I have a CentOS 7 server in a LAN together with Windows machines.
I have switched on logging in iptables of "to-be-rejected" or "to-be-dropped" packets using
firewall-cmd --set-log-denied=all
This adds the appropriate iptables logging rules. For example, at the end of the FORWARD chain:
LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
However, now the kernel log (or rather the journal) logs lots of packets from the assorted Windows machines getting rejected, more precisely NetBIOS broadcasts (UDP to port 137 and 138 on the subnet broadcast address) that no service on the Linux box is interested in.
I want to just drop these packets without further ado even before they are logged.
FINAL_REJECT: IN=ens160 OUT= MAC=ff:ff:ff:ff:ff:ff:XX:XX:XX:XX:XX:XX:08:00 SRC=10.10.2.74 DST=10.10.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32306 PROTO=UDP SPT=137 DPT=137 LEN=58
What is the firewall-cmd to do this properly?
Rather than logging every dropped packet, you can configure firewalld not to log broadcast or multicast packets such as the one you've given as an example in your question.
To do this, use --set-log-denied=unicast. Now the logs will only contain denied traffic that was directed toward your host.
From the man page:
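As an added example (not part of the question or answer above), a small POSIX shell script that sorts journal LOG lines by the same link-layer packet type firewalld's log-denied rules match on, so you can preview which of the entries currently being logged `--set-log-denied=unicast` would keep and which it would silence. The function names and the two extra log lines are made up; the first sample line is the one from the question with a made-up source MAC.

```shell
#!/bin/sh
# Classify firewalld LOG entries by link-layer packet type. This is the split
# --set-log-denied=unicast|broadcast|multicast makes: firewalld adds the
# iptables pkttype match to its LOG rules, and for frames arriving on an
# Ethernet interface pkttype is decided by the destination MAC.
# In the log line, MAC= is dstMAC(6):srcMAC(6):ethertype(2).

pkt_type() {
    # $1: one kernel log line; prints unicast, broadcast, multicast or unknown
    mac=$(printf '%s\n' "$1" | sed -n 's/.*MAC=\([0-9a-fA-F:]*\).*/\1/p')
    if [ -z "$mac" ]; then echo unknown; return 0; fi  # no MAC, e.g. OUTPUT chain
    dst=$(printf '%s' "$mac" | cut -d: -f1-6 | tr 'A-F' 'a-f')
    case "$dst" in
        ff:ff:ff:ff:ff:ff) echo broadcast ;;
        ?[13579bdf]:*)     echo multicast ;;   # group bit (LSB of octet 1) set
        *)                 echo unicast ;;
    esac
}

# Print only the entries that would still be logged after
# firewall-cmd --set-log-denied=unicast (reads log lines on stdin).
still_logged() {
    while IFS= read -r line; do
        if [ "$(pkt_type "$line")" = unicast ]; then printf '%s\n' "$line"; fi
    done
    return 0
}

# Constructed sample: the question's NetBIOS broadcast (source MAC made up),
# a made-up mDNS multicast line and a made-up unicast SMB connection attempt.
SAMPLE_LOG='FINAL_REJECT: IN=ens160 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:29:aa:bb:cc:08:00 SRC=10.10.2.74 DST=10.10.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=32306 PROTO=UDP SPT=137 DPT=137 LEN=58
FINAL_REJECT: IN=ens160 OUT= MAC=01:00:5e:00:00:fb:00:0c:29:aa:bb:cc:08:00 SRC=10.10.2.74 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
FINAL_REJECT: IN=ens160 OUT= MAC=00:0c:29:11:22:33:00:0c:29:aa:bb:cc:08:00 SRC=10.10.2.74 DST=10.10.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=2 PROTO=TCP SPT=50000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0'

# With the unicast setting only the DST=10.10.2.10 line would survive.
printf '%s\n' "$SAMPLE_LOG" | still_logged
```

On a live box, feed it `journalctl -k | grep FINAL_REJECT` instead of the sample to see what the setting would suppress.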