
Re: [opensuse-security] SuSEfirewall2 und libvirt/kvm



Hi Alexander,

On 15.06.2016 at 12:13, Alexander Bergmann wrote:
> Hi Christian,
> 
> I didn't fully understand your setup, so let me repeat what it looks
> like to me right now.
> 
> VM:       5.6.7.8/32 (fw0) \
>                             + (br0) <--> GW: 1.2.3.254 <--> Internet?
> KVM-Host: 1.2.3.4/24 (eth0)/
> 
> Your gateway knows that 5.6.7.8 is reachable inside the internal network
> and forwards all traffic to it. So if someone from the Internet sends a
> ping to 5.6.7.8 it gets accepted from your gateway and routed.
Yes ... incoming traffic is no problem.


> 
> On the other hand a ping from 5.6.7.8 to the internet is not working,
> right? So obviously something gets blocked in your iptables setup.
Yes ... but what? The usual log of SuSEfirewall2 does not show the drops :(

> 
> The reason why your ping to the outside world is working when you turn
> off and on the firewall of the KVM host is simple. The connection
> tracking is still in place and allows the forward of the ICMP packets
> after the firewall has started.
Ahh ... ok. Is this what is called 'stateful'?

> 
> From my experience the best way to find out which rule is missing to
> accept the outgoing packets is by modifying the iptables rules
> manually. Just save the iptables-save output and edit it.
> 
> #> iptables-save > firewall.tmp
> 
> #> iptables-restore < firewall.tmp
Ahhh ... this I didn't know. Good idea to try :)


> 
> Usually the OUTPUT policy is set to ACCEPT. So I'm a bit confused why
> the outgoing connection has problems.
> 
> A simple way to analyse this issue is by adding some LOG rules to the
> end of your iptables setup.
> 
> -A OUTPUT -s 5.6.7.8/32 -p icmp -j LOG --log-prefix "TROUBLESHOOTING: "
OK ... will give it a try and see what it will show up ...

> 
> After you identified which rule is missing you can do some
> SuSEfirewall2 modifications to add that rule.
Usually the 'physical' interfaces don't need to be mentioned in
/etc/sysconfig/SuSEfirewall2. Do you agree?


-- 

Christian
----------------------------------------------------
   - Please do not 'CC' me on list mails.
          Just reply to the list :)
----------------------------------------------------
The ultimate shop for sportswear and accessories

http://www.sc24.de
----------------------------------------------------
-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx
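The troubleshooting approach Alexander describes (dump the ruleset with iptables-save, append LOG rules at the end of the chains, reload with iptables-restore, then read the kernel log) can be made repeatable with a small helper. The following is an added example and not code from the thread or from SuSEfirewall2: it appends a LOG rule for the VM's source address to the end of the OUTPUT and FORWARD chains of an iptables-save dump, and then summarizes the resulting kernel log lines by chain, ingress/egress interface and protocol, so the chain whose policy is about to drop the packet stands out. The iptables-save dump and the kernel log lines are constructed samples; the chain layout is deliberately minimal and does not reproduce SuSEfirewall2's own chains.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a minimal iptables-save dump (not a real SuSEfirewall2 ruleset).
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o br0 -j ACCEPT
COMMIT
"""

# The prefix from the thread; the kernel limits --log-prefix to 29 characters,
# so "TROUBLESHOOTING: FORWARD " (25) still fits.
LOG_PREFIX = "TROUBLESHOOTING: "


def add_log_rules(dump: str, source: str,
                  chains: Tuple[str, ...] = ("OUTPUT", "FORWARD")) -> str:
    """Append one LOG rule per chain for packets from `source` to the *filter table.

    -A places the rule after every existing rule, so a log hit means no earlier
    rule in that chain accepted the packet and the chain policy is about to apply.
    The chain name is put into the prefix so the log tells you where it was seen.
    """
    out: List[str] = []
    in_filter = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_filter = (line == "*filter")
        if line == "COMMIT" and in_filter:
            for chain in chains:
                out.append(f'-A {chain} -s {source} -j LOG '
                           f'--log-prefix "{LOG_PREFIX}{chain} "')
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample kernel log lines in the shape the LOG target produces.
SAMPLE_KERNEL_LOG = [
    "Jun 15 12:20:01 kvmhost kernel: [1234.5678] TROUBLESHOOTING: FORWARD IN=br0 OUT=eth0 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=5.6.7.8 DST=203.0.113.10 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1",
    "Jun 15 12:20:02 kvmhost kernel: [1235.5678] TROUBLESHOOTING: FORWARD IN=br0 OUT=eth0 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=5.6.7.8 DST=203.0.113.10 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2",
    "Jun 15 12:20:03 kvmhost kernel: [1236.0000] TROUBLESHOOTING: OUTPUT IN= OUT=eth0 "
    "SRC=1.2.3.4 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=4243 SEQ=1",
    "Jun 15 12:20:04 kvmhost sshd[123]: Accepted publickey for root from 1.2.3.50",
]

LOG_LINE_RE = re.compile(re.escape(LOG_PREFIX) + r"(?P<chain>\w+) (?P<fields>.*)$")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Extract chain, interfaces, addresses and protocol from one LOG line."""
    m = LOG_LINE_RE.search(line)
    if m is None:
        return None          # not one of our troubleshooting lines
    fields: Dict[str, str] = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)   # keep the first ID= (IP id), not the ICMP id
    return {
        "chain": m.group("chain"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
    }


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str, str], int]:
    """Count hits per (chain, in-interface, out-interface, protocol)."""
    counts: Dict[Tuple[str, str, str, str], int] = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["in"] or "-", rec["out"] or "-", rec["proto"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(add_log_rules(SAMPLE_IPTABLES_SAVE, "5.6.7.8/32"))
    for key, n in sorted(summarize(SAMPLE_KERNEL_LOG).items()):
        print(f"{key[0]:8s} in={key[1]:5s} out={key[2]:5s} proto={key[3]:5s} hits={n}")
```

Reading the summary: a FORWARD hit with IN=br0 OUT=eth0 means the VM's outbound packet reached the end of FORWARD without any rule accepting it, so the chain's DROP policy applies and a FORWARD rule for that direction is what is missing; an OUTPUT hit is the host's own traffic and, with the usual ACCEPT policy, only confirms the packet left the host. Because the LOG rules sit at the very end of each chain, they never fire for packets an earlier rule already accepted or rejected, which keeps the log small enough to read.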