Could *somebody* shed some light on how the firewall is supposed to
work? I haven't even managed to get trivial firewall rules to work. As
mentioned, the examples in the documentation generate completely
nonsensical rulesets, and if I try writing my own, they make even less
sense.
For example:
<filter name='test-eth0' chain='root'>
  <rule action='drop' direction='in' priority='900'>
    <all state='NEW'/>
  </rule>
</filter>
Generates the following iptables rules:
https://up.tao.at/u/DE7E2638.txt
...and will not filter anything.
<filter name='test-eth0' chain='root'>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='192.168.17.127' dstportstart='22'/>
  </rule>
  <rule action='drop' direction='in' priority='900'>
    <all/>
  </rule>
</filter>
Will filter port 22 as well. The generated iptables rules are as
follows:
https://up.tao.at/u/423CFFE9.txt
The *input* rules have the *source* address set as *destination*. Is
this a bug in libvirt/iptables?
--
Kind regards, / Best Regards,
Sven SCHWEDAS
System Administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas(a)tao.at | +43 (0)680 301 7167
http://software.tao.at
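One thing worth checking before looking at the generated iptables output is the order in which libvirt will evaluate the rules in the XML itself. The script below is an added example (it is not part of the post above and not libvirt code): it parses a `<filter>` element like the ones quoted in the post, lists the rules in evaluation order, and flags any rule that can never match because a bare `<all/>` catch-all rule in the same direction sorts ahead of it. It assumes what the libvirt nwfilter documentation states: rules are evaluated in ascending priority value, and a rule with no `priority` attribute gets 500. The two sample filters embedded in it are constructed (the second is the post's accept/drop filter with the drop priority changed to 100 so that the accept rule becomes unreachable). The check reads only the XML; it says nothing about the iptables rules libvirt derives from it.

```python
"""Evaluation-order and shadowing check for libvirt nwfilter <filter> XML.

Added example, not libvirt code. Assumptions (per the libvirt nwfilter
documentation): rules are evaluated in ascending priority value, and a
rule without a priority attribute is assigned 500.
"""
import xml.etree.ElementTree as ET

DEFAULT_PRIORITY = 500  # libvirt's default when the attribute is omitted

# Constructed sample: the accept-then-drop filter quoted in the post.
SAMPLE_FILTER = """\
<filter name='test-eth0' chain='root'>
  <rule action='accept' direction='in' priority='500'>
    <tcp srcipaddr='192.168.17.127' dstportstart='22'/>
  </rule>
  <rule action='drop' direction='in' priority='900'>
    <all/>
  </rule>
</filter>
"""

# Constructed variant: same rules, but the catch-all drop now sorts first.
SHADOWED_FILTER = SAMPLE_FILTER.replace("priority='900'", "priority='100'")


def parse_rules(filter_xml):
    """Return the <rule> children of a <filter> as dicts, in evaluation order."""
    root = ET.fromstring(filter_xml)
    if root.tag != "filter":
        raise ValueError("expected <filter>, got <%s>" % root.tag)
    rules = []
    for position, rule in enumerate(root.findall("rule")):
        direction = rule.get("direction")
        if direction not in ("in", "out", "inout"):
            raise ValueError("rule %d: direction must be in, out or inout" % position)
        rules.append({
            "position": position,  # document order, kept for reporting
            "action": rule.get("action"),
            "direction": direction,
            "priority": int(rule.get("priority", DEFAULT_PRIORITY)),
            # one (tag, attributes) pair per protocol match element, e.g. ("tcp", {...})
            "matches": [(child.tag, dict(child.attrib)) for child in rule],
        })
    rules.sort(key=lambda r: r["priority"])  # stable sort: ties keep document order
    return rules


def is_catch_all(rule):
    """A bare <all/> with no attribute (no state, no address) matches every packet."""
    return any(tag == "all" and not attrs for tag, attrs in rule["matches"])


def traffic_directions(direction):
    """Set of concrete traffic directions a rule's direction attribute covers."""
    return {"in", "out"} if direction == "inout" else {direction}


def shadowed_rules(rules):
    """Rules that can never match because an earlier catch-all rule already
    decides every packet travelling in their direction(s)."""
    decided = set()
    shadowed = []
    for rule in rules:
        dirs = traffic_directions(rule["direction"])
        if dirs <= decided:
            shadowed.append(rule)
            continue
        if is_catch_all(rule):
            decided |= dirs
    return shadowed


def describe(rule):
    """One-line summary of a rule, attributes sorted for stable output."""
    parts = []
    for tag, attrs in rule["matches"]:
        if attrs:
            attr_text = " ".join("%s=%s" % item for item in sorted(attrs.items()))
            parts.append("<%s %s/>" % (tag, attr_text))
        else:
            parts.append("<%s/>" % tag)
    return "priority=%d %s %s %s" % (
        rule["priority"], rule["direction"], rule["action"], " ".join(parts))


def check_filter(filter_xml):
    """Return (rule descriptions in evaluation order, descriptions of shadowed rules)."""
    rules = parse_rules(filter_xml)
    return [describe(r) for r in rules], [describe(r) for r in shadowed_rules(rules)]


if __name__ == "__main__":
    for name, xml_text in (("sample", SAMPLE_FILTER), ("shadowed", SHADOWED_FILTER)):
        order, shadowed = check_filter(xml_text)
        print("%s: evaluation order" % name)
        for line in order:
            print("  " + line)
        for line in shadowed:
            print("  WARNING unreachable: " + line)
```

Note that `<all state='NEW'/>` from the post's first filter is not treated as a catch-all here, because the state attribute restricts which packets it matches; only an attribute-less `<all/>` is.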