On Thu, Jun 25, 2020 at 10:55:45PM +0800, Ed Greshko wrote:
On 2020-06-25 22:21, Eric Garver wrote:
> On Thu, Jun 25, 2020 at 08:02:33AM +0800, Ed Greshko wrote:
>> On 2020-06-24 22:34, Eric Garver wrote:
>>> On Thu, Jun 18, 2020 at 05:47:21AM +0800, Ed Greshko wrote:
>>>> On 2020-06-18 04:32, Eric Garver wrote:
>>>> Even that wouldn't explain why, with the middle system 3 interfaces
>>>> being 192.168.122.1/192.168.1.18/192.168.2.127 I can't ssh to 192.168.1.142
>>>> from 2.116 with the FW up.
>>> The 192.168.1.0/24 network wasn't shown in your diagram. If it's
>>> part of the "public" zone, then that makes sense. firewalld will block the
>>> forwarded traffic. The next firewalld feature release has a new feature to allow
>>> intra-zone forwarding.
>> Yes, I didn't put that network in the diagram since it seemed to me
>> irrelevant to the initial problem/question.
>> I can see how the new feature would affect an ssh from .2.116 to .1.142 since
>> both enp2s0 and wlp4s0 are in the public zone.
>> [egreshko@meimei ~]$ sudo firewall-cmd --get-active-zones
>> libvirt
>>   interfaces: virbr0
>> public
>>   interfaces: enp2s0 wlp4s0
>> But, the original problem I'm trying to resolve is ssh (or any traffic) from
>> .2.116 to .122.152 which would be between the public and libvirt zones.
> Right. And we already diagnosed that. libvirt's rules are dropping the
> packets, not firewalld.
>>> Seems like you have two issues here:
>>>   1) libvirt's iptables rules are blocking public --> VM traffic
>>>      - this must be addressed via libvirt
>> But, I get no log messages when I set --set-log-denied=all. Shouldn't
>> those be logged?
> No. Because firewalld is not the one dropping the packets here. libvirt
> is the one dropping. firewalld can't influence libvirt's rules.
> Sorry, I must be missing something. When you say "libvirt's rules"
> aren't they the rules of the libvirt zone?
> They can't be "adjusted" with the usual firewall-cmd commands?
There are two things:
1) the libvirt zone
   - these are managed through firewalld and visible in firewalld UIs
2) libvirt's iptables rules
   - these are completely separate and independent from firewalld
   - this is what's blocking the traffic to your VM
> Also, wouldn't one expect the rules to be the same for IPv4 and
> Hope the network diagram attachment
I don't recall what libvirt does for IPv6. But it's a different matter
because IPv6 likely is using NAT/masquerade.
> Configured on the router are
> Forward Port 22 from 18.104.22.168 to 192.168.122.152
> Static route pointing 192.168.122.0/24 to 192.168.1.18
> Static route pointing 2001:b030:112f:2::/64 to 2001:b030:112f::140e
> From a host with IPs of 22.214.171.124 and 2001:470:67:cce::5 this works.
> [egreshko@acer ~]$ ssh 2001:b030:112f:2::4
> Last login: Thu Jun 25 22:15:30 2020 from 2001:470:66:cce::2
> While this "hangs". (I think because ICMP may be blocked at some point. Too
> late in my day to check)
> [egreshko@acer ~]$ ssh 126.96.36.199
> ssh: connect to host 188.8.131.52 port 22: Connection timed out
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
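To make the distinction Eric draws between the firewalld "libvirt" zone and libvirt's own iptables rules concrete, here is an added example (editor's code, not from this thread, from firewalld or from libvirt). It walks one forwarded packet through an `iptables -S` dump in the order the kernel would and reports which chain decides its fate. The dump embedded in the script is constructed: it is shaped like a Fedora host running firewalld's iptables backend plus a libvirt NAT network on virbr0, using Ed's interface names and addresses. LIBVIRT_FWI/FWO/FWX and FORWARD_IN_ZONES/FWDI_public are the chain names those two tools really create, but the rules on any real host will differ, and the tracer understands only the handful of match options those chains use; anything else makes it raise rather than guess. libvirt's three jumps sit at the top of FORWARD, so a new connection arriving on enp2s0 for 192.168.122.152 hits the REJECT in LIBVIRT_FWI before any firewalld chain is consulted, which is why --set-log-denied=all has nothing to log. With firewalld's nftables backend (the Fedora default) firewalld's rules are not in the iptables dump at all, but the ordering is the same: libvirt's iptables-nft chains hook at priority 0 and firewalld's filter chains at priority 10.

```python
"""Trace a new (not yet conntracked) forwarded packet through an `iptables -S`
dump and report which chain, and whose, makes the final decision.
Added example, not code from the thread, firewalld or libvirt.  SAMPLE_RULES is a
constructed dump (see the text above); any match option it does not know raises."""
import shlex, sys
from ipaddress import ip_address, ip_network
SAMPLE_RULES = """\
-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public
-A FWDI_public -p icmp -j ACCEPT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
FIELD_OF = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst",       # option -> packet field
            "-p": "proto", "--dport": "dport", "--ctstate": "ctstate"}
IGNORED = {"-m", "--reject-with", "--comment", "--log-prefix"}       # take a value, never match

def parse_rules(text):
    """Return (policies, chains); chains maps a chain name to its rules in order."""
    policies, chains = {}, {}
    for line in text.splitlines():
        argv = shlex.split(line)
        if not argv or argv[0] == "-N":          # -N only declares; an empty chain is a no-op
            continue
        if argv[0] == "-P":
            policies[argv[1]] = argv[2]
            continue
        if argv[0] != "-A":
            raise ValueError("unsupported line: " + line)
        rule = {"text": line, "matches": [], "target": None, "goto": False}
        for opt, val in zip(argv[2::2], argv[3::2]):   # every option here takes one value
            if opt in ("-j", "-g"):
                rule["target"], rule["goto"] = val, opt == "-g"
            elif opt in FIELD_OF:
                rule["matches"].append((FIELD_OF[opt], val))
            elif opt not in IGNORED:
                raise ValueError("option %s not understood: %s" % (opt, line))
        chains.setdefault(argv[1], []).append(rule)
    return policies, chains

def rule_matches(rule, pkt):
    for field, want in rule["matches"]:
        if field in ("src", "dst"):
            hit = ip_address(pkt[field]) in ip_network(want, strict=False)
        elif field == "ctstate":
            hit = pkt["ctstate"] in want.split(",")
        else:
            hit = str(pkt.get(field)) == want
        if not hit:
            return False
    return True

def trace(chains, pkt, chain="FORWARD"):
    """Return (verdict, chain, rule text), or None when the chain falls through."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return target, chain, rule["text"]
        if target == "RETURN":
            return None
        if target in chains or rule["goto"]:     # user chain: -j comes back, -g does not
            result = trace(chains, pkt, target)
            if result or rule["goto"]:
                return result
    return None                                  # LOG etc. are non-terminating

def verdict_for(rules_text, pkt):
    policies, chains = parse_rules(rules_text)
    return trace(chains, pkt) or (policies.get("FORWARD", "ACCEPT"),
                                  "FORWARD", "(chain policy)")

def owner_of(chain):
    """libvirt's chains, firewalld's zone chains, or the builtin FORWARD chain."""
    if chain.startswith("LIBVIRT_"):
        return "libvirt"
    if chain.startswith(("FORWARD_", "FWDI_", "FWDO_")):
        return "firewalld"
    return "builtin"      # firewalld's iptables backend appends its top-level rules here

def packet(in_if, out_if, src, dst, proto="tcp", ctstate="NEW"):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst,  # constructed, not a capture
            "proto": proto, "dport": "22", "ctstate": ctstate}

if __name__ == "__main__":
    rules = SAMPLE_RULES if sys.stdin.isatty() else sys.stdin.read()
    pkt = packet("enp2s0", "virbr0", "192.168.2.116", "192.168.122.152")
    verdict, chain, text = verdict_for(rules, pkt)
    print(verdict, "by", owner_of(chain), "in", chain, "->", text)
```

Run it as is to see the constructed case, or pipe a real dump in with `sudo iptables -S | python3 trace_forward.py` (the file name is mine); when it complains about an option it does not know, add that option to FIELD_OF or IGNORED rather than letting it guess. On an nftables-backend host `nft list ruleset` shows libvirt's iptables-nft `ip filter` table next to firewalld's `inet firewalld` table, which is the quickest way to see that they are two independent rule sets. Because the rejecting rule belongs to libvirt, nothing in firewall-cmd, the libvirt zone included, reaches it; as I read libvirt's bridge driver, the network's `<forward mode='route'/>` drops the RELATED,ESTABLISHED restriction on inbound traffic and `mode='open'` adds no rules at all, so that is where the fix lives.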