On 24.08.2013 11:16, Anthony Messina wrote:
> On Friday, August 23, 2013 05:24:02 PM Mateusz Marzantowicz wrote:
>> I'd like to configure FirewallD to protect the qemu/kvm host and maybe
>> guests, but the second one is not so important for me because each guest
>> has its own firewall.
>>
>> What I don't understand is how FirewallD works with network bridges.
>> Currently, I have the bridge (br0) in the trusted zone to allow as much traffic
>> as possible, and p3p1 (which is the NIC connected to the switch) in the public zone.
>> When I put the bridge in the public zone I cut off networking from the guests.
>>
>> My question is, should I change rules on the bridge or on p3p1, and what is the
>> correlation between them? What should I configure to pass networking
>> traffic to the guests but protect all ports on the host system?
>
> Take a look at
>
> http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging
> https://bugzilla.redhat.com/show_bug.cgi?id=512206
>
> I believe the default now is to set the following to disable netfiltering
> of traffic for the bridge:
>
> sysctl
> net.bridge.bridge-nf-call-ip6tables = 0
> net.bridge.bridge-nf-call-iptables = 0
> net.bridge.bridge-nf-call-arptables = 0
>
> Then your firewall only needs to consider p3p1. The hosts on the VM side of
> the bridge will need their own firewalls. -A

Thanks, now I understand what is going on there, but I've encountered another problem. I have the net.* entries you mentioned above in /etc/sysctl.conf, but they're not applied on system startup (or they're changed later by something - maybe firewalld?). I have to run sysctl manually.

Mateusz Marzantowicz

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
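A check for the situation described in the thread, added here as an example and not part of the original mail exchange: it reads `sysctl net.bridge` output and reports which of the three bridge-nf-call keys are missing (the key does not exist until the bridge netfilter module is loaded, so a value applied from sysctl.conf before that point never took effect) or have drifted from 0. The `sample_ok`/`sample_bad` inputs are constructed, not real host output.

```shell
#!/bin/sh
# Audit the three bridge-netfilter sysctls from the thread, read as
# "key = value" lines on stdin (the format `sysctl net.bridge` prints):
#     sysctl net.bridge | check_bridge_nf
# Returns 0 only when all three keys are present and set to 0.
check_bridge_nf() {
    data=$(cat)
    rc=0
    for key in net.bridge.bridge-nf-call-iptables \
               net.bridge.bridge-nf-call-ip6tables \
               net.bridge.bridge-nf-call-arptables; do
        # Empty value means the key is absent: the net.bridge.* keys only
        # exist once the bridge netfilter module is loaded, so a value set
        # from sysctl.conf before that point was never applied.
        val=$(printf '%s\n' "$data" | awk -v k="$key" '$1 == k { print $3 }')
        if [ -z "$val" ]; then
            echo "MISSING  $key (not present; module not loaded when sysctl ran?)"
            rc=1
        elif [ "$val" != "0" ]; then
            echo "DRIFT    $key = $val (expected 0; bridged traffic hits netfilter)"
            rc=1
        else
            echo "OK       $key = 0"
        fi
    done
    return $rc
}

# Constructed samples, not real host output.
sample_ok() {
    printf '%s\n' \
        'net.bridge.bridge-nf-call-ip6tables = 0' \
        'net.bridge.bridge-nf-call-iptables = 0' \
        'net.bridge.bridge-nf-call-arptables = 0'
}
sample_bad() {   # iptables hook re-enabled, ip6tables key missing entirely
    printf '%s\n' \
        'net.bridge.bridge-nf-call-arptables = 0' \
        'net.bridge.bridge-nf-call-iptables = 1'
}

# Demo when run directly; each call is wrapped in `if` so a failing
# check does not abort the script under `set -e`.
if sample_ok | check_bridge_nf; then echo "sample_ok: bridge netfilter disabled"; fi
if sample_bad | check_bridge_nf; then :; else echo "sample_bad: needs attention"; fi
```

On a live host, run it after the bridge is up (or from a cron/timer) so that a later module load or reset of the keys is caught rather than assumed.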