" destination not address="192.168.1.0/24" nflog prefix="firewalld-drop:" drop'

This requires additional setup with ulogd, which receives the packets for capture and analysis.

Remember that while logging dropped packets is valuable for security monitoring, it can:

  • Increase log volume significantly
  • Impact performance during port scans or attacks
  • Potentially expose information about your firewall rules

Always balance logging needs with system performance and security requirements.


I recently encountered an interesting behavior with Firewalld's logging functionality that might help others facing similar issues. When using the drop zone as the default zone with logging enabled (firewall-cmd --set-log-denied=all), denied packets weren't being logged to /var/log/messages, despite explicit rich rules allowing specific traffic.

The key observation was that logging worked perfectly when using the public zone as default, but failed silently when using the drop zone. This suggests the logging behavior differs between zones, even with the same global logging setting.

After investigating, I found that the drop zone's default behavior is to silently drop packets without logging. Even with --set-log-denied=all, this zone-specific behavior takes precedence. Here's how to verify your current logging configuration:

# Check current log-denied setting
firewall-cmd --get-log-denied

# Check zone information
firewall-cmd --info-zone=drop
firewall-cmd --info-zone=public

To enable logging in the drop zone, you need to explicitly add logging rules. Here's how to implement it:

# Add logging for rejected packets in the drop zone. The log element comes before the
# action and carries the limit (a limit placed after reject would throttle the reject,
# not the log); a rule without a port/service element needs a source or destination.
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" log prefix="firewalld-drop: " limit value="5/m" reject type="icmp-host-unreachable"'

# For IPv6
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv6" source address="::/0" log prefix="firewalld-drop: " limit value="5/m" reject type="icmp6-addr-unreachable"'

After applying these rules, test with nmap and check logs:

# Run a port scan against your server
nmap -Pn your.server.ip

# Check logs in real-time
tail -f /var/log/messages | grep firewalld-drop

If you need more control, consider creating a custom zone that combines drop behavior with logging:

# Create new zone (zone creation is permanent-only)
firewall-cmd --new-zone=logging-drop --permanent
firewall-cmd --reload

# Set the zone target to DROP and add the logging rules. --set-target only works in
# permanent mode, and --permanent keeps the rich rules across the reload below. Packets
# matched by the rich rules are rejected and logged; the DROP target only applies to
# traffic the rich rules do not match.
firewall-cmd --permanent --zone=logging-drop --set-target=DROP
firewall-cmd --permanent --zone=logging-drop --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" log prefix="custom-drop: " reject type="icmp-host-unreachable"'
firewall-cmd --permanent --zone=logging-drop --add-rich-rule='rule family="ipv6" source address="::/0" log prefix="custom-drop: " reject type="icmp6-addr-unreachable"'
firewall-cmd --reload

# Assign interface
firewall-cmd --zone=logging-drop --change-interface=eth0

Remember that excessive logging can impact performance and fill disk space. The examples above include rate limiting (5 logs per minute). Adjust based on your needs:

# Adjust log rate limit: remove the existing rule exactly as --list-rich-rules prints it,
# then re-add it with the new limit (the limit stays attached to the log element)
firewall-cmd --zone=drop --list-rich-rules
firewall-cmd --zone=drop --remove-rich-rule='<rule text exactly as listed above>'
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="0.0.0.0/0" log prefix="firewalld-drop: " limit value="10/s" reject type="icmp-host-unreachable"'