On 2020-06-24 22:34, Eric Garver wrote:
On Thu, Jun 18, 2020 at 05:47:21AM +0800, Ed Greshko wrote:
> On 2020-06-18 04:32, Eric Garver wrote:
[..]
> Even that wouldn't explain why, with the middle system's 3 interfaces being
> 192.168.122.1/192.168.1.18/192.168.2.127, I can't ssh to 192.168.1.142 from 2.116
> with the FW up.
The 192.168.1.0/24 network wasn't shown in your diagram. If it's part of the
"public" zone, then that makes sense. firewalld will block the forwarded
traffic. The next firewalld feature release has a new feature to allow intra-zone
forwarding [1].
Yes, I didn't put that network in the diagram since it seemed to me irrelevant to the
initial problem/question.
I can see how the new feature would affect an ssh from .2.116 to .1.142 since enp2s0
and wlp4s0 are both in the public zone.
[egreshko@meimei ~]$ sudo firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: enp2s0 wlp4s0
But, the original problem I'm trying to resolve is ssh (or any traffic) from .2.116
to .122.152, which would be between the public and libvirt zones.
Is there a roadmap for the next release?
Seems like you have two issues here:
1) libvirt's iptables rules are blocking public --> VM traffic
- this must be addressed via libvirt
But, I get no log messages when I set --set-log-denied=all. Shouldn't those be logged?
And, why did this all work prior to 6/5?
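The zone reasoning in the exchange above, as an added example that is not part of the thread and not firewalld's or libvirt's code: it parses the `firewall-cmd --get-active-zones` output Ed posted and classifies the two paths he asks about. The modelled rule is the one Eric states: forwarded traffic between two interfaces bound to the same zone is blocked until that zone's intra-zone forwarding is switched on (the `--add-forward` zone option that a later firewalld release introduced; this is from memory, not from the thread). The cross-zone case (public to libvirt) is deliberately left undecided, since the thread attributes it to libvirt's own iptables rules rather than to zones. Which of enp2s0 and wlp4s0 carries which subnet is not stated, so interfaces are named directly instead of being derived from the IP addresses.

```python
# Added example, not code from the thread or from firewalld/libvirt.
# Models Eric's rule: same-zone forwarding is blocked unless the zone has
# intra-zone forwarding enabled; cross-zone paths are outside this model.

# Constructed copy of the `firewall-cmd --get-active-zones` output posted above.
ACTIVE_ZONES_OUTPUT = """\
libvirt
  interfaces: virbr0
public
  interfaces: enp2s0 wlp4s0
"""


def parse_active_zones(text):
    """Parse `firewall-cmd --get-active-zones` output into {zone: [interfaces]}.

    Zone names start at column 0; the indented `interfaces:` line lists the
    bound interfaces. Other indented lines (e.g. `sources:`) are ignored here.
    """
    zones = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":
            current = raw.strip()
            zones.setdefault(current, [])
        elif current is not None and raw.strip().startswith("interfaces:"):
            zones[current].extend(raw.split(":", 1)[1].split())
    return zones


def zone_of(zones, iface):
    """Return the zone an interface is bound to, or None if it is unbound."""
    for zone, ifaces in zones.items():
        if iface in ifaces:
            return zone
    return None


def forward_verdict(zones, ingress, egress, forward_enabled=()):
    """Classify forwarding from `ingress` to `egress` under the modelled rule.

    `forward_enabled` lists zones whose intra-zone forwarding is switched on
    (assumption: the `--add-forward` zone option of later firewalld releases).
    `allowed` is True/False for the same-zone case and None for the cross-zone
    case, which this model does not decide.
    """
    src, dst = zone_of(zones, ingress), zone_of(zones, egress)
    if src is None or dst is None:
        raise ValueError("interface not bound to an active zone")
    if src == dst:
        allowed = src in forward_enabled
        reason = ("intra-zone forwarding enabled on zone %s" % src if allowed
                  else "intra-zone forwarding not enabled on zone %s" % src)
        return {"zones": (src, dst), "allowed": allowed, "reason": reason}
    return {"zones": (src, dst), "allowed": None,
            "reason": "cross-zone path %s -> %s: not decided by this model" % (src, dst)}


if __name__ == "__main__":
    zones = parse_active_zones(ACTIVE_ZONES_OUTPUT)
    # .2.116 -> .1.142: both interfaces are in `public`.
    print(forward_verdict(zones, "enp2s0", "wlp4s0"))
    print(forward_verdict(zones, "enp2s0", "wlp4s0", forward_enabled={"public"}))
    # .2.116 -> .122.152: public -> libvirt, the case the thread pins on libvirt.
    print(forward_verdict(zones, "enp2s0", "virbr0"))
```

On a host whose firewalld already has the zone forwarding feature, `firewall-cmd --zone=public --query-forward` (again from memory, not from the thread) reports the real state of the flag that `forward_enabled` stands in for here; the cross-zone verdict is left as None on purpose, since zone membership alone does not settle it.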