
On Fri, Aug 30, 2024 at 11:47:15AM +0200, Kai wrote:
Hello,
I'm trying to set up a nwfilter ruleset where the client should only be able to answer incoming requests and pings. Outbound traffic (LAN and Internet) shouldn't work.
I've got the rules as mentioned below (I moved all filterref inside for debugging):

<filter name='fwrule-test0' chain='root' priority='-700'>
  <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
snip
</filter>
My expectation for DHCP was that ports 67 <-> 68 would be open, as in the nwfilter 'allow-dhcp'. Am I missing something here?
You've got a subtle difference - the 'allow-dhcp' filter is adding rules to the 'ipv4' chain, while you're adding rules to the 'root' chain, which might make a difference.

Rather than duplicating rules for port 67/68, you could just reference it:

<filterref filter='allow-dhcp'/>

With regards,
Daniel

--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
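As an added example (not from either message in this thread), here is one way to write the filter in the 'ipv4' chain and reference 'allow-dhcp' instead of copying its port 67/68 rules, while keeping the stated goal of answering inbound requests and pings but dropping guest-originated traffic. It assumes libvirt's iptables backend so that the 'state' attribute (connection tracking) is honoured, and the rule priorities chosen are arbitrary but ordered so the final drop comes last.

```xml
<filter name='fwrule-test0' chain='ipv4' priority='-700'>
  <!-- DHCP client traffic: reuse the predefined filter, which already
       lives in the ipv4 chain, instead of re-creating its 67/68 rules -->
  <filterref filter='allow-dhcp'/>

  <!-- Inbound ICMP echo request and the guest's echo reply -->
  <rule action='accept' direction='in' priority='100'>
    <icmp type='8'/>
  </rule>
  <rule action='accept' direction='out' priority='101'>
    <icmp type='0'/>
  </rule>

  <!-- Connections initiated towards the guest (assumption: connection
       tracking is available, i.e. the iptables backend is in use) -->
  <rule action='accept' direction='in' priority='200'>
    <ip state='NEW,ESTABLISHED,RELATED'/>
  </rule>
  <!-- Replies the guest sends belong to those tracked connections -->
  <rule action='accept' direction='out' priority='201'>
    <ip state='ESTABLISHED,RELATED'/>
  </rule>

  <!-- Everything else the guest originates (LAN or Internet) is dropped;
       a high priority number keeps this rule after the accepts above -->
  <rule action='drop' direction='out' priority='900'>
    <all/>
  </rule>
</filter>
```

After `virsh nwfilter-define` on this file, `virsh nwfilter-dumpxml fwrule-test0` shows the expanded rules, which is the quickest way to confirm they landed in the chain you expect.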