Thanks for the informative replies. Apologies in advance, I'm more of a network user
(cad/cam software developer) and not a network engineer. I hope this isn't a waste of
your time.
First off, what I've read from various sources (libvirt blogs mostly) gives me
the impression that libvirt networking has in effect pulled back from network
configuration due to problematic conflicts with NetworkManager, etc. Thus for example the
more advanced network editing features were removed from virt-manager. Which is too bad,
it looks like a lot of work was going into that. Going forward it seems guidance is to
look to firewalld to tackle VM networking configuration / firewall issues. Is this
correct?
Eric, I seem to be having a conceptual mental disconnect around firewalld zones which seem
to be a somewhat abstract concept vs their implementation in traffic routing. I.e.
I'm not clear on how to interface a libvirt VM with a zone. I'm confused about
whether a zone is more of an abstraction that contains rules that affect iptables, etc.
when interfaces are created or does a zone create a network bridge device itself for
example?
Do the commands you outline create a bridge device named libvirtToVpn that I can simply
set a VM NIC device to 'bridge' and the bridge name to 'libvirtToVpn'? Is
there a place where I can read up on this? I re-read the firewalld documentation
introduction sections again tonight and it's just not clear. Sorry, it's been a 15 hour
work day so far today.
Tonight I didn't get far running the commands you suggested. The second line resulted
in this:
# firewall-cmd --permanent --policy libvirtToVpn --priority -100
usage: see firewall-cmd man page
firewall-cmd: error: unrecognized arguments: --priority -100
firewall-cmd --version
0.9.3
I'm assuming priority is a feature in v.1.0.0? I don't mind upgrading if the code
is stable. I'm looking for the shortest path to a solution, am open to early-adoption
as long as it's guidance towards a mainstream solution. I wonder what cloud hosts are
doing today on LTS platforms, network scripts like I had hacked together before?
Thanks for your help & apologies for my confusion.