To log events created by Shorewall in a custom file called “firewall.log” in /var/log directory first edit the /etc/shorewall/shorewall.conf file. Edit this line:

LOGFILE=/var/log/firewall.log

Actual logging is managed by rsyslog daemon. Create a new file called “firewall.conf” in /etc/rsyslog.d/ and add this:

:msg, contains, "Shorewall:" -/var/log/firewall.log
& ~

From new version of rsyslog (8.4.2, on Debian 9) use “stop” instead of tilda:

:msg, contains, "Shorewall:" -/var/log/firewall.log
& stop

Now restart rsyslog service and shorewall

Create the file /etc/logrotate.d/firewall and put this in it:

/var/log/firewall.log {
        rotate 4
        weekly
        missingok
        notifempty
        delaycompress
        compress
}

Don't forget to check if startup is enabled in /etc/default/shorewall[6]

• Debian 9,10

• Prevent programm from logging to daemon.log