Re: Setting up a restricted libvirt network with firewalld?

On 7/16/20 12:36 PM, Eric Garver wrote: Thanks to your advice and some fighting with libvirt I was able to achieve the samba whitelist with these direct rules: # Whitelist samba to file server sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p udp -s 192.168.100.0/24 -d 192.168.2.2 --dport 137 -j ACCEPT sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p udp -s 192.168.100.0/24 -d 192.168.2.2 --dport 138 -j ACCEPT sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p tcp -s 192.168.100.0/24 -d 192.168.2.2 --dport 139 -j ACCEPT sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p tcp -s 192.168.100.0/24 -d 192.168.2.2 --dport 445 -j ACCEPT # Reject all other traffic sudo firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -s 192.168.100.0/24 -j REJECT These runtime rules will *insert* the rules at the top of the chain, so they short-circuit the LIBVIRT_{FWX,FWI,FWO} chains. My problem now is that if I add them as permanent to persist them and reload, my direct rules end up *appended* to the bottom of the FORWARD table despite my priority setting. I gather the priority settings is *relative to eachother*, and doesn't necessarily guarantee anything about non-firewalld rules like the LIBVIRT chains. What ends up happening is the LIBVIRT_X chains take precedence above mine. At the bottom of LIBVIRT_FWO, its configured to accept traffic from the net that I reject with my last direct rule...so my rule gets ignored. What's the right way to ensure that my rules get loaded with precedence over the LIBVIRT ones? Is it expected behavior that a runtime applied direct rule is inserted, but a persistent rule gets appended to the bottom of the chain? - GN