On Sat, Jan 25, 2020 at 04:52:40PM +0100, Thomas Luening wrote:
> Hello @ all
>
> The libvirt-daemon compromises the packet-filtering rules at daemon startup,
> before any VM is started. To prevent this, I first created a hook script
> which deletes existing rules, but apparently these rules are set after the
> hook. Removing the defined networks was no solution either. Worst of all,
> a service restart of the daemon may even completely neutralize the firewall.

Can you elaborate on which rules you think are compromising the firewall?

Libvirt will set up rules associated with virtual networks that are defined
in libvirtd (i.e. the virbr0 device and similar). By default these rules are
intended to set up outbound NAT access for things connected to that bridge
device only. The only inbound rules allowed are for established NAT
connections, and for access to the DHCP/DNS dnsmasq service from the bridge
device. This shouldn't compromise/neutralize the host firewall.

> Is there a solution to prevent this undesirable behavior? No matter how, by
> whom, or with what network configuration a VM is started, the daemon must
> not compromise the firewall by altering it. The firewall is untouchable and
> taboo.

Assuming you're talking about the default network rules

  virsh net-destroy default

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
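As an added example (not part of the thread and not libvirt's own code), the script below audits iptables-save output against the rule categories Daniel lists: outbound NAT for the bridge subnet, established-connection return traffic, and DHCP/DNS access to dnsmasq from the bridge, with anything else touching the bridge reported as "unexpected" for review. The bridge name, subnet and sample rules are constructed assumptions approximating the default network, not captured from a real host.

```python
import re

# Constructed sample in iptables-save format, approximating the rules libvirt
# adds for the "default" network, plus two rules libvirt does not add: an
# SSH rule on eth0 (unrelated, ignored) and one on virbr0 (must be flagged).
SAMPLE = """\
*filter
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
"""

def classify(table, rule, bridge, subnet):
    """Name the category a rule falls into, or None if it is unrelated."""
    tokens = rule.split()
    if bridge not in tokens and subnet not in tokens:
        return None
    chain, target = tokens[1], tokens[-1]
    if table == "nat" and chain == "POSTROUTING" and target == "MASQUERADE":
        return "nat-masquerade"            # outbound NAT for the guest subnet
    if chain == "INPUT" and f"-i {bridge}" in rule and re.search(r"--dport (53|67) -j ACCEPT$", rule):
        return "dnsmasq-dhcp-dns"          # guests reaching the host's dnsmasq
    if chain == "FORWARD" and "-j REJECT" in rule:
        return "reject-other-traffic"      # libvirt's catch-all rejects
    if chain == "FORWARD" and "RELATED,ESTABLISHED" in rule and target == "ACCEPT":
        return "established-return"        # replies to NATed connections
    if chain == "FORWARD" and f"-i {bridge}" in rule and target == "ACCEPT":
        return "guest-outbound"            # guest traffic leaving the bridge
    return "unexpected"                    # touches the bridge, fits nothing above

def audit(text, bridge="virbr0", subnet="192.168.122.0/24"):
    """Group every rule touching the bridge or its subnet by category."""
    report, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            category = classify(table, line, bridge, subnet)
            if category:
                report.setdefault(category, []).append(line)
    return report
```

On a live host, feed it the output of `iptables-save` and inspect the "unexpected" bucket; rules libvirt adds for a second network would need its bridge and subnet passed in.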