I. Enable the debug option
1. Official documentation:
https://firewalld.org/documentation/howto/debug-firewalld.html
2. Edit the configuration file:
[root@blog ~]# vi /etc/sysconfig/firewalld
Uncomment the line FIREWALLD_ARGS=--debug=10 (the file should then look like the listing below), and restart the firewalld service so the daemon is started with the new argument:
[root@blog ~]# more /etc/sysconfig/firewalld
# firewalld command line args
# possible values: --debug
FIREWALLD_ARGS=--debug=10
#FIREWALLD_ARGS=
Note: the number after --debug is the verbosity level, from 1 (least verbose) to 10 (most verbose); the original page shows the level table in a screenshot that is not reproduced here. Level 10 logs every transaction step and grows the log quickly, so re-comment the line and restart firewalld once you have finished debugging.
II. View the debug information in the log
The log file is /var/log/firewalld.
View the file:
[root@blog ~]# tail -100 /var/log/firewalld
Example content:
2024-08-29 11:24:16 DEBUG2: config.Introspect()
2024-08-29 11:24:16 DEBUG2: config.Introspect()
2024-08-29 11:24:16 DEBUG2: config.Introspect()
2024-08-29 11:24:16 DEBUG1: zone.removeRichRule('drop', 'rule family="ipv4" source ipset="nginxcc" drop')
2024-08-29 11:24:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.execute(True)
2024-08-29 11:24:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.prepare(True, ...)
2024-08-29 11:24:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.prepare(True, ...)
2024-08-29 11:24:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.pre()
2024-08-29 11:24:16 DEBUG2: <class 'firewall.core.nftables.nftables'>: rule ref cnt 0, /usr/sbin/nft delete rule inet firewalld filter_IN_drop_deny meta nfproto ipv4 ip saddr @nginxcc drop
2024-08-29 11:24:16 DEBUG2: <class 'firewall.core.nftables.nftables'>: /usr/sbin/nft delete rule inet firewalld filter_IN_drop_deny handle 530
2024-08-29 11:24:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.post()
2024-08-29 11:24:16 DEBUG1: zone.RichRuleRemoved('drop', 'rule family="ipv4" source ipset="nginxcc" drop')
Note: the DEBUG1 lines bracket the rich-rule removal (zone.removeRichRule ... zone.RichRuleRemoved), and the DEBUG2 lines between them record the nft command firewalld built for the rule and the rule handle (530) it actually deleted from the inet firewalld table. When a firewall-cmd change does not seem to reach the kernel ruleset, these nft lines are the first thing to compare against the output of nft list ruleset.
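Because every line in /var/log/firewalld has the same "timestamp LEVELn: message" shape, the log is easy to post-process, for example to pull out only the nft commands firewalld issued or only the rich-rule events for a zone. The script below is an added example written for this page, not code from firewalld itself; the sample log text is constructed from the lines shown above, and the regular expressions are an assumption about the log format based on those lines.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, modelled on the debug lines shown on this page
# (a rich-rule removal and the two nft commands it produced). Not a real capture.
SAMPLE_LOG = """\
2024-08-29 11:24:16 DEBUG2: config.Introspect()
2024-08-29 11:24:16 DEBUG1: zone.removeRichRule('drop', 'rule family="ipv4" source ipset="nginxcc" drop')
2024-08-29 11:24:16 DEBUG4: <class 'firewall.core.fw_transaction.FirewallZoneTransaction'>.execute(True)
2024-08-29 11:24:16 DEBUG2: <class 'firewall.core.nftables.nftables'>: rule ref cnt 0, /usr/sbin/nft delete rule inet firewalld filter_IN_drop_deny meta nfproto ipv4 ip saddr @nginxcc drop
2024-08-29 11:24:16 DEBUG2: <class 'firewall.core.nftables.nftables'>: /usr/sbin/nft delete rule inet firewalld filter_IN_drop_deny handle 530
2024-08-29 11:24:16 DEBUG1: zone.RichRuleRemoved('drop', 'rule family="ipv4" source ipset="nginxcc" drop')
a line without a timestamp is ignored rather than crashing the parser
"""

# Assumed line shape: "YYYY-MM-DD HH:MM:SS LEVEL[n]: message" (e.g. DEBUG2, INFO, ERROR).
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([A-Z]+)(\d*): (.*)$")
# The nftables backend logs the full nft command line it runs.
NFT_RE = re.compile(r"(/usr/sbin/nft .*)$")
# Rich-rule calls/events look like zone.<name>('<zone>', '<rule>').
RICH_RE = re.compile(r"^zone\.(\w*RichRule\w*)\('([^']*)', '(.*)'\)$")


@dataclass
class Entry:
    ts: str
    level: str       # DEBUG, INFO, WARNING, ERROR, FATAL
    verbosity: int   # numeric suffix (2 for DEBUG2); 0 when there is none
    msg: str


def parse_log(text: str) -> List[Entry]:
    """Parse firewalld log text into entries, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, num, msg = m.groups()
        entries.append(Entry(ts, level, int(num) if num else 0, msg))
    return entries


def nft_commands(entries: List[Entry]) -> List[str]:
    """Return the nft command lines firewalld executed, in log order."""
    cmds = []
    for e in entries:
        m = NFT_RE.search(e.msg)
        if m:
            cmds.append(m.group(1))
    return cmds


def rich_rule_events(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (event, zone, rule) for every rich-rule call or signal in the log."""
    events = []
    for e in entries:
        m = RICH_RE.match(e.msg)
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def at_most(entries: List[Entry], verbosity: int) -> List[Entry]:
    """Keep only entries at or below a given DEBUG verbosity (plus non-DEBUG levels)."""
    return [e for e in entries if e.level != "DEBUG" or e.verbosity <= verbosity]


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/firewalld").read() on a real host.
    parsed = parse_log(SAMPLE_LOG)
    for cmd in nft_commands(parsed):
        print("nft:", cmd)
    for event, zone, rule in rich_rule_events(parsed):
        print(f"{event} zone={zone} rule={rule}")
```

Run it against a real /var/log/firewalld after a firewall-cmd change and diff the printed nft commands against nft list ruleset to confirm the change reached the kernel; the at_most helper trims a --debug=10 log down to the levels you care about.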