On Fri, Aug 30, 2024 at 11:47:15AM +0200, Kai wrote:
> Hello,
>
> I'm trying to set up an nwfilter ruleset, where the client should only be
> able to answer incoming requests and pings. The outbound traffic (LAN and
> Internet) shouldn't be working.
>
> I've got the rules as mentioned below (I moved all filterref inside for
> debugging):
>
> <filter name='fwrule-test0' chain='root' priority='-700'>
>   <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
>   <rule action='accept' direction='out' priority='100'>
>     <ip protocol='udp' srcportstart='68' dstportstart='67'/>
>   </rule>
>   <rule action='accept' direction='in' priority='101'>
>     <ip protocol='udp' srcportstart='67' dstportstart='68'/>
>   </rule>
> snip
> </filter>
>
> My expectation for DHCP was ports 67 <-> 68 to be open as in the nwfilter
> 'allow-dhcp'.
> Am I missing something here?

You've got a subtle difference - the 'allow-dhcp' filter is adding rules to
the 'ipv4' chain, while you're adding rules to the 'root' chain, which might
make a difference.

Rather than duplicating rules for port 67/68, you could just reference it:

  <filterref filter='allow-dhcp'/>

With regards,
Daniel
-- 
|: https://berrange.com         -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org            -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
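An added example, not part of the thread, of Kai's filter reworked along the lines Daniel suggests: the hand-written port 67/68 rules are replaced by a reference to the built-in 'allow-dhcp' filter (which carries its own chain='ipv4' rules), and stateful rules express the stated goal of answering incoming requests and pings while initiating nothing. The 'allow-arp' reference, the priorities and the state-based accept/drop rules are this example's own choices, not something the thread specifies.

```xml
<!-- Added example, not from the thread. DHCP is delegated to the built-in
     'allow-dhcp' filter instead of being duplicated in the root chain; the
     stateful rules below are this example's own assumption for "answer
     incoming requests and pings, initiate nothing". -->
<filter name='fwrule-test0' chain='root'>
  <!-- Built-in filters: DHCP client traffic and ARP, so the guest can obtain
       an address and be reachable on the LAN at all. -->
  <filterref filter='allow-dhcp'/>
  <filterref filter='allow-arp'/>

  <!-- Traffic arriving at the guest may open a new connection or continue an
       existing one: incoming TCP/UDP requests and ICMP echo requests. -->
  <rule action='accept' direction='in' priority='500'>
    <all state='NEW,ESTABLISHED'/>
  </rule>

  <!-- Packets leaving the guest are accepted only when they belong to a
       connection that was opened from outside (replies, echo replies). -->
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>

  <!-- Everything else the guest tries to send (LAN or Internet) is dropped. -->
  <rule action='drop' direction='out' priority='1000'>
    <all/>
  </rule>
</filter>
```

After `virsh nwfilter-define fwrule-test0.xml`, `virsh nwfilter-dumpxml allow-dhcp` shows the chain='ipv4' attribute Daniel refers to, which is what the original root-chain rules did not have.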