Logging dropped packets

Here's another time-saver that you're sure to like. If you want to create log entries whenever packets get blocked, just use the --set-log-denied option. Before we do that, let's see if it's already enabled:

[donnie@localhost ~]$ sudo firewall-cmd --get-log-denied
[sudo] password for donnie:
off
[donnie@localhost ~]$

It's not, so let's turn it on and check the status again:

[donnie@localhost ~]$ sudo firewall-cmd --set-log-denied=all
success
[donnie@localhost ~]$ sudo firewall-cmd --get-log-denied
all
[donnie@localhost ~]$

We've set it up to log all denied packets. However, you might not always want that. Your other choices are as follows:

  • unicast
  • broadcast
  • multicast

So, for example, if all you want is to log blocked packets that are going to multicast addresses, do the following:

[donnie@localhost ~]$ sudo firewall-cmd --set-log-denied=multicast
[sudo] password for donnie:
success
[donnie@localhost ~]$ sudo firewall-cmd --get-log-denied
multicast
[donnie@localhost ~]$

So far, we've just set the runtime configuration, which will disappear once we reboot the machine. To make this permanent, we can use any of the methods that we've already used. For now, let's just do this:

[donnie@localhost ~]$ sudo firewall-cmd --runtime-to-permanent
success
[donnie@localhost ~]$

Unlike what we saw with the Debian/Ubuntu distros, there's no separate kern.log file for our packet-denied messages. Instead, the RHEL-type distros log the packet-denied messages in the /var/log/messages file, which is the main log file in the RHEL world. Several different message tags are already defined, which will make it easier to audit the logs for dropped packets. For example, here's a message that tells us about blocked broadcast packets:

Aug 20 14:57:21 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1f:29:02:0d:5f:08:00 SRC=192.168.0.225 DST=255.255.255.255 LEN=140 TOS=0x00 PREC=0x00 TTL=64 ID=62867 DF PROTO=UDP SPT=21327 DPT=21327 LEN=120

The tag is FINAL_REJECT, which tells us that this message was created by the catch-all, final REJECT rule that's at the end of our input chain. The DST=255.255.255.255 part tells us that this was a broadcast message.

Here's another example, where I did an Nmap NULL scan against this machine:

sudo nmap -sN 192.168.0.8

Aug 20 15:06:15 localhost kernel: STATE_INVALID_DROP: IN=enp0s3 OUT= MAC=08:00:27:10:66:1c:00:1f:29:02:0d:5f:08:00 SRC=192.168.0.225 DST=192.168.0.8 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=27451 PROTO=TCP SPT=46294 DPT=23 WINDOW=1024 RES=0x00 URGP=0

In this case, I triggered the rule that blocks INVALID packets, as indicated by the STATE_INVALID_DROP tag.
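As an added example (not the book's own code), here is a small Python parser for the kernel messages that firewalld's log-denied rules write to /var/log/messages. It pulls out the tag and the packet fields, classifies DST into the same unicast/broadcast/multicast classes that --set-log-denied accepts, and counts hits per tag, which is the kind of audit the text describes. The sample log text is constructed from the two messages shown above plus one unrelated line.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of /var/log/messages: the two denied-packet messages shown
# above plus one non-firewall line that the parser must ignore.
SAMPLE_LOG = """\
Aug 20 14:57:21 localhost kernel: FINAL_REJECT: IN=enp0s3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1f:29:02:0d:5f:08:00 SRC=192.168.0.225 DST=255.255.255.255 LEN=140 TOS=0x00 PREC=0x00 TTL=64 ID=62867 DF PROTO=UDP SPT=21327 DPT=21327 LEN=120
Aug 20 15:06:15 localhost kernel: STATE_INVALID_DROP: IN=enp0s3 OUT= MAC=08:00:27:10:66:1c:00:1f:29:02:0d:5f:08:00 SRC=192.168.0.225 DST=192.168.0.8 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=27451 PROTO=TCP SPT=46294 DPT=23 WINDOW=1024 RES=0x00 URGP=0
Aug 20 15:06:16 localhost sshd[1234]: Accepted publickey for donnie from 192.168.0.225 port 50022 ssh2
"""

# The tag sits between "kernel: " and the first "key=value" field.
LINE_RE = re.compile(r"kernel: (?P<tag>[A-Z_]+): (?P<fields>.*)$")
# Keys may have an empty value (OUT=); bare flags such as DF are simply not matched.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def classify_dst(dst):
    """Map DST to the classes --set-log-denied accepts: broadcast, multicast, unicast.

    Only the limited broadcast 255.255.255.255 is recognised as broadcast; a
    subnet-directed broadcast would need the interface netmask, which the log
    line does not carry (assumption made for this example).
    """
    addr = ipaddress.ip_address(dst)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    return "unicast"


def parse_denied(log_text):
    """Return one dict per firewalld denied-packet message; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("fields")))
        events.append({
            "tag": m.group("tag"),
            "src": fields.get("SRC"),
            "dst": fields.get("DST"),
            "proto": fields.get("PROTO"),
            "dpt": fields.get("DPT"),
            "kind": classify_dst(fields["DST"]) if "DST" in fields else "unknown",
        })
    return events


def summarize(events):
    """Count messages per (tag, kind) pair, e.g. how many FINAL_REJECT hits were broadcast."""
    return Counter((e["tag"], e["kind"]) for e in events)
```

Feed it the real file with `parse_denied(open("/var/log/messages").read())` and the summary shows at a glance which rule is doing the dropping and whether the noise is broadcast chatter or unicast probes.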

So, now you're saying, "But wait. These two rules that we just tested aren't anywhere to be found in the firewalld configuration files that we've looked at so far. What gives?" And you're right. The location of these default, pre-configured rules is something that the Red Hat folk apparently want to keep hidden from us. However, in the following sections that are specific to RHEL/CentOS 7 and RHEL/CentOS 8, we'll spoil their fun, because I can show you where these rules are.
