On 03/11/2020 09:08 PM, Dmitry Konstantinov wrote:
firewalld is disabled. That's among the very first things I do on servers. Searching for 'virbr' and 'FORWARD' under /etc, /usr, /var and /opt (find /$path -type f -print0 | xargs -0 grep -i virbr) doesn't return anything that might set up these rules.
Well, I've wrapped "iptables" and checked who calls it, and it's libvirtd (if firewalld is disabled).
Example:

 1794 ?  Ssl  0:00 /usr/sbin/libvirtd
 2117 ?  S    0:00  \_ /bin/bash /usr/sbin/iptables -w --table filter --insert OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT
virbr0 is managed by libvirtd, so the daemon configures its interface.
I'm not a libvirtd guru, so I'm not sure where to check and correct the configuration.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
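A logging wrapper of the kind described in the message above, as an added example that is not part of the thread and not libvirt, Virtuozzo or OpenVZ code. It assumes the real binary has been moved to /usr/sbin/iptables.real (a name chosen here), a log file at /var/log/iptables-callers.log (also chosen here) and a Linux /proc; both paths can be overridden through the environment. The ps tree quoted in the message is what this kind of wrapper exposes when libvirtd is the caller.

```bash
#!/bin/sh
# Added example (not from the thread): a logging wrapper installed in place
# of /usr/sbin/iptables so that every invocation records which process tree
# made the call. Assumes the real binary has been moved to
# /usr/sbin/iptables.real (hypothetical name) and that /proc is mounted.
REAL_IPTABLES="${REAL_IPTABLES:-/usr/sbin/iptables.real}"
CALLER_LOG="${CALLER_LOG:-/var/log/iptables-callers.log}"

# ancestry PID: print "pid:name" for PID and each ancestor up to (but not
# including) PID 1, read from /proc/<pid>/status. Prints an empty line when
# the PID does not exist or /proc is unavailable.
ancestry() {
    pid="$1"
    chain=""
    while [ "$pid" -gt 1 ] 2>/dev/null && [ -r "/proc/$pid/status" ]; do
        name=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$pid/status")
        ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$pid/status")
        chain="${chain}${chain:+ <- }${pid}:${name}"
        pid="$ppid"
    done
    printf '%s\n' "$chain"
}

# join_args ARG...: one space-separated string of the iptables arguments,
# with an empty argument shown as '' so gaps stay visible in the log.
join_args() {
    out=""
    for a in "$@"; do
        [ -n "$a" ] || a="''"
        out="${out}${out:+ }${a}"
    done
    printf '%s\n' "$out"
}

# log_entry CHAIN ARGS: the record written for one call.
log_entry() {
    printf 'caller=[%s] args=[%s]\n' "$1" "$2"
}

# wrapper: log our parent process and its ancestors, then hand over to the
# real iptables with the unchanged argument list.
wrapper() {
    entry=$(log_entry "$(ancestry "$PPID")" "$(join_args "$@")")
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$entry" >>"$CALLER_LOG" 2>/dev/null
    exec "$REAL_IPTABLES" "$@"
}

# Only act as a wrapper when invoked under the iptables name; when the file
# is sourced or run under another name nothing is executed.
case "${0##*/}" in
    iptables) wrapper "$@" ;;
esac
```

Install with mv /usr/sbin/iptables /usr/sbin/iptables.real and copy the script to /usr/sbin/iptables with mode 0755; for the tree quoted above the log line would read caller=[2117:bash <- 1794:libvirtd] followed by the arguments. Undo the move before the next iptables package update, or the package will overwrite the wrapper. The wrapper only records who calls iptables; the rules themselves belong to the libvirt network that owns virbr0, which virsh net-list --all shows and virsh net-autostart --disable <name> keeps from starting at boot, so flushing them by hand does not survive the next start of that network.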
On Wed, 11 Mar 2020 17:22:03 +0300
Konstantin Khorenko <khore...@virtuozzo.com> wrote:
On 03/09/2020 04:12 PM, Dmitry Konstantinov wrote:
Hello,
I've noticed that after a fresh install I have few filtering rules
that I do not need and would like to get rid of:
[root@localhost ~]# iptables -n -L -v
Chain INPUT (policy ACCEPT 2353 packets, 161K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 1547 packets, 356K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
[root@localhost ~]#
I failed to find anything that adds these rules. Is it hardcoded? If
not, how do I disable them without writing a script to flush
iptables?
Hi,
I guess the rules are created upon firewalld configuration.
> not, how do I disable them without writing a script to flush
> iptables?
Maybe just disable the firewalld service.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users