[libvirt-users] The firewall just doesn't make any sense
Sven Schwedas
sven.schwedas at tao.at
Mon Jul 15 10:52:20 UTC 2013
Could *somebody* shed some light on how the firewall is supposed to
work? I haven't even managed to get trivial firewall rules to work. As
mentioned, the examples in the documentation generate completely
nonsensical rulesets, and if I try writing my own, they make even less
sense.
For example:
> <filter name='test-eth0' chain='root'>
>   <rule action='drop' direction='in' priority='900'>
>     <all state='NEW'/>
>   </rule>
> </filter>
Generates the following iptables rules: https://up.tao.at/u/DE7E2638.txt
...and will not filter anything.
> <filter name='test-eth0' chain='root'>
>   <rule action='accept' direction='in' priority='500'>
>     <tcp srcipaddr='192.168.17.127' dstportstart='22'/>
>   </rule>
>   <rule action='drop' direction='in' priority='900'>
>     <all/>
>   </rule>
> </filter>
Will filter port 22 as well. The generated iptables rules are as
follows: https://up.tao.at/u/423CFFE9.txt
The *input* rules have the *source* address set as *destination*. Is
this a bug in libvirt/iptables?
--
Kind regards, / Best Regards,
Sven SCHWEDAS
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at
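As an added example, not code from the post above and not libvirt's own code: a small Python model of how an nwfilter rule set is meant to be read, run against the two filters quoted in the post. It sorts rules by priority (libvirt documents lower values as evaluated first), matches a packet against the protocol element's address, port and state attributes, and returns the first matching action. It models the intended per-packet decision only and does not reproduce libvirt's iptables translation, so it says nothing about the generated rulesets linked in the post. Assumptions in this model: a packet matching no rule is left alone, written here as 'accept'; the `packet()` helper, the VM address 10.0.0.5 and the sample packets are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copies of the two filters quoted in the post.
DROP_NEW_XML = """<filter name='test-eth0' chain='root'>
  <rule action='drop' direction='in' priority='900'>
    <all state='NEW'/>
  </rule>
</filter>"""

ALLOW_SSH_XML = """<filter name='test-eth0' chain='root'>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='192.168.17.127' dstportstart='22'/>
  </rule>
  <rule action='drop' direction='in' priority='900'>
    <all/>
  </rule>
</filter>"""


def parse_filter(xml_text):
    """Parse an nwfilter <filter> document into a list of rule dicts.

    Each <rule> carries exactly one protocol element (tcp, udp, all, ...)
    whose attributes are the match criteria. Rules are returned sorted by
    ascending priority, which is the order libvirt documents them as being
    evaluated in (default priority is 500)."""
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("rule"):
        proto = list(rule)[0]
        rules.append({
            "action": rule.get("action"),
            "direction": rule.get("direction", "inout"),
            "priority": int(rule.get("priority", "500")),
            "proto": proto.tag,
            "match": dict(proto.attrib),
        })
    rules.sort(key=lambda r: r["priority"])
    return rules


def packet(direction, proto, src, dst, dport, sport=40000, state="NEW"):
    """Constructed packet description; direction 'in' means towards the VM."""
    return {"direction": direction, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "state": state}


def _ip_in(addr, rule_addr, rule_mask):
    # No address attribute on the rule means "any". Mask may be a prefix
    # length or dotted quad; IPv4 only, so a missing mask means /32.
    if rule_addr is None:
        return True
    net = ipaddress.ip_network(f"{rule_addr}/{rule_mask or '32'}", strict=False)
    return ipaddress.ip_address(addr) in net


def _port_in(port, start, end):
    # dstportstart without dstportend matches that single port.
    if start is None:
        return True
    lo = int(start)
    hi = int(end) if end is not None else lo
    return lo <= port <= hi


def rule_matches(rule, pkt):
    """True when every criterion on the rule's protocol element matches pkt."""
    if rule["direction"] != "inout" and rule["direction"] != pkt["direction"]:
        return False
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    m = rule["match"]
    if not _ip_in(pkt["src"], m.get("srcipaddr"), m.get("srcipmask")):
        return False
    if not _ip_in(pkt["dst"], m.get("dstipaddr"), m.get("dstipmask")):
        return False
    if not _port_in(pkt["sport"], m.get("srcportstart"), m.get("srcportend")):
        return False
    if not _port_in(pkt["dport"], m.get("dstportstart"), m.get("dstportend")):
        return False
    if "state" in m:
        # Comma-separated conntrack states, e.g. "NEW,ESTABLISHED".
        wanted = {s.strip() for s in m["state"].split(",")}
        if pkt["state"] not in wanted:
            return False
    return True


def evaluate(rules, pkt):
    """Action of the first matching rule in priority order.

    Assumption of this model: a packet no rule matches is left alone,
    returned here as 'accept'."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


if __name__ == "__main__":
    rules = parse_filter(ALLOW_SSH_XML)
    vm = "10.0.0.5"
    for pkt in (packet("in", "tcp", "192.168.17.127", vm, 22),
                packet("in", "tcp", "192.168.17.200", vm, 22),
                packet("in", "tcp", "192.168.17.127", vm, 80)):
        print(pkt["src"], "->", pkt["dport"], evaluate(rules, pkt))
```

Under this reading, the second filter should let TCP/22 from 192.168.17.127 through and drop everything else inbound, and the first filter should drop only NEW inbound connections; the model also shows that document order in the XML does not matter, only the priority value does.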