Firewalld Logging
Starting firewalld with the --debug[=level] option sets its debug level to level. The debug level ranges from 1 (lowest) to 10 (highest). The debug output is written to the firewalld log file /var/log/firewalld.
Kernel Logging
You can turn on some limited firewall packet logging via firewalld’s Log Denied setting.
firewall-cmd --runtime-to-permanent
firewall-cmd --set-log-denied=all
This setting will write a kernel packet-filter log entry to the kernel message facility for every packet that is blocked because the packet failed to match any rule.
You can view these messages via:
- the dmesg command
- with journalctl, the command journalctl -k
- with rsyslogd, a tail of the following files: /var/log/kern.log or /var/log/messages.
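Once Log Denied is on, the entries are easier to review when grouped by source, protocol and destination port. The script below is an added example, not part of the original page or of firewalld. It assumes each entry carries a log prefix ending in _REJECT: or _DROP: followed by the standard netfilter LOG fields; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise firewalld log-denied entries found in kernel log text.
# Assumption: each entry has a log prefix ending in _REJECT: or _DROP:, then the
# standard netfilter LOG fields (IN=, SRC=, DST=, PROTO=, DPT=).

# Read kernel log lines on stdin; print "count prefix src proto dpt",
# most frequent first. Fields absent from an entry (DPT for ICMP) print as "-".
summarize_denied() {
    awk '
    /(_REJECT|_DROP): / && / SRC=/ {
        prefix = "-"; src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /(_REJECT|_DROP):$/) { prefix = $i; sub(/:$/, "", prefix) }
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[prefix " " src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed, abbreviated sample in the "journalctl -k" layout
# (documentation-range addresses; one unrelated kernel line that must be ignored).
sample_log() {
    cat <<'EOF'
Jan 10 12:00:01 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40000 DPT=23 SYN
Jan 10 12:00:02 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40001 DPT=23 SYN
Jan 10 12:00:03 host kernel: usb 1-1: new high-speed USB device number 2 using xhci_hcd
Jan 10 12:00:04 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=71 TTL=49 PROTO=UDP SPT=53000 DPT=161 LEN=51
Jan 10 12:00:05 host kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=52 PROTO=TCP SPT=40002 DPT=443 ACK
Jan 10 12:00:06 host kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=49 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

sample_log | summarize_denied
```

On a live host, feed the function from journalctl -k or dmesg instead of sample_log.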