Displaying 20 results from an estimated 30000 matches similar to: "nwfilter example for security"
2017 May 08
3
Re: nwfilter and address of network ip address
On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote:
>On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
>> On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
>>
>> > Hi,
>> >
>> > I am running a webserver on the libvirt host and would like to add a
>> > nwfilter such that a VM can access that
2018 Mar 30
2
Re: Possible to edit/apply nwfilter at runtime?
On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote:
> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote:
>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>> the VM and have it work without rebooting the machine? Thus far, I've
2019 May 06
2
disable libvirt-nwfilter
Hi,
I want to disable the nwfilter functionality of libvirt.
It's surely nice for some people, nevertheless I don't want libvirt to
alter any netfilter rules, nor do I want the according functionality
even available.
I know about nwfilter-undefine, but what I'm looking for is an option to
globally disable this functionality at all. Some config flag or similar.
How can I achieve
2012 Nov 07
1
NWFilter and IPv6
Hi,
Libvirt's nwfilter ships a number of useful filter scripts by default, but
none to handle IPv6 traffic. Is there a particular reason for that, or is that
just because nobody has got around to that yet?
One interesting thing about dealing with IPv6 traffic is that hosts often have
several auto-configured addresses, usually at least one auto-configured
link-local address under
2018 Feb 16
3
Possible to edit/apply nwfilter at runtime?
I'm trying to determine if it's possible to edit/attach/apply nwfilter
rules at runtime? I.e., after a VM is already running, can I apply a
nwfilter to the VM and have it work without rebooting the machine? Thus
far, I've not come across a way to do so, but I thought I'd ask here
before I chase my tail around Google.
Thanks!
--
Andre Goree
-=-=-=-=-=-
Email - andre at
2017 May 07
3
Re: nwfilter and address of network ip address
On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
> Hi,
>
> I am running a webserver on the libvirt host and would like to add a
> nwfilter such that a VM can access that server. The corresponding iptables
> rule would look like this:
>
> iptables --append INPUT --in-interface virbr0 --destination 192.168.122.1
> --protocol tcp --dport 80
2018 Feb 16
1
Re: Possible to edit/apply nwfilter at runtime?
On 2018/02/16 12:12 pm, Daniel P. Berrangé wrote:
> On Fri, Feb 16, 2018 at 11:59:42AM -0500, Andre Goree wrote:
>> I'm trying to determine if it's possible to edit/attach/apply nwfilter rules
>> at runtime? I.e., after a VM is already running, can I apply a nwfilter to
>> the VM and have it work without rebooting the machine? Thus far, I've
2014 Mar 26
1
Recreating nwfilter rules without a restart
Let's say I have some iptables rules defined to restrict guest traffic.
If I restart the host's firewall 'service iptables restart', all the
guest-specific rules get blown away.
Is there a way to reapply all the guest firewall rules, without
restarting each individual guest?
It looks like if I edit a nwfilter with `virsh nwfilter-edit` it goes
and reapplies the rules to all the
2014 May 28
3
Re: nwfilter usage
On 05/27/2014 02:46 AM, Brian Rak wrote:
> Make sure you have:
>
> /proc/sys/net/bridge/bridge-nf-call-iptables = 1
That doesn't make sense. bridge-nf-call-iptables controls whether or not
traffic going across a Linux host bridge device will be sent through
iptables, but the rules created by nwfilter are applied to the "vnetX"
tap devices that connect the guest to the
2016 Feb 08
2
Re: Networking with qemu/kvm+libvirt
On 01/11/2016 3:05 pm, Laine Stump wrote:
> On 01/11/2016 02:25 PM, Andre Goree wrote:
>>
>> I have some questions regarding the way that networking is handled via
>> qemu/kvm+libvirt -- my apologies in advance if this is not the proper
>> mailing list for such a question.
>>
>>
>> I am trying to determine how exactly I can manipulate traffic from
2020 Nov 11
2
DNS forwarding for guest domains on isolated network
Hi @all,
I'm having trouble realizing my use case and hope somebody could help me.
# Use case
For a home lab I want to deploy several guest domains. These domains
must not have a direct or NAT connection to the internet or my LAN. They
should only be able to reach my LAN and the internet through a proxy.
# What I've done
I've created the following virtual switch in isolated
2018 Mar 29
1
nwfilter multiple IPs
I'm trying to apply a nwfilter rule for two networks on the same guest
interface, like so:
~ # virsh nwfilter-dumpxml 1081532-private-both
<filter name='1081532-private-both' chain='root'>
<uuid>16004b94-2b62-4568-9467-169908eb4040</uuid>
<rule action='accept' direction='in' priority='500'>
<ip
2020 Jan 01
2
Passing multiple addresses with masks to nwfilter
Hello,
I have a nwfilter that I'm using to ensure that libvirt domains can't spoof
IPv6 traffic. It looks like this:
<filter name='no-ipv6-spoofing' chain='ipv6-ip' priority='-710'>
<rule action='return' direction='out' priority='500'>
<ipv6 srcipaddr='$IPV6' srcipmask='$IPV6MASK'/>
</rule>
2013 Mar 25
1
Host modifications
Hello,
I test libvirt 0.9.12 on Debian.
I am disappointed by changes made on my host without any notice.
Examples:
- editing interfaces with virsh or virt-manager modifies my
/etc/network/interfaces. It's not clear at first glance that I can even
cut myself from the host when editing remotely. The initial file is not
even saved.
- starting default network (nat) adds rules in
2013 Apr 23
1
Lack of ebtables rules when using nwfilters
Hi
I am using libvirt (0.9.12) with openstack and xen. It looks like libvirt
is not creating ebtables rules against arp spoofing etc. Here are my
configs:
VM definition:
<domain type='xen'>
<uuid>d49b777f-32f1-4093-ae47-a12efd0efd2c</uuid>
<name>instance-00000168</name>
<memory>2097152</memory>
<os>
2018 May 17
1
libvirt and libvirt-daemon-xen: failing dependencies
Hi all,
I'm trying to install libvirt for xen on a brand new, minimal
installation of CentOS 7.5.1804. After installing the OS, I did a 'yum
update' and followed the basic how-tos at
https://wiki.centos.org/HowTos/Xen/Xen4QuickStart
and
https://wiki.centos.org/HowTos/Xen/Xen4QuickStart/Xen4Libvirt
From previous experience, I know that the above steps worked fine.
However,
2015 May 01
1
libvirt nwfilter
To take advantage of the filters, is it as simple as adding these couple
of lines in a guest's xml file like the example from
https://libvirt.org/formatnwfilter.html#nwfconcepts ?
<devices>
<interface type='bridge'>
<mac address='00:16:3e:5d:c7:9e'/>
<filterref filter='clean-traffic'>
<parameter name='IP'
2013 Jul 08
6
Getting nwfilter to work on Debian Wheezy
Hi,
I'm trying to configure nwfilter for KVM, but so far I haven't managed
to figure out a working configuration.
Network setup: The dom0 (Debian 7.1, kernel 3.2.46-1, libvirt 0.9.12) is
connected via eth0, part of the external subnet 192.168.17.0/24, and has
an additional subnet 192.168.128.160/28 routed to its main address
192.168.17.125.
The host's subnet is configured as bridge
2018 Dec 23
2
Upgrade to CentOS 7.6 with centos-xen-48 enabled
Hi all,
I'm unable to upgrade my Dom-0 from CentOS 7.5 to CentOS 7.6 with the sigvirt
centos-xen-48 repository enabled and Xen components enabled.
It breaks down to the fact that 7.6 has a newer version of libvirt
included (4.5), while the Xen repository's packages are built against 4.1
version of libvirt.
I also tried to enable the libvirt-latest repository, but that does not
2017 May 08
0
Re: nwfilter and address of network ip address
On Mon, May 08, 2017 at 11:30:46AM -0400, Nicolas Bock wrote:
> On Mon, May 08, 2017 at 03:35:19PM +0100, Daniel P. Berrange wrote:
> > On Sat, May 06, 2017 at 08:09:49PM -0400, Dan wrote:
> > > On Fri, May 5, 2017 at 4:29 PM, Nicolas Bock <nicolasbock@gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > I am running a webserver