Just took the leap into Fedora 18 from 17.
In Fedora 17, I simply added a custom rule in the old system-config-firewall to point to a file that had a trust of the libvirt based virbr0 interface.
The new system-config-firewall has me a bit confused....
I would like to keep the new firewalld and its initial presumption that my em1 and wlan0 interfaces are in the "public" zone generally not allowing unsolicited inbound activity. This appears to be the default OOBE.
I would like to associate the virbr0 interface, created by libvirtd, to be considered part of the "internal" zone, since I "trust" my own VMs talking to the host. But, what is the "supportable" method for accomplishing this? There is no ifcfg- where I could put the firewall zone....
Thanks in advance,
--Rob
Hi Rob:
2013/1/28 Robert Locke lists@ralii.com
> I would like to associate the virbr0 interface, created by libvirtd, to be considered part of the "internal" zone, since I "trust" my own VMs talking to the host. But, what is the "supportable" method for accomplishing this? There is no ifcfg- where I could put the firewall zone....
firewall-cmd [--zone=<zone>] --add-interface=<interface>
from https://fedoraproject.org/wiki/FirewallD#Generic_use
Greetings,
--
Jorge Martínez López
jorgeml@gmail.com
http://www.jorgeml.net
On Mon, 2013-01-28 at 10:34 +0000, Jorge Martínez López wrote:
> Hi Rob:
>
> 2013/1/28 Robert Locke lists@ralii.com
> > I would like to associate the virbr0 interface, created by libvirtd, to be considered part of the "internal" zone, since I "trust" my own VMs talking to the host. But, what is the "supportable" method for accomplishing this? There is no ifcfg- where I could put the firewall zone....
>
> firewall-cmd [--zone=<zone>] --add-interface=<interface>
Thanks Jorge for this idea....
But, what I really could use is a "persistent" solution. I had already found the above documentation, but with each reboot I need to run it again (and, I know I could add it to rc.local, if that still exists, but I want a "supported" method). And "--permanent" doesn't seem to work yet for "--add-interface" but did cover my one service I needed to add to the internal zone.
Normally, there is a "ZONE=" that can be added to the ifcfg- files, but virbr0 doesn't have one of those, or, at least not where I have been able to find it....
This is why I think there is some enhancement to libvirtd with regard to firewalld that perhaps needs to be created, or I'm overlooking something?
--Rob
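
An added example, not part of the thread: a small audit that compares the zone firewalld currently reports for each interface with the layout described above (em1 and wlan0 in "public", virbr0 in "internal"), so a runtime-only binding that did not survive a reboot is reported instead of going unnoticed. It uses firewall-cmd's `--get-zone-of-interface` query; the `FIREWALL_CMD` override and the `stub_after_reboot` function are hypothetical, and the stub's output is constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Compare each interface's current firewalld zone with the zone you intend.
# FIREWALL_CMD is a hypothetical override so the check can run against a
# stub; when it is unset, the real firewall-cmd is called.

# Intended layout from the thread, one "interface:zone" pair per line.
EXPECTED='em1:public
wlan0:public
virbr0:internal'

# Print the zone an interface is bound to, or "none" if the query fails.
zone_of() {
    z=$("${FIREWALL_CMD:-firewall-cmd}" --get-zone-of-interface="$1" 2>/dev/null) || z=none
    printf '%s\n' "${z:-none}"
}

# Print one line per mismatch; return 0 only if every binding matches.
audit_zones() {
    rc=0
    for pair in $EXPECTED; do
        iface=${pair%%:*}
        want=${pair#*:}
        have=$(zone_of "$iface")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s: want=%s have=%s\n' "$iface" "$want" "$have"
            rc=1
        fi
    done
    return $rc
}

# Constructed stub (assumption): models a host where the runtime-only
# binding of virbr0 is gone and the query for it fails.
stub_after_reboot() {
    case "$1" in
        --get-zone-of-interface=em1|--get-zone-of-interface=wlan0) echo public ;;
        *) echo "no zone"; return 2 ;;
    esac
}

# Demo against the stub, in a subshell so the override does not leak.
( FIREWALL_CMD=stub_after_reboot; audit_zones ) || true
```

On a real host, leave `FIREWALL_CMD` unset and call `audit_zones` after boot; a non-zero return means at least one interface is not in the zone you intended.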