[Ovirt-devel] [PATCH node-image] configure IPv6 firewall
Alan Pevec
apevec at redhat.com
Wed May 27 17:13:46 UTC 2009
default is all ACCEPT
Signed-off-by: Alan Pevec <apevec at redhat.com>
---
common-post.ks | 24 ++++++++++++++++++++++++
1 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/common-post.ks b/common-post.ks
index 2734004..8a4940a 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -80,6 +80,30 @@ cat > /etc/sysconfig/iptables << \EOF
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
+# configure IPv6 firewall, default is all ACCEPT
+cat > /etc/sysconfig/ip6tables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# libvirt
+-A INPUT -p tcp --dport 16509 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# anyterm
+-A INPUT -p tcp --dport 81 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5800:6000 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
# remove errors from /sbin/dhclient-script
DHSCRIPT=/sbin/dhclient-script
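Review bot: The comment added above the ip6tables heredoc, `# configure IPv6 firewall, default is all ACCEPT`, reads as if the new ruleset accepts everything, while the rules under it end INPUT with `-j REJECT --reject-with icmp6-adm-prohibited` and so refuse anything not listed. I would reword it to describe what the file does, for example `# configure IPv6 firewall: with no rules loaded ip6tables accepts everything; INPUT below rejects all but the listed ports`. The three chain policies stay `ACCEPT`, so the deny depends entirely on that REJECT rule remaining last in INPUT; a short comment beside it saying so would help whoever appends a rule later. Nothing in this hunk enables the ip6tables service, so it is worth confirming that this happens elsewhere in the kickstart, otherwise the file is written but never loaded. The hunk's trailing context continues into the dhclient-script section, which is outside what is shown.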
--
1.6.0.6