Thomas Luening
2020-Jan-25 15:52 UTC
Prevent the firewall from being compromised through libvirtd
Hello @ all

The libvirt daemon compromises the packet-filtering rules at daemon startup, before any VM is started. To prevent this, I first created a hook script which deletes existing rules, but apparently these rules are set after the hook. Removing the defined networks was no solution either. Worst of all, a service restart of the daemon may even completely neutralize the firewall.

Is there a solution to prevent this undesirable behavior? No matter how, by whom, or with what network configuration a VM is started, the daemon must not compromise the firewall by altering it. The firewall is untouchable and taboo. What can I do to disable that?

Thank you! Best Regards
Tom

$ dpkg -l libvirt-daemon
||/ Name                      Version      Architecture Description
+++-=========================-============-============-=================================
ii  libvirt-daemon            5.0.0-4      amd64        Virtualization daemon

$ lsb_release -a
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
Daniel P. Berrangé
2020-Jan-27 09:42 UTC
Re: Prevent the firewall from being compromised through libvirtd
On Sat, Jan 25, 2020 at 04:52:40PM +0100, Thomas Luening wrote:
> Hello @ all
>
> The libvirt daemon compromises the packet-filtering rules at daemon startup,
> before any VM is started. To prevent this, I first created a hook script
> which deletes existing rules, but apparently these rules are set after the
> hook. Removing the defined networks was no solution either. Worst of all,
> a service restart of the daemon may even completely neutralize the firewall.

Can you elaborate on which rules you think are compromising the firewall?

Libvirt will set up rules associated with virtual networks that are defined in libvirtd (i.e. the virbr0 device and similar). By default these rules are intended to set up outbound NAT access for things connected to that bridge device only. The only inbound rules allowed are for established NAT connections, and for access to the DHCP/DNS dnsmasq service from the bridge device. This shouldn't compromise/neutralize the host firewall.

> Is there a solution to prevent this undesirable behavior? No matter how,
> by whom, or with what network configuration a VM is started, the daemon
> must not compromise the firewall by altering it. The firewall is
> untouchable and taboo.

Assuming you're talking about the default network rules:

  virsh net-destroy default

Regards,
Daniel

-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
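Editor's added example (not code from either poster or from the libvirt project): a way to answer Daniel's question "which rules do you think are compromising the firewall?" with data rather than impressions. It diffs two `iptables-save` dumps taken before and after a libvirtd restart, lists the rules that appeared, and flags any added rule that is not tied to the virtual network's bridge interface or its subnet. The two embedded dumps are constructed for illustration: the "before" side is a minimal default-drop host firewall, and the "after" side adds the rule set the libvirt default NAT network is commonly seen to produce for `virbr0` / `192.168.122.0/24`; their exact text and ordering are assumptions, not captured from the 5.0.0-4 package in question.

```shell
#!/bin/sh
# Added example: show what libvirtd actually changed in the packet filter.
# Real use (as root):
#   iptables-save > before.txt; systemctl restart libvirtd; iptables-save > after.txt
#   sh libvirt-fw-diff.sh before.txt after.txt
# Without arguments it runs against the constructed sample dumps below.

BRIDGE="${BRIDGE:-virbr0}"            # bridge of the libvirt network under test
SUBNET="${SUBNET:-192.168.122.0/24}"  # its IPv4 subnet (the default network's default)

# Constructed "before" dump (not from a real host): default-drop host firewall that
# allows only loopback, established/related traffic and SSH.
SAMPLE_BEFORE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed "after" dump: same host once libvirtd has started the "default" NAT
# network. The libvirt rules are the commonly seen default-network set, placed
# first as rules inserted with `iptables -I` would appear (assumption).
SAMPLE_AFTER='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT'

# Write one of the sample dumps to a temp file and print its path.
sample_file() {  # $1 = before | after
  f=$(mktemp)
  if [ "$1" = before ]; then printf '%s\n' "$SAMPLE_BEFORE" > "$f"
  else printf '%s\n' "$SAMPLE_AFTER" > "$f"; fi
  echo "$f"
}

# Rules (-A lines) present in the second dump but absent from the first.
# Chain policy lines and counters are ignored, so only rule text is compared.
added_rules() {  # $1 = before dump file, $2 = after dump file
  awk 'FILENAME == ARGV[1] { seen[$0] = 1; next }
       /^-A / && !($0 in seen)' "$1" "$2"
}

# Added rules that match neither the bridge interface nor its subnet. Anything
# printed here affects traffic the virtual network has no business touching.
# The trailing space in each pattern stops "virbr0" from matching "virbr01".
unscoped_rules() {  # $1 = before dump file, $2 = after dump file
  added_rules "$1" "$2" |
    grep -v -F -e "-i $BRIDGE " -e "-o $BRIDGE " -e "-s $SUBNET " -e "-d $SUBNET " || true
}

report() {  # $1 = before dump file, $2 = after dump file
  echo "Rules added by libvirtd:"
  added_rules "$1" "$2" | sed 's/^/  /'
  echo "Added rules not scoped to $BRIDGE or $SUBNET:"
  u=$(unscoped_rules "$1" "$2")
  if [ -z "$u" ]; then echo "  (none)"; else printf '%s\n' "$u" | sed 's/^/  /'; fi
}

if [ $# -eq 2 ]; then
  report "$1" "$2"
else
  b=$(sample_file before); a=$(sample_file after)
  report "$b" "$a"
  rm -f "$b" "$a"
fi
```

With the sample data every added rule is bound to `virbr0` or `192.168.122.0/24`, which is what Daniel describes: the host's own `INPUT`/`FORWARD` policies and pre-existing rules are untouched. Two things the diff will not tell you, and which are worth checking by hand on the real host: where in each chain the new rules landed relative to your own (an inserted `ACCEPT` ahead of your rules matters even when it is interface-scoped), and whether your firewall tooling flushes and reloads chains on restart, since that, rather than libvirtd, would be what removes the libvirt rules or yours.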