log block ip addresses

[sdavi3840]

if you have an extensive list of untrustworthy IP addresses in your firewalld config, is there an easy way to tell that your rules are actually working?
For example, if I have a rule:-
**<rule family="ipv4"><source address="208.68.36.0/22" /><reject/></rule>**
how can I easily detect that an address that has been blocked by that rule has tried to breach my firewall?

As I see it, logging is OFF or you get everything and then you have to filter through possibly hundreds of thousand of logged events per day. A nice and easy way to prove that the rules that I put into the firewall actually work would be beneficial to me and many others I am sure.
One reason is that if an IP is repeatedly trying to breach the firewall, having a timestamped record of those attempts make it difficult to the IP owner to reject your abuse claims. I have had responses that suggest just reporting one breach attempt is not sufficuent for the hosting service to take action.

[erig0]

Rich rules also support logging. You can log and reject in the same rich rule.

e.g.

# firewall-cmd --add-rich-rule='rule family=ipv4 source address=208.68.36.0/22 log reject'

You can also limit the log.

e.g. only 5 logs per day

# firewall-cmd --add-rich-rule='rule family=ipv4 source address=208.68.36.0/22 log limit value=5/day reject'

[sdavi3840]

Thanks for that. This facility does not seem to be widely known.
I will give it a try and if it is ok, then I'll add it into my automation of the firewall rules.