[opensuse-factory] SuSEFirewall2, libvirtd and opening ports with restrictions
Hi everyone,

as I happen to try this on my tumbleweed machine, I am asking on this list. But I think the basics apply to 13.{1,2} as well.

I know I can add 'special' iptables rules in /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like this:

FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22"

This would allow only the host 192.168.178.2 to reach the machine via ssh.

############################
Question:
############################

How do I add such a special rule when I want to open the port on the virtual interfaces that libvirt uses?

I have set up libvirt with a NAT network, which uses virbr0. As soon as a VM is started, another interface vnet0 appears. So basically I want to open a port on whichever of these two interfaces is the right one.

Assuming that INT, EXT and DMZ are used otherwise, I know I could create an additional zone (for each of the interfaces):

FW_ZONES="libvirt"
FW_DEV_libvirt="vnet0"
FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22"

I would also have to set FW_ROUTE to yes, otherwise the VM does not get a connection to the host's network and no route to the whole wide world.

But: this does not work in my setup. I restarted the SuSEfirewall2 and libvirt services, rebooted the VM, but no, no open port. If I stop SuSEfirewall2, then the port can be reached, i.e. the ssh service is not the problem.

Any hints? Is there something I'm missing? Some error in my thinking?

############################
Related question:
############################

Also, is there a way to re-add the libvirt firewall rules when SuSEfirewall2 is restarted/reloaded?

Thanks in advance!
Johannes

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 05/09/2015 09:53 AM, Johannes Kastl wrote:
> ############################
> Related question:
> ############################
>
> Also, is there a way to re-add the libvirt firewall rules when SuSEfirewall2 is restarted/reloaded?
>
> Thanks in advance!
> Johannes

Restarting libvirtd should do the trick. IIRC the rules are added when the service starts.

--
Regards,
Uzair Shamim
On 10.05.2015 Uzair Shamim wrote:
> Restarting libvirtd should do the trick. IIRC the rules are added when the service starts.

That is how I do it at the moment. But I was hoping there would be a way to tell the firewall service that, if it restarts, it should load the rules from this or that file, or to tell libvirtd to reload its firewall rules. Some kind of automagic triggering, so I do not have to remember to do it manually...

Johannes
On Sun, 2015-05-10 at 09:32 +0200, Johannes Kastl wrote:
> On 10.05.2015 Uzair Shamim wrote:
>> Restarting libvirtd should do the trick. IIRC the rules are added when the service starts.
>
> That is how I do it at the moment. But I was hoping there would be a way to tell the firewall service that, if it restarts, it should load the rules from this or that file, or to tell libvirtd to reload its firewall rules.
>
> Some kind of automagic triggering, so I do not have to remember to do it manually...

libvirtd doesn't know about SuSEfirewall2, but adds / removes iptables rules on the fly. I didn't get what you exactly want... We surely can get libvirt fixed if there is something that needs to be done. Otherwise you can have a look at libvirt hooks (not sure it really does what you want): http://libvirt.org/hooks.html

--
Cedric
On 11.05.15 Cedric Bosdonnat wrote:
> libvirtd doesn't know about SuSEfirewall2, but adds / removes iptables rules on the fly.
>
> I didn't get what you exactly want...

And restarting SuSEfirewall2 erases them all. Whether by design or because of a bug, I do not know. So I'd propose some kind of trigger or hook that tells libvirt to add its iptables rules each time SuSEfirewall2 is restarted. Or a drop-in file that SuSEfirewall2 uses when restarting. Kind of a custom rule file.

> We surely can get libvirt fixed if there is something that needs to be done. Otherwise you can have a look at libvirt hooks (not sure it really does what you want):

I would have thought we either need some kind of drop-in file that libvirt places somewhere SuSEfirewall2 reads it, or a way that SuSEfirewall2 can tell libvirt to reload its rules.

Johannes
On 2015-05-11 21:05, Johannes Kastl wrote:
> I would have thought we either need some kind of drop-in file that libvirt places somewhere SuSEfirewall2 reads it, or a way that SuSEfirewall2 can tell libvirt to reload its rules.

Have a look at /etc/sysconfig/scripts/SuSEfirewall2-custom

I don't know if that is what you want, but maybe similar.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
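One way the custom script Carlos mentions can re-create source-restricted rules for a libvirt zone on every SuSEfirewall2 (re)start, written as an added example for this thread, not code from the list, from SuSEfirewall2 or from libvirt. It assumes the hook name fw_custom_after_finished and the FW_CUSTOMRULES setting from the shipped SuSEfirewall2-custom template, reuses the "source,protocol,port" entry form and the FW_DEV_libvirt / FW_SERVICES_ACCEPT_libvirt variables from the first post, and uses constructed interface names and addresses.

```shell
#!/bin/sh
# Added example (not from the thread, SuSEfirewall2 or libvirt): a hook body in the style
# of /etc/sysconfig/scripts/SuSEfirewall2-custom that re-creates source-restricted ACCEPT
# rules on a libvirt interface whenever SuSEfirewall2 rebuilds its rule set.
# Assumptions: hook name fw_custom_after_finished and the FW_CUSTOMRULES setting follow the
# shipped template; the interface names and addresses below are constructed samples.

IPTABLES="${IPTABLES:-echo iptables}"   # dry run by default; export IPTABLES=iptables to apply

# render_accept_rule DEV "SRC,PROTO,PORT": print the iptables arguments for one entry in the
# same "source,protocol,port" form as FW_SERVICES_ACCEPT_*. Any malformed entry fails, so a
# typo in the config never silently becomes a wider rule than intended.
render_accept_rule() {
    dev=$1; entry=$2
    src=${entry%%,*}; rest=${entry#*,}
    proto=${rest%%,*}; port=${rest#*,}
    [ "$rest" != "$entry" ] && [ "$port" != "$rest" ] || { echo "bad entry '$entry'" >&2; return 1; }
    case $src in ''|*[!0-9./]*) echo "bad source in '$entry'" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "bad proto in '$entry'" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port in '$entry'" >&2; return 1 ;; esac
    printf -- '-I INPUT -i %s -s %s -p %s --dport %s -j ACCEPT\n' "$dev" "$src" "$proto" "$port"
}

# Hook SuSEfirewall2 calls after its own chains are in place (assumed name from the custom
# script template). Reads the same zone variables the first post defines for "libvirt".
fw_custom_after_finished() {
    dev=${FW_DEV_libvirt:-virbr0}
    for entry in ${FW_SERVICES_ACCEPT_libvirt:-192.168.2.2,tcp,22}; do
        args=$(render_accept_rule "$dev" "$entry") || continue   # bad entries are logged, skipped
        $IPTABLES $args                                           # word splitting intended
    done
    true
}

# Stand-alone: show the rules this hook would apply.
if [ "${1:-}" = "--show" ]; then
    fw_custom_after_finished
fi
```

This only re-adds rules you define yourself; libvirt's own NAT rules still need the libvirtd restart Uzair describes. Note that in a NAT network, packets from a guest to the host enter the IP stack on the bridge (virbr0), not on the tap device vnet0, which is only a bridge port, so the bridge is the device to name in FW_DEV_libvirt.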
On 12.05.15 Carlos E. R. wrote:
> On 2015-05-11 21:05, Johannes Kastl wrote:
>> I would have thought we either need some kind of drop-in file that libvirt places somewhere SuSEfirewall2 reads it, or a way that SuSEfirewall2 can tell libvirt to reload its rules.
>
> Have a look at /etc/sysconfig/scripts/SuSEfirewall2-custom

That was the example I had in mind.

> I don't know if that is what you want, but maybe similar.

I know I can trigger custom rules with this file, but I have no idea how to use it with libvirtd. Can libvirtd put its rules in a file like that, which is then used within SuSEfirewall2? That would be something for the developers, I fear. I can test and try to support, but I am lacking knowledge of both libvirtd and SuSEfirewall2 internals...

Regards,
Johannes
On 2015-05-12 19:41, Johannes Kastl wrote:
> I know I can trigger custom rules with this file, but I have no idea how to use it with libvirtd. Can libvirtd put its rules in a file like that, which is then used within SuSEfirewall2?

I don't know...

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On Thu, May 14, 2015 at 02:24:19AM +0200, Carlos E. R. wrote:
> On 2015-05-12 19:41, Johannes Kastl wrote:
>> I know I can trigger custom rules with this file, but I have no idea how to use it with libvirtd. Can libvirtd put its rules in a file like that, which is then used within SuSEfirewall2?
>
> I don't know...

Well, basically yes. It depends on what rules they use :/ I currently have no time to try it out myself, sorry.

Ciao,
Marcus
As I got no response regarding my first question, maybe my question is better placed in -security. So excuse the fullquote and toppost, and I hope gmane does not mess up the F2up/Reply-To.

Thanks,
Johannes

On 09.05.15 Johannes Kastl wrote:
> Hi everyone,
>
> as I happen to try this on my tumbleweed machine, I am asking on this list. But I think the basics apply to 13.{1,2} as well.
>
> I know I can add 'special' iptables rules in /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like this:
>
> FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22"
>
> This would allow only the host 192.168.178.2 to reach the machine via ssh.
>
> ############################
> Question:
> ############################
>
> How do I add such a special rule when I want to open the port on the virtual interfaces that libvirt uses?
>
> I have set up libvirt with a NAT network, which uses virbr0. As soon as a VM is started, another interface vnet0 appears. So basically I want to open a port on whichever of these two interfaces is the right one.
>
> Assuming that INT, EXT and DMZ are used otherwise, I know I could create an additional zone (for each of the interfaces):
>
> FW_ZONES="libvirt"
> FW_DEV_libvirt="vnet0"
> FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22"
>
> I would also have to set FW_ROUTE to yes, otherwise the VM does not get a connection to the host's network and no route to the whole wide world.
>
> But: this does not work in my setup.
>
> I restarted the SuSEfirewall2 and libvirt services, rebooted the VM, but no, no open port.
>
> If I stop SuSEfirewall2, then the port can be reached, i.e. the ssh service is not the problem.
>
> Any hints? Is there something I'm missing? Some error in my thinking?
On 2015-05-14 21:37, Johannes Kastl wrote:
> As I got no response regarding my first question, maybe my question is better placed in -security.
>
> So excuse the fullquote and toppost, and I hope gmane does not mess up the F2up/Reply-To.

No, it did not arrive on -security.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 15/05/15 10:37, Carlos E. R. wrote:
> On 2015-05-14 21:37, Johannes Kastl wrote:
>> As I got no response regarding my first question, maybe my question is better placed in -security.
>>
>> So excuse the fullquote and toppost, and I hope gmane does not mess up the F2up/Reply-To.
>
> No, it did not arrive on -security.

Yes it is sitting in Security - I just read that message.

BC

--
Using openSUSE 13.2, KDE 4.14.6 & kernel 4.0.3-1 on a system with
AMD FX 8-core 3.6/4.2GHz processor
16GB PC14900/1866MHz Quad Channel RAM
Gigabyte AMD3+ m/board; Gigabyte nVidia GTX660 GPU
On 2015-05-16 03:49, Basil Chupin wrote:
> On 15/05/15 10:37, Carlos E. R. wrote:
>> No, it did not arrive on -security.
>
> Yes it is sitting in Security - I just read that message.

It is another one.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 16.05.15 Carlos E. R. wrote:
> On 2015-05-16 03:49, Basil Chupin wrote:
>> Yes it is sitting in Security - I just read that message.
>
> It is another one.

Sorry for the trouble. The first one arrived in -security on gmane, but was not forwarded to -security, so I resent it.

Johannes
On 2015-05-16 07:08, Johannes Kastl wrote:
> On 16.05.15 Carlos E. R. wrote:
>> On 2015-05-16 03:49, Basil Chupin wrote:
>>> Yes it is sitting in Security - I just read that message.
>>
>> It is another one.
>
> Sorry for the trouble. The first one arrived in -security on gmane, but was not forwarded to -security, so I resent it.

No trouble :-) I just mentioned that it did not arrive in case you wouldn't notice.

--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On Sat, May 16, 2015 at 05:12:37PM +0200, Carlos E. R. wrote:
> On 2015-05-16 07:08, Johannes Kastl wrote:
>> On 16.05.15 Carlos E. R. wrote:
>>> On 2015-05-16 03:49, Basil Chupin wrote:
>>>> Yes it is sitting in Security - I just read that message.
>>>
>>> It is another one.
>>
>> Sorry for the trouble. The first one arrived in -security on gmane, but was not forwarded to -security, so I resent it.
>
> No trouble :-)
>
> I just mentioned that it did not arrive in case you wouldn't notice.

I am mostly reading -factory too, but my time is currently limited for SuSEfirewall2 work.

Ciao,
Marcus
participants (6)
- Basil Chupin
- Carlos E. R.
- Cedric Bosdonnat
- Johannes Kastl
- Marcus Meissner
- Uzair Shamim