On 2020-06-24 22:34, Eric Garver wrote:
On Thu, Jun 18, 2020 at 05:47:21AM +0800, Ed Greshko wrote:
On 2020-06-18 04:32, Eric Garver wrote:
[..]
Even that wouldn't explain why, with the
middle system 3 interfaces being
192.168.122.1/192.168.1.18/192.168.2.127 I can't ssh to
192.168.1.142 from 2.116 with the FW up.
The 192.168.1.0/24 network wasn't shown in your diagram. If it's
part of the "public" zone, then that makes sense. firewalld will
block the forwarded traffic. The next firewalld feature release
has a new feature to allow intra zone forwarding [1].
Yes, I didn't put that network in the diagram since it seemed to me
irrelevant to the initial problem/question.
I can see how the new feature would affect an ssh from .2.116 to
.1.142 since both enp2s0 and wlp4s0
are in the public zone.
[egreshko@meimei ~]$ sudo firewall-cmd --get-active-zones
libvirt
interfaces: virbr0
public
interfaces: enp2s0 wlp4s0
But, the original problem I'm trying to resolve is ssh (or any
traffic) from .2.116 to .122.152 which would
be between the public and libvirt zones.
[1]: https://firewalld.org/2020/04/intra-zone-forwarding
Is there a roadmap for the next release?
Seems like you have two issues here:
1) libvirt's iptables rules are blocking public --> VM traffic
- this must be addressed via libvirt
But, I get no log messages when I set --set-log-denied=all.
Shouldn't those be logged?
And, why did this all work prior to 6/5?
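The zone reasoning in Eric's reply above (forwarded traffic is judged by the zones of the ingress and egress interfaces, and intra-zone forwarding only arrives with the 0.9 feature he links) can be turned into a small checker. The following is an added example, not code from the thread or from firewalld; it parses the `firewall-cmd --get-active-zones` output Ed posted and classifies a flow as intra-zone or inter-zone. The interface-to-subnet assignment (enp2s0 on 192.168.1.0/24, wlp4s0 on 192.168.2.0/24, /24 prefixes) is an assumption, since the thread does not say which address sits on which interface; the `intra_zone_forward` parameter is a stand-in for the zone `forward` option of firewalld 0.9 and later.

```python
"""Classify a forwarded flow against firewalld zones.

Added example, not from the thread or from firewalld. It models the reasoning
in the reply: firewalld decides what to do with forwarded traffic from the zones
of the ingress and egress interfaces. Interface addressing is ASSUMED.
"""
import ipaddress
import re

# Constructed sample: the `firewall-cmd --get-active-zones` output quoted in the thread.
ACTIVE_ZONES_OUTPUT = """\
libvirt
  interfaces: virbr0
public
  interfaces: enp2s0 wlp4s0
"""

# ASSUMED: which /24 sits on which interface of the middle system.
INTERFACE_NETWORKS = {
    "virbr0": ipaddress.ip_network("192.168.122.0/24"),
    "enp2s0": ipaddress.ip_network("192.168.1.0/24"),
    "wlp4s0": ipaddress.ip_network("192.168.2.0/24"),
}


def parse_active_zones(text):
    """Return {interface: zone} from `firewall-cmd --get-active-zones` output.

    Only `interfaces:` lines are handled; `sources:` lines (zones bound to
    addresses rather than interfaces) are ignored here.
    """
    zone_of = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            current = line.strip()          # unindented line names the zone
            continue
        m = re.match(r"\s*interfaces:\s*(.*)", line)
        if m and current:
            for iface in m.group(1).split():
                zone_of[iface] = current
    return zone_of


def interface_for(ip):
    """Pick the directly connected interface for an address (ASSUMED subnets)."""
    addr = ipaddress.ip_address(ip)
    for iface, net in INTERFACE_NETWORKS.items():
        if addr in net:
            return iface
    raise ValueError(f"no directly connected interface for {ip}")


def classify_forward(src_ip, dst_ip, zone_of=None, intra_zone_forward=frozenset()):
    """Describe how firewalld's zone model treats a forwarded flow.

    intra_zone_forward: zones that have intra-zone forwarding enabled (the
    firewalld 0.9 `forward` zone option described in the linked post).
    Returns (kind, ingress_zone, egress_zone, verdict).
    """
    if zone_of is None:
        zone_of = parse_active_zones(ACTIVE_ZONES_OUTPUT)
    in_if, out_if = interface_for(src_ip), interface_for(dst_ip)
    in_zone, out_zone = zone_of[in_if], zone_of[out_if]
    if in_zone == out_zone:
        kind = "intra-zone"
        if in_zone in intra_zone_forward:
            verdict = "allowed"
        else:
            verdict = "blocked (forward not enabled for zone)"
    else:
        kind = "inter-zone"
        verdict = "not permitted by the zone model; needs a firewalld policy or rules outside firewalld (e.g. libvirt's)"
    return kind, in_zone, out_zone, verdict


if __name__ == "__main__":
    # The two flows discussed in the thread.
    for src, dst in (("192.168.2.116", "192.168.1.142"),
                     ("192.168.2.116", "192.168.122.152")):
        print(src, "->", dst, classify_forward(src, dst))
    # Same intra-zone flow once `forward` is enabled on the public zone.
    print(classify_forward("192.168.2.116", "192.168.1.142",
                           intra_zone_forward={"public"}))
```

On a host running firewalld 0.9.0 or later, the intra-zone case maps to `firewall-cmd --zone=public --add-forward` (add `--permanent` and `--reload` to persist it); the public-to-libvirt case is a different problem, which is why the reply splits it out. Note that this checker only models firewalld's zone decision; it says nothing about rules libvirt installs itself, nor about whether a given drop is logged.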