Can someone provide the recipes for firewalling libvirt guests? I see talk about it but no clear answers how to correctly implement it.
I would like to be able to enable the following typical scenarios:
1. Guest restricted to connecting to existing vpn (privateinternetaccess.com) established by PIA app on a given branch. No in or out connections to LAN resources. No connections to other guests.
2. Direct connection to WAN via gateway. Bypasses VPN. No connections to LAN. No connections to other guests.
3. Guest connection to resources provided by VM host only.
I know this is a big ask, but I've been reading posts here & elsewhere and it's a bit confusing.
Previously I had this kluged together through a series of iptables scripts but it was an awful hack and I'd like to do better this time.
This is on kubuntu 20.10 (firewalld 0.9.3, libvirt 7.6.0, QEMU 6.0.0), pretty close to stock setup.
I'm using --set-log-denied to see who is poking my system and for general debugging. I divert the resulting log to its own rotated log file to avoid cluttering other logs.

I note that a lot of entries are from my own LAN and are noisy broadcast discovery programs that are looking for printers and other devices. I don't want to open the port on my system, but I also don't want those packets cluttering my logs. Is there a way, apart from a direct rule, to just eat those packets with a silent DENY so they don't hit the log-deny rules?
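One way to do what the post above asks, as an added example that is not part of the thread: rich rules with a "drop" action land in the zone's deny chain, which firewalld evaluates before the final reject/drop that --set-log-denied logs, so matching packets are discarded without a log entry. The zone name (public), the discovery ports/multicast groups and the APPLY switch are assumptions of this script; it only prints the firewall-cmd invocations unless APPLY=1.

```shell
#!/bin/sh
# Silently drop noisy LAN discovery traffic before it reaches the zone's
# log-denied rule. ZONE is an assumption: confirm the LAN-facing interface's
# zone with `firewall-cmd --get-active-zones`.
ZONE="${ZONE:-public}"

# One firewalld rich rule per line (constructed list, not from the thread):
# mDNS, SSDP, WS-Discovery on their multicast groups; NetBIOS name/datagram
# service on their UDP ports. Rich-rule drops are evaluated before allow
# rules, so these ports must not also be needed as an allowed service.
silent_drop_rules() {
    cat <<'EOF'
rule family="ipv4" destination address="224.0.0.251" port port="5353" protocol="udp" drop
rule family="ipv4" destination address="239.255.255.250" port port="1900" protocol="udp" drop
rule family="ipv4" destination address="239.255.255.250" port port="3702" protocol="udp" drop
rule family="ipv4" port port="137" protocol="udp" drop
rule family="ipv4" port port="138" protocol="udp" drop
EOF
}

# Emit (and with APPLY=1 execute) the permanent firewall-cmd invocations for
# each rule, then the reload that makes them live.
install_silent_drops() {
    silent_drop_rules | while IFS= read -r rule; do
        cmd="firewall-cmd --permanent --zone=$ZONE --add-rich-rule='$rule'"
        echo "$cmd"
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd"
        fi
    done
    echo "firewall-cmd --reload"
    if [ "${APPLY:-0}" = "1" ]; then
        firewall-cmd --reload
    fi
}
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root; afterwards `firewall-cmd --zone=public --list-rich-rules` should show the five drop rules.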
Thanks for the informative replies. Apologies in advance, I'm more of a network user (cad/cam software developer) and not a network engineer. I hope this isn't a waste of your time.
First off, what I've read from various sources (libvirt blogs mostly) gives me the impression that libvirt networking has in effect pulled back from network configuration due to problematic conflicts with NetworkManager, etc. Thus, for example, the more advanced network editing features were removed from virt-manager. Which is too bad; it looks like a lot of work was going into that. Going forward it seems the guidance is to look to firewalld to tackle VM networking configuration / firewall issues. Is this correct?
Eric, I seem to be having a conceptual mental disconnect around firewalld zones, which seem to be a somewhat abstract concept vs. their implementation in traffic routing. I.e. I'm not clear on how to interface a libvirt VM with a zone. I'm confused about whether a zone is more of an abstraction that contains rules that affect iptables, etc. when interfaces are created, or does a zone create a network bridge device itself, for example?
Do the commands you outline create a bridge device named libvirtToVpn that I can simply set a VM NIC device to 'bridge' and the bridge name to 'libvirtToVpn'? Is there a place where I can read up on this? I re-read the firewalld documentation introduction sections again tonight and it's just not clear. Sorry, it's been a 15 hour work day so far today.
Tonight I didn't get far running the commands you suggested. The second line resulted in this:
# firewall-cmd --permanent --policy libvirtToVpn --priority -100
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --priority -100
I'm assuming priority is a feature in v.1.0.0? I don't mind upgrading if the code is stable. I'm looking for the shortest path to a solution, am open to early-adoption as long as it's guidance towards a mainstream solution. I wonder what cloud hosts are doing today on LTS platforms, network scripts like I had hacked together before?
Thanks for your help & apologies for my confusion.
I am new to Linux.
I am using RHEL 8.4 and firewalld 0.8.2.
I want to upgrade to the latest version 1.0.1
I downloaded the .tz file but don’t know what to do to install it to upgrade my RHEL 8.4 install of firewalld.
Can anyone give me a list of commands to install Firewalld 1.0.1, please?