
Re: [opensuse-security] SuSEfirewall2 und libvirt/kvm

Hi Alexander,

On 15.06.2016 at 12:13, Alexander Bergmann wrote:
> Hi Christian,
> I didn't fully understand your setup, so let me repeat what it looks
> to me right now.
> VM: (fw0) \
>                             + (br0) <--> GW: <--> Internet?
> KVM-Host: (eth0)/
> Your gateway knows that is reachable inside the internal network
> and forwards all traffic to it. So if someone from the Internet sends a
> ping to it gets accepted from your gateway and routed.
Yes ... incoming traffic is no problem.

> On the other hand a ping from to the internet is not working,
> right? So obviously something gets blocked in your iptables setup.
Yes ... but what. The usual log of SuSEfirewall2 does not show the drops :(

> The reason why your ping to the outside world is working when you turn
> off and on the firewall of the KVM host is simple. The connection
> tracking is still in place and allows the forward of the ICMP packages
> after the firewall has started.
Ahh ... ok. Is this what is called 'stateful'?

> From my experience the best way to find out which rule is missing to
> accept the outgoing packages is by modifying the iptables rules
> manually. Just save the iptables-save output and edit it.
> #> iptables-save > firewall.tmp
> #> iptables-restore < firewall.tmp
Ahhh ... this I didn't know. Good idea to try :)

> Usually the OUTPUT policy is set to ACCEPT. So I'm a bit confused why
> the outgoing connection has problems.
> A simple way to analyse this issue is by adding some LOG rules to the
> end of your iptables setup.
> -A OUTPUT -s -p icmp -j LOG --log-prefix "TROUBLESHOOTING: "
OK ... will give it a try and see what it will show up ...

> After you identified which rule is missing you can do some
> SuSEfirewall2 modifications to add that rule.
Usually the 'physical' interfaces don't need to be mentioned in
/etc/sysconfig/SuSEfirewall2. Do you agree?


   - Please do not 'CC' me on list mails.
          Just reply to the list :)
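The save/edit/restore and LOG-rule approach Alexander describes above, worked through as an added example (editor's code, not from either poster and not part of SuSEfirewall2). It assumes POSIX awk and sed; the ruleset and the kernel log line are constructed samples with RFC 5737 documentation addresses, not the real host's dump. `add_log_rules` inserts a rate-limited LOG rule before every terminating DROP/REJECT in INPUT and FORWARD so the kernel log names the chain that discarded a packet; `summarise_log` condenses those log lines into a one-line "chain in->out proto src->dst" summary.

```shell
#!/bin/sh
# Constructed minimal excerpt in iptables-save format (not a real
# SuSEfirewall2 dump). Note the FORWARD chain ends in a plain DROP, which
# is what silently eats VM traffic that no earlier rule accepted.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j forward_ext
-A FORWARD -j DROP
-A forward_ext -j RETURN
COMMIT'

# add_log_rules: read iptables-save text on stdin and print it back with a
# LOG rule placed directly before each terminating DROP/REJECT in INPUT
# and FORWARD. The prefix carries the chain name, and "-m limit" keeps a
# flood of dropped packets from swamping the kernel log.
add_log_rules() {
    awk '
    /^-A (INPUT|FORWARD) .*-j (DROP|REJECT)/ {
        chain = $2
        print "-A " chain " -m limit --limit 10/min -j LOG --log-prefix \"TROUBLESHOOTING: " chain " \""
    }
    { print }
    '
}

# Constructed kernel log line in the layout the LOG target emits
# (MAC field and addresses are made up).
SAMPLE_LOG='Jun 15 12:30:01 kvmhost kernel: TROUBLESHOOTING: FORWARD IN=br0 OUT=eth0 MAC=52:54:00:12:34:56:00:11:22:33:44:55:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# summarise_log: keep only lines with our prefix and reduce each to
# "CHAIN in->out PROTO src->dst", which is usually enough to see which
# interface pair and protocol the missing accept rule must cover.
summarise_log() {
    grep 'TROUBLESHOOTING:' |
    sed -n 's/.*TROUBLESHOOTING: \([A-Z]*\) IN=\([^ ]*\) OUT=\([^ ]*\) .*SRC=\([^ ]*\) DST=\([^ ]*\) .*PROTO=\([^ ]*\).*/\1 \2->\3 \6 \4->\5/p'
}

# Stand-alone demo: show the edited ruleset and the condensed log line.
printf '%s\n' "$SAMPLE_RULES" | add_log_rules
printf '%s\n' "$SAMPLE_LOG" | summarise_log
```

In practice the edited ruleset goes back in with `iptables-restore < firewall.tmp` as in the thread, the failing ping is repeated, and the kernel log is read for the "TROUBLESHOOTING:" lines; in the sample above a summary of "FORWARD br0->eth0 ICMP ..." points at the FORWARD chain and the br0-to-eth0 direction, which is exactly the path the bridged VM's outbound traffic takes.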

To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx