top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

FirewallD and network bridge to protect qemu/kvm

+1 vote

I'd like to configure FirewallD to protect qemu/kvm host and maybe guests but the second one is not so important for me because each guest has it's own firewall.

What I don't understand is how FirewallD works with network bridges. Currently, I have bridge (br0) in trusted zone to allow as much traffic as possible, and p3p1 (which is NIC connected to switch) in public zone. When I put bridge in public zone I cut off networking from guests.

My question is, should I change rules on bridge or p3p1 and what is the correlation between them? What should I configure to pass networking traffic to guests but protect all ports on host system?

posted Aug 23, 2013 by Naveena Garg

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

Take a look at

I believe the default now is to set the following to disable netfiltering traffic for the bridge:

 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

Then your firewall only needs to consider p3p1. The hosts on the VM side of the bridge will need their own firewalls.

answer Aug 24, 2013 by Garima Jain
Thanks, now I understand what is going on there but I've encountered another problem. I've net.* entries in /etc/sysctl.conf that you mentioned above but they're not applied on system startup (or they're changes later by something - maybe firewalld?). I have to run sysctl manually.
This may be because of the way systemd now handles sysctl.conf. On a fresh Fedora 19 install, my /etc/sysctl.conf reads:

# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/.conf file
# For more information, see sysctl.conf(5) and sysctl.d(5).

For me, I didn't need to do anything special, since has been the default for a while.
Similar Questions
0 votes

I have been looking at the new Fedora firewall 'firewalld' and the 'firewall-cmd' command. I'm currently running F17 on a PC with an F18 virtual machine, and have been trying to understand firewalld prior to
upgrading to Fedora 19.

The PC has a modified iptables. So I have been trying to see how to incorporate the changes into the new firewalld. I suspect I will need to use the 'firewall-cmd --direct' option to add the iptables rules (as I
see no other way of specifying on the rules source/destination addresses using 'firewall-cmd').

However, 'firewall-cmd' offers both the '--get-chains' and '--get-rules' options, but these both require specifying which table is to be used. How do I know what the tables are? There is no '--get-tables' option.
I can run 'cat /proc/net/ip_tables_names' and this lists the standard iptables tables (nat ,mangle, filter). But if I use these names with 'firweall-cmd' all I get is a blank line displayed. E.g.

 firewall-cmd --direct --get-chains ipv4 nat

The same occurs with all the table names.

So, my question is this, is 'firewall-cmd' working correctly and simply stating that none of the tables have any chains (and so no rules) Secondly, how do I find out what tables are defined for firewalld?

+1 vote

We always see failures after doing; systemctl stop firewald followed by systemctl start firewalld. To clear the issue we seem to have to reboot the system.

0 votes

I just did a clean net install of CentOS 6.4 and when I run virt-manager it says that qemu-kvm is missing, but when I try to install it with yum it says that there isn't a package with that name. Is something wrong with my configuration? Or what is causing this package to appear as not available?