Fedora 19/20: Fix loading of sysctl parameters (net.bridge.bridge-nf-call-*) for network bridge

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


On 25.08.2013 11:11, Mateusz Marzantowicz wrote:

Subject: Fedora 19: FirewallD and network bridge
https://lists.fedoraproject.org/pipermail/users/2013-August/440142.html

> On 24.08.2013 11:16, Anthony Messina wrote:
> > On Friday, August 23, 2013 05:24:02 PM Mateusz Marzantowicz wrote:
> >> I'd like to configure FirewallD to protect qemu/kvm host and maybe
> >> guests but the second one is not so important for me because each
guest
> >> has it's own firewall.
> >>
> >> What I don't understand is how FirewallD works with network bridges.
> >> Currently, I have bridge (br0) in trusted zone to allow as much
traffic
> >> as possible, and p3p1 (which is NIC connected to switch) in public
zone.
> >> When I put bridge in public zone I cut off networking from guests.
> >>
> >> My question is, should I change rules on bridge or p3p1 and what is
the
> >> correlation between them? What should I configure to pass networking
> >> traffic to guests but protect all ports on host system?
> >
> > Take a look at
> >
> > http://wiki.libvirt.org/page/Networking#Fedora.2FRHEL_Bridging
> > https://bugzilla.redhat.com/show_bug.cgi?id=512206
> >
> > I believe the default now is to set the following to disable
netfiltering
> > traffic for the bridge:
> >
> > sysctl
> >  net.bridge.bridge-nf-call-ip6tables = 0
> >  net.bridge.bridge-nf-call-iptables = 0
> >  net.bridge.bridge-nf-call-arptables = 0
> >
> > Then your firewall only needs to consider p3p1.  The hosts on the VM
side of
> > the bridge will need their own firewalls.  -A
>
> Thanks, now I understand what is going on there but I've encountered
> another problem. I've net.* entries in /etc/sysctl.conf that you
> mentioned above but they're not applied on system startup (or they're
> changes later by something - maybe firewalld?). I have to run sysctl
> manually.
>
> Mateusz Marzantowicz

Hi, I had the same problem but was able to resolve it using the
info in this bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=634736

Either of the methods in Comment 12 (force early load of bridge module) and
in Comments 19+23 (udev rule to reload the bridge-specific parameters
upon loading the bridge kernel module) works for me.

- Fredy Neeser

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux