On Friday, August 23, 2013 05:24:02 PM Mateusz Marzantowicz wrote:
> I'd like to configure FirewallD to protect qemu/kvm host and maybe
> guests but the second one is not so important for me because each guest
> has its own firewall.
>
> What I don't understand is how FirewallD works with network bridges.
> Currently, I have bridge (br0) in trusted zone to allow as much traffic
> as possible, and p3p1 (which is NIC connected to switch) in public zone.
> When I put bridge in public zone I cut off networking from guests.
>
> My question is, should I change rules on bridge or p3p1 and what is the
> correlation between them? What should I configure to pass networking
> traffic to guests but protect all ports on host system?

Take a look at

http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging
https://bugzilla.redhat.com/show_bug.cgi?id=512206

I believe the default now is to set the following to disable netfiltering
traffic for the bridge:

    sysctl
    net.bridge.bridge-nf-call-ip6tables = 0
    net.bridge.bridge-nf-call-iptables = 0
    net.bridge.bridge-nf-call-arptables = 0

Then your firewall only needs to consider p3p1. The hosts on the VM side
of the bridge will need their own firewalls.

-A

--
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
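As an added check (not part of this thread or of anyone's reply), the following POSIX shell functions read the three bridge-nf-call keys from a sysctl-style "key = value" listing and report whether bridged guest traffic bypasses the host's iptables/ip6tables/arptables chains, which is the state the reply above describes; they also emit a sysctl.d drop-in that persists it. The listing is passed in as text (a constructed dump in the test, the real `sysctl -a` output on a live host), so the check runs offline.

```shell
#!/bin/sh
# Added example: inspect the bridge-nf-call sysctls that decide whether
# frames crossing a Linux bridge (br0) are handed to the host's netfilter.
# Input is a "key = value" listing in the format `sysctl -a` prints.

# Print the value of one key from the listing, or "missing" if absent.
bridge_nf_value() {
    key="$1"; listing="$2"
    printf '%s\n' "$listing" | awk -v k="$key" '
        $1 == k && $2 == "=" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# Return 0 when all three keys are 0 (bridged guest traffic is not filtered
# on the host, so firewalld only has to care about p3p1), 1 when any key is
# still 1 (host rules also apply to guest traffic, which is what cut the
# guests off when br0 was moved to the public zone), 2 when a key is absent
# (the br_netfilter module is not loaded, so nothing is filtered either way).
bridge_nf_disabled() {
    listing="$1"; rc=0
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-arptables; do
        v=$(bridge_nf_value "$key" "$listing")
        case "$v" in
            0) ;;
            missing) echo "$key: not present (br_netfilter not loaded?)"; rc=2 ;;
            *) echo "$key = $v: host netfilter sees bridged guest traffic"
               [ "$rc" -eq 2 ] || rc=1 ;;
        esac
    done
    return "$rc"
}

# Emit the drop-in contents (e.g. for /etc/sysctl.d/, a path assumed here)
# that keep the bridge out of the host's netfilter chains across reboots.
bridge_nf_sysctl_conf() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-iptables = 0' \
        'net.bridge.bridge-nf-call-ip6tables = 0' \
        'net.bridge.bridge-nf-call-arptables = 0'
}

# Live use on a host: bridge_nf_disabled "$(sysctl -a 2>/dev/null | grep bridge-nf-call)"
```

Once the check passes, the guests are no longer covered by the host's zones at all, so each guest's own firewall is the only thing in front of it.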
--
users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx