
Okay, some more fiddling: If I try the second filterset from the second example from the documentation ( http://libvirt.org/formatnwfilter.html#nwfwriteexample2nd ), the resulting firewall rules make even less sense. To quote, what it should do:
- opens only TCP ports 22 and 80 of a VM's interface
- allows the VM to send ping traffic from an interface but not let the VM be pinged on the interface
- allows the VM to do DNS lookups (UDP towards port 53)
- enables an ftp server (in active mode) to be run inside the VM

What it does:

- Opens all incoming ports
- Allows the VM to be pinged
- Blocks all outgoing traffic (except ICMP, but I suspect that's only because ICMP filtering does not work at all, see above)
- Prevents an ftp server from running in active mode

This is bullshit. How do I get the nwfilter firewall to run properly?

--
Mit freundlichen Grüßen, / Best Regards,

Sven SCHWEDAS
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas@tao.at | +43 (0)680 301 7167
http://software.tao.at