
Re: Shorewall and libvirt



On 5/6/2021 5:03 AM, Charles Curley wrote:
For years, up through Buster, I have had a nice setup with virtual
machines on my laptops, with firewalling provided by shorewall and
rules I have added over the years. As I move from network to network,
the firewall is reconfigured, and the VMs continue to work. I also have
scripts that detect my home networks, and re-do the firewall for use on
the home network.

Now, with Bullseye, I seem to be hitting a brick wall. Something --
libvirt?? -- is mucking with my firewalling and breaking the virtual
internal networking.

What is the preferred way of running libvirt on a laptop? I do not
*have* to have shorewall, but would like some sort of firewall tool.


First you need to disable libvirt from playing with iptables, I changed
(virsh net-edit default) from:
  <forward mode='nat'/>

to:

  <forward mode='open'/>

Then you can use whatever firewalling solution you like (this is
documented in Libvirt's doc).


Remember that Bullseye has nftables per default, you might want to switch
back to iptables for Shorewall to work properly.

--
John Doe
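
A check for the change described in the reply above, as an added example that is not part of the original message: it reads each libvirt network definition and reports whether libvirt will still insert its own firewall rules (`nat`, `route` and isolated networks) or leaves the network to the host firewall (`open`). The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Print the forward mode of a libvirt network definition read from stdin.
forward_mode() {
    xml=$(cat)
    mode=$(printf '%s\n' "$xml" |
        sed -n "s/.*<forward[^>]*mode=[\"']\([a-z]*\)[\"'].*/\1/p" | head -n 1)
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    elif printf '%s\n' "$xml" | grep -q '<forward'; then
        printf 'nat\n'        # <forward> without mode= defaults to nat
    else
        printf 'isolated\n'   # no <forward> element at all
    fi
}

# Succeed (0) when libvirt adds its own firewall rules for this network.
libvirt_manages_firewall() {
    case "$(forward_mode)" in
        nat|route|isolated) return 0 ;;
        *) return 1 ;;   # open, bridge, ...: firewalling is left to the host
    esac
}

# Report every defined network; --inactive shows the persistent config.
audit_networks() {
    for net in $(virsh net-list --all --name 2>/dev/null); do
        if virsh net-dumpxml --inactive "$net" | libvirt_manages_firewall; then
            echo "$net: libvirt will insert its own rules"
        else
            echo "$net: left to the host firewall"
        fi
    done
}

if command -v virsh >/dev/null 2>&1; then audit_networks; fi
```

The report reflects the persistent definition; a running network keeps its old mode until it is restarted with `virsh net-destroy` and `virsh net-start`.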

