On Sat, Jan 25, 2020 at 04:52:40PM +0100, Thomas Luening wrote:
> Hello @ all
> The libvirt daemon compromises the packet-filtering rules at daemon startup,
> before any VM is started. To prevent this, I first created a hook script
> which deletes existing rules, but apparently these rules are set after the
> hook. Removing the defined networks was no solution either. Worst of all,
> a service restart of the daemon may even completely neutralize the firewall.
Can you elaborate on which rules you think are compromising the firewall?
Libvirt will setup rules associated with virtual networks that are defined
in libvirtd (ie the virbr0 device and similar). By default these rules
are intended to setup outbound NAT access for things connected to that
bridge device only. The only inbound rules allowed are for established
NAT connections, and for access to the DHCP/DNS dnsmasq service from the
bridge device. This shouldn't compromise/neutralize the host firewall.
> Is there a solution to prevent this undesirable behavior? No matter how,
> by whom, or with what network configuration a VM is started, the daemon
> must not compromise the firewall by altering the rules. The firewall is
> untouchable and taboo.
Assuming you're talking about the default network rules:

  virsh net-destroy default
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
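A way to check Daniel's claim on a given host, as an added example that is not part of this thread or of libvirt itself: dump the running ruleset with `iptables-save` and list every rule libvirt appended to its own filter chains that is not scoped to a `virbr*` interface with `-i` or `-o`. The script assumes the chain names libvirt uses for its filter-table rules (`LIBVIRT_INP`, `LIBVIRT_OUT`, `LIBVIRT_FWO`, `LIBVIRT_FWI`, `LIBVIRT_FWX`); the ruleset below is constructed to resemble a default-network host, with one deliberately planted unscoped rule (the `--dport 22` line) so the audit has something to find.

```shell
#!/bin/sh
# Audit an iptables-save dump for libvirt filter rules that reach beyond
# the virtual-network bridge. Added example; chain names are an assumption
# about libvirt's layout, and the sample ruleset below is constructed.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_INP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
'
# The final LIBVIRT_INP rule above is planted for the demonstration: it is
# not something libvirt generates, and it is exactly what the audit flags.

# Read an iptables-save dump on stdin; print each filter-table rule appended
# to a LIBVIRT_* chain that does not name a virbr* interface via -i or -o.
unscoped_libvirt_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && $1 == "-A" && $2 ~ /^LIBVIRT_/ {
            scoped = 0
            for (i = 3; i <= NF; i++)
                if (($i == "-i" || $i == "-o") && $(i + 1) ~ /^virbr[0-9]+$/)
                    scoped = 1
            if (!scoped) print
        }
    '
}

# Number of unscoped rules in the constructed sample (expected: 1).
count_unscoped_in_sample() {
    printf '%s' "$SAMPLE_RULES" | unscoped_libvirt_rules | wc -l | tr -d ' '
}

# Stand-alone run: show what the audit flags in the sample.
printf '%s' "$SAMPLE_RULES" | unscoped_libvirt_rules
```

On a real host, `iptables-save | unscoped_libvirt_rules` does the same audit against the live ruleset; an empty result means every rule libvirt added to its filter chains is confined to bridge traffic, which is the behaviour Daniel describes. The jump rules libvirt inserts into the built-in INPUT, FORWARD and OUTPUT chains are deliberately not flagged, since they only hand traffic to the scoped chains. To keep the rules from coming back at all, `virsh net-destroy default` followed by `virsh net-autostart default --disable` stops the default network and prevents it from starting with the daemon.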