
Hello,

I'm trying to set up a nwfilter ruleset, where the client only should be able to answer to incoming requests and pings. The outbound traffic (LAN and Internet) shouldn't be working. I've got the rules as mentioned below (I moved all filterref inside for debugging):

<filter name='fwrule-test0' chain='root' priority='-700'>
  <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.6'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.9'/>
  </rule>
  <rule action='accept' direction='in' priority='250'>
    <all/>
  </rule>
  <rule action='accept' direction='inout' priority='300'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='inout' priority='301'>
    <icmp/>
  </rule>
  <rule action='accept' direction='out' priority='400'>
    <udp dstportstart='53'/>
  </rule>
  <rule action='accept' direction='inout' priority='400'>
    <mac protocolid='arp'/>
  </rule>
  <rule action='drop' direction='out' priority='800'>
    <all/>
  </rule>
</filter>

When the guest already has a proper IP address, this seems to work at first sight: the client can't talk to the internet anymore, but is reachable for TCP and UDP requests. However, I can't get DHCP working. I'm using the integrated dnsmasq service for DHCP. It works again when I remove the last DROP rule taking care of the rest.

I looked inside tcpdump / Wireshark for the corresponding interface (virbr4). With the enabled DHCP port rules I can see that DHCP requests go out to 255.255.255.255. I also activated dnsmasq logging for the virbr4 instance. Here, I don't get any DHCP logs. Without the last DROP rule, I can see clients getting an IP address.

I currently have no idea where to look "in between", as the dnsmasq is listening on virbr4. My expectation for DHCP was ports 67 <-> 68 to be open as in the nwfilter 'allow-dhcp'. Am I missing something here?

Thank you!
Kai

On Fri, Aug 30, 2024 at 11:47:15AM +0200, Kai wrote:
Hello,
I'm trying to set up a nwfilter ruleset, where the client only should be able to answer to incoming requests and pings. The outbound traffic (LAN and Internet) shouldn't be working.
I've got the rules as mentioned below (I moved all filterref inside for debugging):

<filter name='fwrule-test0' chain='root' priority='-700'>
  <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
snip
</filter>

My expectation for DHCP was ports 67 <-> 68 to be open as in the nwfilter 'allow-dhcp'. Am I missing something here?
You've got a subtle difference - the 'allow-dhcp' filter is adding rules to the 'ipv4' chain, while you're adding rules to the 'root' chain, which might make a difference.

Rather than duplicating rules for port 67/68, you could just reference it:

<filterref filter='allow-dhcp'/>

With regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
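As an added illustration of Daniel's suggestion (this is not code from the thread, nor one of libvirt's own filters): the same policy as fwrule-test0, with the hand-written port 67/68 rules replaced by a filterref to the built-in 'allow-dhcp' filter, so the DHCP rules land in the 'ipv4' chain exactly as that filter defines them, while the LAN exceptions, state, ICMP, DNS, ARP and the final outbound drop stay as Kai wrote them. The filter name 'fwrule-test1' is made up, and the uuid is left out on the assumption that libvirt generates one on define.

```xml
<!-- Added example, not from the thread: same intent as fwrule-test0, but DHCP
     is delegated to the built-in allow-dhcp filter (chain 'ipv4') via filterref.
     The filter name is invented; no uuid is given (assumed to be generated by libvirt). -->
<filter name='fwrule-test1' chain='root' priority='-700'>
  <!-- DHCP client traffic (68 -> 67 out, 67 -> 68 in), as allow-dhcp defines it -->
  <filterref filter='allow-dhcp'/>

  <!-- explicit outbound exceptions for the two LAN hosts from the original post -->
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.6'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip dstipaddr='10.16.136.9'/>
  </rule>

  <!-- anything may come in; the guest's replies are covered by the state rule -->
  <rule action='accept' direction='in' priority='250'>
    <all/>
  </rule>
  <rule action='accept' direction='inout' priority='300'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
  <rule action='accept' direction='inout' priority='301'>
    <icmp/>
  </rule>

  <!-- DNS lookups and ARP resolution remain allowed -->
  <rule action='accept' direction='out' priority='400'>
    <udp dstportstart='53'/>
  </rule>
  <rule action='accept' direction='inout' priority='400'>
    <mac protocolid='arp'/>
  </rule>

  <!-- default deny for everything else leaving the guest -->
  <rule action='drop' direction='out' priority='800'>
    <all/>
  </rule>
</filter>
```

Load it with `virsh nwfilter-define` on the file, and compare against `virsh nwfilter-dumpxml allow-dhcp`, whose `<filter>` element carries the chain='ipv4' attribute Daniel refers to, so you can see which chain each rule ends up in. Whether the root-chain drop at priority 800 still wins over the DHCP rules in the ipv4 chain is exactly the question the thread leaves open; this example only shows the referencing form, and the Wireshark/dnsmasq-log check Kai describes is still the way to confirm the lease exchange actually completes.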

I had the allow-dhcp rule included by filterref in previous tries. I tried to get an overview for testing into one file.

From what I understood in the documentation, the root chain takes every rule and includes the chains like IPv4 to it. So bringing it into root is not as efficient, because the IPv4 chain only concerns IPv4 packets, while the root chain takes every packet. Did I get this right?

Without the drop rule, I can track the flow in Wireshark:

0.0.0.0     -> 255.255.255.255  UDP 68->67  Discover
10.16.136.9 -> 255.255.255.255  UDP 67->68  Offer
0.0.0.0     -> 255.255.255.255  UDP 68->67  Request
10.16.136.9 -> 255.255.255.255  UDP 67->68  ACK

Couldn't see anything that shouldn't be captured by the 'allow-dhcp' rule.

On 30.08.24 at 12:20, Daniel P. Berrangé wrote:
On Fri, Aug 30, 2024 at 11:47:15AM +0200, Kai wrote:
Hello,
I'm trying to set up a nwfilter ruleset, where the client only should be able to answer to incoming requests and pings. The outbound traffic (LAN and Internet) shouldn't be working.
I've got the rules as mentioned below (I moved all filterref inside for debugging):

<filter name='fwrule-test0' chain='root' priority='-700'>
  <uuid>89daa6f3-0300-439d-bbba-4d298b4420f2</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
snip
</filter>

My expectation for DHCP was ports 67 <-> 68 to be open as in the nwfilter 'allow-dhcp'. Am I missing something here?

You've got a subtle difference - the 'allow-dhcp' filter is adding rules to the 'ipv4' chain, while you're adding rules to the 'root' chain, which might make a difference.

Rather than duplicating rules for port 67/68, you could just reference it:

<filterref filter='allow-dhcp'/>

With regards,
Daniel
participants (2): Daniel P. Berrangé, Kai