Debug firewalld

You can either add the –debug option to the firewalld args in the /etc/sysconfig/firewalld file or in the firewalld service file or you can start firewalld in a terminal after stopping the service.

The sysconfig file

This file does not exist in all distributions. In Fedora or RHEL based distributions it usable:

# firewalld command line args
# possible values: --debug

To enable the debugging mode, add --debug[=<level>] to FIREWALLD_ARGS. For a list of the supported debug levels, please have a look furter down.

The firewalld systemd service file

This is the firewalld systemd service file on Fedora for example:

$ cat /usr/lib/systemd/system/firewalld.service
Description=firewalld - dynamic firewall daemon
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service

ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages


To enable debugging, you can add the --debug[=<level>] option to ExecStart. For a list of the supported debug levels, please have a look furter down.

Start in terminal

As user root you can start the firewall daemon in a termal for debugging:

# firewalld --nofork --debug

With the --nofork option the daemon is not doing a fork and stays in the foreground. It is possible to use another debug level with --debug[=<level>].

The debug levels

Different debug levels are supported here. The default is debug level 1 if –debug is added to the command line. Higher debug levels can be specified with –debug=. The higher the debug level the more output. The highest debug level is 10.

Debug level Output
1 Loading config files, D-Bus method calls
2 + Backend calls, D-Bus Introspect method calls, access checks
3 + Rules that are added by the backends
4 + Transaction steps
5 - 9 Currently unused
10 + Introspection XML data