Add flag/parameter to log all dropped packets. #153

Closed
marcinbojko opened this issue Aug 24, 2017 · 8 comments
Assignees
Labels
enhancement New feature or request

Comments

@marcinbojko

marcinbojko commented Aug 24, 2017

Hi. I couldn't find an easy way to control dropped packets using firewalld module.
Since firewalld-0.4.3.2-8.el7 we have the option --set-log-denied=, which can take the values: all, unicast, broadcast, multicast, or off

Source: https://access.redhat.com/solutions/1191593
(login required).
Is it possible to add this parameter to this module?

@crayfishx crayfishx added the enhancement New feature or request label Aug 24, 2017
@crayfishx crayfishx self-assigned this Aug 24, 2017
@crayfishx
Contributor

Hi @marcinbojko - this looks like a valid feature and I agree the module should support this.

@crayfishx
Contributor

The documentation on the RHEL site seems a bit wrong - it states:

Once the command has been set you can check the command with:
egrep -i ^log /etc/firewalld/firewalld.conf || echo "no match" >&2
LogDenied=all

When in fact, firewalld supports the following

[root@localhost /]# firewall-cmd --get-log-denied
multicast

@crayfishx
Contributor

@marcinbojko Maybe you can clear something up here - I've been playing with this feature but it introduces some odd behaviour.

Starting with a zone with rich rules configured.

[root@localhost tests]# firewall-cmd --permanent --zone public --list-rich-rules
rule family="ipv4" source address="10.10.10.50" port port="8803" protocol="tcp" accept

Then I set log_denied:

[root@localhost tests]# firewall-cmd --set-log-denied=multicast
success

Now the rich rules are no longer configured.

[root@localhost tests]# firewall-cmd --permanent --zone public --list-rich-rules

When we restart firewalld they come back. This is a little tricky, and yet more dependency headaches around restarting firewalld. It looks to me that we must restart firewalld immediately after running --set-log-denied otherwise the state of all the other resources in the catalog are affected.

@marcinbojko
Author

I'll generate a test machine to check this.

@crayfishx
Contributor

@marcinbojko See #156

@marcinbojko
Author

Ok, quick investigation:
Installed Packages
firewalld.noarch 0.4.3.2-8.1.el7_3.3

1. State BEFORE any changes

firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="0.0.0.0/0" port port="61613" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="10050" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="10000" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="8140" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="22" protocol="tcp" log level="warning" accept

2. Applying firewall-cmd --set-log-denied=multicast
success

No changes in 'list-all'

firewall-cmd --list-all
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="0.0.0.0/0" port port="61613" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="10050" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="10000" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="8140" protocol="tcp" log level="warning" accept
	rule family="ipv4" source address="0.0.0.0/0" port port="22" protocol="tcp" log level="warning" accept

3. But firewall-cmd --permanent --zone work --list-all

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

4. Quick test - are rules working? - yes, they are.

sudo nping -tcp 10.99.15.69 -p 8140

Starting Nping 0.7.01 ( https://nmap.org/nping ) at 2017-09-12 10:29 CEST
SENT (0.0650s) TCP 10.80.0.221:14235 > 10.99.15.69:8140 S ttl=64 id=27035 iplen=40  seq=3802121916 win=1480 
RCVD (0.2354s) TCP 10.99.15.69:8140 > 10.80.0.221:14235 RA ttl=62 id=28982 iplen=40  seq=1452244790 win=0 
SENT (1.0653s) TCP 10.80.0.221:14235 > 10.99.15.69:8140 S ttl=64 id=27035 iplen=40  seq=3802121916 win=1480 
RCVD (1.2554s) TCP 10.99.15.69:8140 > 10.80.0.221:14235 RA ttl=62 id=29849 iplen=40  seq=771456053 win=0 
SENT (2.0673s) TCP 10.80.0.221:14235 > 10.99.15.69:8140 S ttl=64 id=27035 iplen=40  seq=3802121916 win=1480 
RCVD (2.2753s) TCP 10.99.15.69:8140 > 10.80.0.221:14235 RA ttl=62 id=30691 iplen=40  seq=634995359 win=0 
SENT (3.0687s) TCP 10.80.0.221:14235 > 10.99.15.69:8140 S ttl=64 id=27035 iplen=40  seq=3802121916 win=1480 

Max rtt: 207.976ms | Min rtt: 170.379ms | Avg rtt: 189.436ms
Raw packets sent: 4 (160B) | Rcvd: 3 (138B) | Lost: 1 (25.00%)
Nping done: 1 IP address pinged in 3.11 seconds

5. So maybe refresh?
firewall-cmd --reload
success

firewall-cmd --permanent --zone work --list-rich-rules
rule family="ipv4" source address="0.0.0.0/0" port port="61613" protocol="tcp" log level="warning" accept
rule family="ipv4" source address="0.0.0.0/0" port port="10050" protocol="tcp" log level="warning" accept
rule family="ipv4" source address="0.0.0.0/0" port port="10000" protocol="tcp" log level="warning" accept
rule family="ipv4" source address="0.0.0.0/0" port port="8140" protocol="tcp" log level="warning" accept
rule family="ipv4" source address="0.0.0.0/0" port port="22" protocol="tcp" log level="warning" accept


According to the docs, applying --set-log-denied should trigger a reload. Probably it doesn't.
Is it possible to do a manual reload after any state change for --set-log-denied?
Like:
firewall-cmd --set-log-denied=multicast && firewall-cmd --reload
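The workaround proposed in this thread (set LogDenied, then reload straight away so the permanent zone config is not left reading empty, as crayfishx observed above), written out as an added example. This is not code from puppet-firewalld or from either commenter; it is a POSIX shell function that checks the current value first, snapshots the zone's permanent rich rules, applies the change with an immediate reload, and fails loudly if the rules differ afterwards. The FIREWALL_CMD variable is an assumed hook so the function can be pointed at a test double; on a real host it is just firewall-cmd, invoked with the same options used in this thread.

```shell
#!/bin/sh
# Added example, not code from puppet-firewalld: change LogDenied the way this
# thread found necessary (set, then reload right away) and verify that a zone's
# permanent rich rules survived the change.
# FIREWALL_CMD is an assumed hook so the function can be pointed at a test
# double; on a real host it is simply firewall-cmd.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# valid_log_denied VALUE: true for the values firewalld accepts for --set-log-denied
valid_log_denied() {
    case "$1" in
        all|unicast|broadcast|multicast|off) return 0 ;;
        *) return 1 ;;
    esac
}

# set_log_denied VALUE ZONE
# Exit status: 0 ok (or already set), 1 firewall-cmd failed, 2 invalid value,
# 3 the zone's permanent rich rules differ after the change (config was lost).
set_log_denied() {
    value="$1"
    zone="$2"
    valid_log_denied "$value" || {
        echo "invalid LogDenied value: $value" >&2
        return 2
    }

    # Idempotence: a config-management run must not reload firewalld on every pass.
    current=$("$FIREWALL_CMD" --get-log-denied) || return 1
    if [ "$current" = "$value" ]; then
        return 0
    fi

    # Snapshot the permanent rich rules before touching anything.
    before=$("$FIREWALL_CMD" --permanent --zone "$zone" --list-rich-rules) || return 1

    "$FIREWALL_CMD" --set-log-denied="$value" >/dev/null || return 1
    # As seen in this issue, the permanent zone config reads empty after
    # --set-log-denied until firewalld reloads, so reload immediately.
    "$FIREWALL_CMD" --reload >/dev/null || return 1

    after=$("$FIREWALL_CMD" --permanent --zone "$zone" --list-rich-rules) || return 1
    if [ "$before" != "$after" ]; then
        echo "permanent rich rules of zone $zone changed; check firewalld state" >&2
        return 3
    fi
    return 0
}
```

The --get-log-denied check up front is what makes this usable from a config-management tool: without it every agent run would reload firewalld, which is exactly the dependency headache crayfishx mentions. The before/after comparison of the permanent rich rules is the check that would have caught the behaviour reported in this issue if the reload were ever skipped.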

@crayfishx
Contributor

@marcinbojko Thanks for that - it looks like you've got the same outcome. See PR #156; this seems to work for me. I hate doing yet more firewalld reloads, but it looks like there is no other way.

@marcinbojko
Author

marcinbojko commented Sep 12, 2017

Great!
Is it a good opportunity to say that your firewalld module saves my day every day? :)
