diff --git a/SOURCES/firewalld-0.4.3.2-fix_log_denied_rhbz#1402932.patch b/SOURCES/firewalld-0.4.3.2-fix_log_denied_rhbz#1402932.patch
new file mode 100644
index 0000000..7dee7aa
--- /dev/null
+++ b/SOURCES/firewalld-0.4.3.2-fix_log_denied_rhbz#1402932.patch
@@ -0,0 +1,29 @@
+commit 821f04205d505da14587896cf436cbab5dba4dd9
+Author: Thomas Woerner <twoerner@redhat.com>
+Date:   Fri Sep 16 16:11:53 2016 +0200
+
+    firewall.core.fw_zone: Fix LOG rule placement for LogDenied
+    
+    The LOG rule needs to be placed exactly before the DROP or REJECT rule and not
+    afterwards.
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index d72caa5..97596bc 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -325,13 +325,13 @@ class FirewallZone(object):
+                        chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
+                         if target in [ "REJECT", "%%REJECT%%" ]:
+                             transaction.add_rule(
+-                                ipv, [ "-I", _zone, "5", "-t", table,
++                                ipv, [ "-I", _zone, "4", "-t", table,
+                                        "%%LOGTYPE%%",
+                                        "-j", "LOG", "--log-prefix",
+                                        "\"%s_REJECT: \"" % _zone ])
+                         if target == "DROP":
+                             transaction.add_rule(
+-                                ipv, [ "-I", _zone, "5", "-t", table,
++                                ipv, [ "-I", _zone, "4", "-t", table,
+                                        "%%LOGTYPE%%",
+                                        "-j", "LOG", "--log-prefix",
+                                        "\"%s_DROP: \"" % _zone ])
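Review bot: The insertion index `"4"` in both `transaction.add_rule` calls (the REJECT branch and the DROP branch) is a bare literal, and nothing in the hunk ties it to the chain layout it depends on. It is only correct while the zone chain's final DROP/REJECT rule sits at that position when this code runs. If that layout shifts, the LOG rule can again land after the terminal rule, so denied packets stop being logged without any error, which leaves a gap in LogDenied audit data. I would add a comment above each call such as `# -I at 4: slot of the zone's terminal DROP/REJECT rule, so LOG is evaluated first`, or better, take the index from one named constant defined next to the code that builds the chain. A regression test asserting that the LOG rule precedes the DROP/REJECT rule in the generated rule list would catch a repeat; the enclosing method starts and ends outside this hunk, so the actual chain construction is not visible here.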
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index 1d68593..8ed92e5 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -8,7 +8,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.4.3.2
-Release: 8.1%{?dist}
+Release: 8.1%{?dist}.2
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2
@@ -34,6 +34,7 @@ Patch19: firewalld-0.4.3.2-set_rules_copy_fix_rhbz#1373260.patch
 Patch20: firewalld-0.4.3.2-translation_update_rhbz#1273296.patch
 Patch21: firewalld-0.4.3.2-exclude_firewallctl_rhbz#1374799.patch
 Patch22: firewalld-0.4.3.2-no_blanked_zone_rhbz#1381314.patch
+Patch23: firewalld-0.4.3.2-fix_log_denied_rhbz#1402932.patch
 
 BuildArch: noarch
 BuildRequires: desktop-file-utils
@@ -166,6 +167,7 @@ firewalld.
 %patch20 -p1 -b .translation_update_rhbz#1273296
 %patch21 -p1 -b .exclude_firewallctl_rhbz#1374799
 %patch22 -p1 -b .no_blanked_zone_rhbz#1381314
+%patch23 -p1 -b .fix_log_denied_rhbz#1402932
 
 %if 0%{?with_python3}
 rm -rf %{py3dir}
@@ -354,6 +356,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Wed Feb  8 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.3.2-8.1.el7_3.2
+- Fix LOG rule placement for LogDenied (RHBZ#1402932, RHBZ#1421205)
+
 * Mon Jan  9 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.3.2-8.1
 - Fix ZONE being blanked in ifcfg on reboot (RHBZ#1410860, RHBZ#1381314)