From cda9e8a2fbba8eb86d66892e67740f784195c868 Mon Sep 17 00:00:00 2001
From: AJ Jordan <alex@strugee.net>
Date: Thu, 29 Aug 2019 11:51:12 -0700
Subject: [PATCH] Add note about firewall logs for troubleshooting

Fixes QubesOS/qubes-issues#5270
---
 user/security-in-qubes/firewall.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/user/security-in-qubes/firewall.md b/user/security-in-qubes/firewall.md
index eb1b330c..05f50799 100644
--- a/user/security-in-qubes/firewall.md
+++ b/user/security-in-qubes/firewall.md
@@ -387,3 +387,9 @@ Where to put firewall rules
 Implicit in the above example [scripts](/doc/config-files/), but worth calling attention to: for all qubes *except* AppVMs supplying networking, iptables commands should be added to the `/rw/config/rc.local` script.
 For AppVMs supplying networking (`sys-firewall` inclusive), iptables commands should be added to `/rw/config/qubes-firewall-user-script`.
 
+Firewall troubleshooting
+------------------------
+
+Firewall logs are stored in the systemd journal of the qube the firewall is running in (probably `sys-firewall`).
+You can view them by running `sudo journalctl -u qubes-firewall.service` in the relevant qube.
+Sometimes these logs can contain useful information about errors that are preventing the firewall from behaving as you would expect.