similar to: C7 and firewalld and ethernet bridge

On 04/02/2016 05:20 PM, Laine Stump wrote: > You say they can talk among containers on the same host, and with their > own host (I guess you mean the virtual machine that is hosting the > containers), but not to containers on another host. Can the containers > communicate outside of the host at all? If not, perhaps the problem is > iptables rules for the bridge device the containers

--On Monday, March 21, 2016 08:57:59 AM -0700 Gordon Messmer <gordon.messmer at gmail.com> wrote: > On 03/20/2016 08:51 PM, Devin Reade wrote: >> In a CentOS 7 test HA cluster I'm building I want both traditional >> services running on the cluster and VMs running on both nodes > > On a purely subjective note: I think that's a bad design. One of the >

I'm looking for some information regarding the interaction of KVM, VLANs, firewalld, and the kernel's forwarding configuration. I would appreciate input especially from anyone already running a similar configuration in production. In short, I'm trying to figure out if a current configuration is inadvertently opening up traffic across network segments. On earlier versions of CentOS

The network-bridge script fails when setting a few sysctls which are only available if ebtables is present in the host kernel. Fix by ignoring the return value of the sysctl command. Signed-off-by: Avi Kivity <avi@qumranet.com> Index: xen/tools/examples/network-bridge =================================================================== --- xen/tools/examples/network-bridge (revision 991)

Being a fan of IPtables and dreading the eventual transition to Centos 7, I wondered if in C7's firewalld an interface can be assigned to a single zone or to multiple zones such as 'private' and 'trusted'. For example interface em1 having both trusted and public zones assigned to it. If multiple zones per interface are permitted presumably one can segregate traffic by IP range

Hi all, I order to reach maximum performance on my centos kvm hosts I have use these params: - On /etc/grub.conf: kernel /vmlinuz-2.6.18-164.11.1.el5 ro root=LABEL=/ elevator=deadline quiet - On sysctl.conf # Special network params net.core.rmem_default = 8388608 net.core.wmem_default = 8388608 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216

Hello! Recently,I¡¯m doing a security project based upon ipv6.I have built up a bridge to support a transparent firewall.(my system is Fedora Core 2,kernel 2.6.5).In this system ,the version of the iptables is 1.2.7,which does not support ipv6(I have tried it).Thus,I download a new version and test it. The iptables functions in bridge mode,but the ipv6 doesn't work well.In the

Yesterday I noticed that I was not able to ping one of our development servers so I logged in via VNC and ran the Firewalld GUI. To my surprise, except for the interface definition for public and trusted zones, nothing seemed to be configured. That is, none of the services were checked off that we want open at the firewall. Also, this server is a gateway and masquerading and forwarding appears

Greetings, all: OS: CentOS 6.4 x86_64 Kernel: 2.6.32-358.14.1 I could use some assistance with setting up pulse to load balance my dns servers. I've configured tcp and udp port 53 with the piranha gui, set up arptable rules on the real servers and added the virtual ip to the bond0 interface on the real servers, but I'm still having no luck in getting things going. A dig against the

On 1/30/19 10:05 PM, Simon Matter via CentOS wrote: > Did you look at Shorewall? IMHO that's what is best used in such > situations and it works since many years now. shorewall doesn't support nftables, which is largely the point of firewalld:? The Linux firewall system is currently undergoing yet another deprecation and migration from iptables to nftables. firewalld should

On Thu, 31 Jan 2019 at 13:13, mark <m.roth at 5-cent.us> wrote: > Gordon Messmer wrote: > > On 1/30/19 10:05 PM, Simon Matter via CentOS wrote: > > > >> Did you look at Shorewall? IMHO that's what is best used in such > >> situations and it works since many years now. > > > > shorewall doesn't support nftables, which is largely the point

On 10/26/18, Andrew Pearce <andrew at andew.org.uk> wrote: > On 2018-10-26 16:25, mark wrote: > I believe this should remove any ipv6 rules (rules and chains) > > ip6tables -F > ip6tables -X You might want to clear the other tables, too: for x in filter nat mangle raw security "" do ip6tables ${x:+-t $x} -F ip6tables ${x:+-t $x} -X done > You may need to

Hi List, Are you really using firewalld and network-manager on Centos 7 production servers or old way disabling network manager and using pure iptables like on C6? -- Eero

I have a tricky problem. I''m going to use Augeas, like here http://projects.puppetlabs.com/projects/1/wiki/Puppet_Augeas#/etc/sysctl.conf to maintain sysctl.conf. However, since iptables is already disabled, when I add more lines to sysctl.conf with augeas and run sysctl -p, the following lines (which are already there) cause a failure. # Disable netfilter on bridges.

I just installed a host with CentOS-7-x86_64-Minimal-1511.iso It seems that firewalld is not included in the minimal set. I wonder why? If I recall correctly CentOS-7-x86_64-Minimal-1503-01.iso did include it. And, this could be a very stupid question, am I running without a firewall or just without a way to control my firewall? Thanks Patrick

Hello, I'm just wondering why I can't manage my network interfaces through libvirt when the following kernel parameters are turned on: net.bridge.bridge-nf-call-ip6tables net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-arptables Is it a bug or by design? If the latter, could someone explain me premises of such decision? I'm aware of security implications of mixing

Hi, again, folks, I'm trying to convert a number of iptables rules to firewalld rich rules. I need to do this, because this is, in fact, a firewall, to protect access to servers with sensitive data. It will limit access to the servers behind it to a specific network, and nobody else, and allow only certain services through. What I've been trying to find is a script/program that

Hi, I met a problem when using bridge with netfilter. The kernel version 2.4.20, and the patch is bridge-nf-0.0.10-against-2.4.20.diff. Our firewall configuration is as follows, eth3,eth4,eth5,eth6 configured as a bridge with an IP address 10.0.0.1. The local net connect to the internet via the gateway 10.0.0.1 and SNAT is applied on the firewall. It worked but sometimes there are some

Working on a script, and to test, I need to shut down ip6tables temporarily. firewalld is running; is there any way to shut down *just* ip6tables? I tried installinf iptables-services, and did a systemctl stop ip6tables, and no joy. mark

I'm having a few issues with firewalld on a CentOS 7 install, in particular when using systemctl to start/check the status of the daemon: Checking the firewalld daemon status ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # systemctl status firewalld firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: failed