On Wed, Jan 09, 2019 at 09:57:36PM -0500, Laine Stump wrote:
> From: Laine Stump <laine@xxxxxxxxxx>

[..]

> diff --git a/src/network/libvirt.zone b/src/network/libvirt.zone
> new file mode 100644
> index 0000000000..1750ba2f06
> --- /dev/null
> +++ b/src/network/libvirt.zone
> @@ -0,0 +1,14 @@
> +<?xml version="1.0" encoding="utf-8"?>
> +<zone target="ACCEPT">
> + <short>libvirt</short>
> + <description>The default policy of "ACCEPT" allows all packets to/from interfaces in the zone to be forwarded, while the (*low priority*) reject rule blocks any traffic destined for the host, except those services explicitly listed (that list can be modified as required by the local admin). This zone is intended to be used only by libvirt virtual networks - libvirt will add the bridge devices for all new virtual networks to this zone by default.</description>
> +
> +<rule priority='127'>

The valid priority range is [-32768, 32767]. You may want to change this
to 32767 to make sure it's the lowest precedence possible. Although,
since libvirt completely controls this zone it won't matter unless
libvirt or the user adds other rich rules.

> + <reject/>
> +</rule>
> +<service name='dhcp'/>
> +<service name='dhcpv6'/>
> +<service name='dns'/>
> +<service name='ssh'/>
> +<service name='tftp'/>
> +</zone>
> --
> 2.20.1
>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
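Review bot: The service allow-list in this hunk opens ssh (and tftp) to every interface placed in the zone, and the description states that libvirt adds the bridge of every new virtual network to this zone by default, so any guest on a libvirt network can reach the host's sshd out of the box; since the description already notes that the list "can be modified as required by the local admin", consider either dropping `<service name='ssh'/>` from the shipped default or stating in the `<description>` why it is included, so that the exposure is a documented choice rather than an implicit one. The "(*low priority*)" wording in the description should also be kept in step with whatever value the `<rule priority='...'>` attribute ends up with, so the comment and the rule do not disagree.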