[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Prevent the firewall from being compromised through libvirtd

On Sat, Jan 25, 2020 at 04:52:40PM +0100, Thomas Luening wrote:
> Hello @ all
> The libvirt-daemon compromises the packet-filtering-rules at daemon-startup,
> before any VM is started. To prevent this, I first have create a hook-script
> which deletes existing rules, but apparently these rules are set after the
> hook. Removing the defined networks was no solution either. Worst of all is,
> a service restart of the daemon may even completely neutralize the firewall.

Can you elaborate on which rules you think are compromising the firewall ?
Libvirt will setup rules associated with virtual networks that are defined
in libvirtd (ie the virbr0 device and similar). By default these rules
are intended to setup outbound NAT access for things connected to that
bridge device only. The only inbound rules allowed are for established
NAT connections, and for access to the DHCP/DNS dnsmasq service from the
bridge device. This shouldn't compromise/neutralize the host firewall.

> Is there a solution to prevent this undesirable behavior? No matter how or
> who what do or with what  network configuration a VM is started, the daemon
> must not compromise the firewall, by altering them. The Firewall is
> untouchable and taboo.

Assuming you're talking about the default network rules

  virsh net-destroy default
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]