As I got no response regarding my first question, maybe my question is better placed in -security. So excuse the full quote and top post, and I hope gmane does not mess up the F2up/Reply-To.

Thanks,
Johannes

On 09.05.15 Johannes Kastl wrote:
Hi everyone,
As I happen to be trying this on my Tumbleweed machine, I am asking on this list. But I think the basics apply to 13.{1,2} as well.
I know I can add 'special' iptables rules in /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like this:
FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22"
This would allow only the host 192.168.178.2 to reach the machine via ssh.
############################ Question: ############################

How do I add such a special rule when I want to open the port on the virtual interfaces that libvirt uses?
I have set up libvirt with a NAT network, which uses virbr0. As soon as a VM is started, another interface vnet0 appears. So basically I want to open a port on whichever of these two interfaces is the right one.
Assuming that INT, EXT and DMZ are used otherwise, I know I could create an additional zone (for each of the interfaces):

FW_ZONES="libvirt"
FW_DEV_libvirt="vnet0"
FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22"
I would also have to set FW_ROUTE to yes, otherwise the VM does not get a connection to the host's network and no route to the whole wide world.
But: This does not work in my setup.
I restarted SuSEfirewall2 and libvirt services, rebooted the VM, but no, no open port.
If I stop SuSEfirewall2, then the port can be reached, i.e. the ssh service is not the problem.
Any hints? Is there something I'm missing? Some error in my thinking?
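The following is an added example, not code from the post or from SuSEfirewall2 itself: a small checker that reads a sysconfig fragment of the kind quoted above (a custom `libvirt` zone bound to `vnet0`, plus `FW_SERVICES_ACCEPT_<zone>` entries in the `net,proto,dport` form), expands each entry into the interface-specific accept rule it stands for, and lists every interface named in an `FW_DEV_*` setting that does not currently exist on the host. The sample configuration, the set of "present" interfaces and the rendered `iptables` lines are constructed for illustration; the rendering approximates the meaning of an entry, not the chain layout SuSEfirewall2 actually generates. The point of the last check is the one the post describes: `vnet0` only appears once a VM is running, so a zone bound to it references an interface that may be absent when the firewall is (re)started.

```python
import re
import shlex

# Constructed /etc/sysconfig/SuSEFirewall2 fragment, modelled on the settings
# quoted in the post (the addresses are the poster's examples, not a real host).
SAMPLE_CONFIG = """
# custom zone for the libvirt interfaces
FW_ZONES="libvirt"
FW_DEV_EXT="eth0"
FW_DEV_libvirt="vnet0"
FW_ROUTE="yes"
FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22"
FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22"
"""

BUILTIN_ZONES = ("EXT", "INT", "DMZ")
_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_sysconfig(text):
    """Parse KEY="value" lines into a dict; comments and blank lines are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.groups()
        # shlex removes the surrounding quotes the way the shell would
        values[key] = " ".join(shlex.split(raw))
    return values


def zone_names(cfg):
    """Built-in zones plus any custom zones listed in FW_ZONES."""
    return list(BUILTIN_ZONES) + cfg.get("FW_ZONES", "").split()


def accept_rules(cfg):
    """Expand every FW_SERVICES_ACCEPT_<zone> entry (net,proto,dport[,...]) into
    one (zone, interface, source, proto, dport) tuple per interface of the zone."""
    rules = []
    for zone in zone_names(cfg):
        devices = cfg.get("FW_DEV_" + zone, "").split()
        for entry in cfg.get("FW_SERVICES_ACCEPT_" + zone, "").split():
            fields = entry.split(",")
            if len(fields) < 3:
                raise ValueError("malformed entry %r in zone %s" % (entry, zone))
            src, proto, dport = fields[:3]
            for dev in devices:
                rules.append((zone, dev, src, proto, dport))
    return rules


def render_iptables(rules):
    """Render the plain-iptables meaning of each tuple (an approximation of the
    intent, not the chain layout SuSEfirewall2 itself builds)."""
    return [
        "iptables -A INPUT -i %s -s %s -p %s --dport %s -j ACCEPT"
        % (dev, src, proto, dport)
        for _zone, dev, src, proto, dport in rules
    ]


def missing_interfaces(cfg, present):
    """Interfaces referenced by any FW_DEV_<zone> that are absent from `present`,
    the set of interface names that currently exist on the host."""
    referenced = []
    for zone in zone_names(cfg):
        referenced.extend(cfg.get("FW_DEV_" + zone, "").split())
    return sorted(dev for dev in set(referenced) if dev not in present)


def check(cfg_text, present):
    """Summarise the configuration: whether routing is on, the expanded rules,
    and the referenced interfaces that do not exist yet."""
    cfg = parse_sysconfig(cfg_text)
    return {
        "route": cfg.get("FW_ROUTE", "no") == "yes",
        "rules": render_iptables(accept_rules(cfg)),
        "missing": missing_interfaces(cfg, present),
    }


if __name__ == "__main__":
    # Constructed interface list for a host whose VM is not running: no vnet0 yet.
    report = check(SAMPLE_CONFIG, {"lo", "eth0", "virbr0"})
    for line in report["rules"]:
        print(line)
    print("FW_ROUTE enabled:", report["route"])
    print("referenced but absent:", report["missing"])
```

On a real host the `present` set would come from the kernel's interface list (for example the names under `/sys/class/net`); with the constructed set above the report flags `vnet0` as referenced but absent, which is exactly the situation between a firewall restart and the next VM start.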