On 7/16/20 12:36 PM, Eric Garver wrote:
On Thu, Jul 16, 2020 at 10:48:11AM -0400, Gunnari Niels wrote:
>>> So what would be the recommended way to block traffic out of the vm but
>>> whitelist its connection with another machine on the LAN? It sounds
>>> like I need to be writing rules that belong to the forward chain, but
>>> there isn't a way to do that with firewalld yet. Is this when a direct
>>> rule would be appropriate? And to which zone should it apply?
>>
>> You must use a direct rule. Direct rules are "global" in the sense
>> that they aren't applied to a zone. Often they occur _before_ all
>> zone rules.
Thanks to your advice and some fighting with libvirt I was able to
achieve the samba whitelist with these direct rules:
# Whitelist samba to file server
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p udp -s 192.168.100.0/24 -d 192.168.2.2 --dport 137 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p udp -s 192.168.100.0/24 -d 192.168.2.2 --dport 138 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p tcp -s 192.168.100.0/24 -d 192.168.2.2 --dport 139 -j ACCEPT
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p tcp -s 192.168.100.0/24 -d 192.168.2.2 --dport 445 -j ACCEPT
# Reject all other traffic
sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -s 192.168.100.0/24 -j REJECT
These runtime rules will *insert* the rules at the top of the chain, so
they short-circuit the LIBVIRT_{FWX,FWI,FWO} chains.
My problem now is that if I add them as permanent to persist them and
reload, my direct rules end up *appended* to the bottom of the FORWARD
table despite my priority setting. I gather the priority settings are
*relative to each other*, and don't necessarily guarantee anything
about non-firewalld rules like the LIBVIRT chains. What ends up
happening is the LIBVIRT_X chains take precedence above mine. At the
bottom of LIBVIRT_FWO, it's configured to accept traffic from the net
that I reject with my last direct rule...so my rule gets ignored.
What's the right way to ensure that my rules get loaded with precedence
over the LIBVIRT ones? Is it expected behavior that a runtime applied
direct rule is inserted, but a persistent rule gets appended to the
bottom of the chain?
- GN
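An added check for the ordering problem described in the message above (example code written for this thread, not from the poster or from the firewalld or libvirt projects): it reads `iptables -S FORWARD` output and reports whether the rules you rely on are evaluated before the first jump into a `LIBVIRT_*` chain. The two listings inside the script are constructed to resemble the runtime and post-reload states the message describes, not captured from a real host. Depending on the firewalld version and backend, direct rules may appear in FORWARD itself or behind a jump to a firewalld-managed chain, so point the first pattern at whichever line represents them.

```shell
#!/bin/sh
# Added example: verify that rules matching WANT are evaluated before the first
# rule matching OTHER in the FORWARD chain, using `iptables -S FORWARD` text.
#
# On a live host you would run (not executed here):
#   iptables -S FORWARD | check_order '192.168.100.0/24' 'LIBVIRT_'
#
# check_order WANT_REGEX OTHER_REGEX
#   prints the positions of the matching rules and returns 0 when the last
#   WANT rule precedes the first OTHER rule, 1 otherwise (or if no WANT rule
#   exists at all).
check_order() {
    awk -v want="$1" -v other="$2" '
        /^-A / { n++ }                                   # count rule lines only
        /^-A / && $0 ~ want  { if (!want_first) want_first = n; want_last = n }
        /^-A / && $0 ~ other && !other_first { other_first = n }
        END {
            printf "rules matching %s: %s..%s; first rule matching %s: %s\n",
                want, (want_first ? want_first : "none"),
                (want_last ? want_last : "none"),
                other, (other_first ? other_first : "none")
            if (!want_first) exit 1
            if (other_first && want_last > other_first) exit 1
            exit 0
        }'
}

# Constructed listing modelled on the post-reload state from the thread: the
# libvirt jumps sit above the direct rules, so LIBVIRT_FWO can accept the VM
# subnet's traffic before the REJECT rule is ever reached.
AFTER_RELOAD='-P FORWARD ACCEPT
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -s 192.168.100.0/24 -d 192.168.2.2/32 -p udp -m udp --dport 137 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -d 192.168.2.2/32 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -j REJECT --reject-with icmp-port-unreachable'

# Constructed listing modelled on the runtime state, where the direct rules
# were inserted at the top of the chain and short-circuit the libvirt chains.
RUNTIME='-P FORWARD ACCEPT
-A FORWARD -s 192.168.100.0/24 -d 192.168.2.2/32 -p udp -m udp --dport 137 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -d 192.168.2.2/32 -p tcp -m tcp --dport 445 -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO'

# Demonstration over both constructed listings.
for listing in "$RUNTIME" "$AFTER_RELOAD"; do
    if printf '%s\n' "$listing" | check_order '192.168.100.0/24' 'LIBVIRT_'; then
        echo "OK: VM-subnet rules are evaluated before the libvirt chains"
    else
        echo "WARNING: libvirt chains are evaluated first; the REJECT rule can be shadowed"
    fi
done
```

Running this check after `firewall-cmd --reload` (and again after a libvirt restart, which re-adds its chains) is a cheap way to notice when the two tools have reordered each other's rules instead of discovering it from traffic that should have been rejected.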