Could *somebody* shed some light on how the firewall is supposed to work? I haven't even managed to get trivial firewall rules to work. As mentioned, the examples in the documentation generate completely nonsensical rulesets, and if I try writing my own, they make even less sense. For example:
<filter name='test-eth0' chain='root'> <rule action='drop' direction='in' priority='900'> <all state='NEW'/> </rule> </filter>
Generates the following iptables rules: https://up.tao.at/u/DE7E2638.txt ...and will not filter anything.
<filter name='test-eth0' chain='root'> <rule action='accept' direction='in' priority='500'> <tcp srcipaddr='192.168.17.127' dstportstart='22'/> </rule> <rule action='drop' direction='in' priority='900'> <all/> </rule> </filter>
Will filter port 22 as well. The generated iptables rules are as following: https://up.tao.at/u/423CFFE9.txt The *input* rules have the *source* address set as *destination*. Is this a bug in libvirt/iptables? -- Mit freundlichen Grüßen, / Best Regards, Sven SCHWEDAS Systemadministrator TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167 http://software.tao.at