Virsh Netfilter: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Thomas (Diskussion | Beiträge) (Die Seite wurde neu angelegt: „=List= *virsh nwfilter-list <pre> setlocale: No such file or directory UUID Name --------------------------------------------…“) |
Thomas (Diskussion | Beiträge) (→List) |
||
| Zeile 23: | Zeile 23: | ||
cb236f9e-e024-4e82-b167-8d0d5ab7529b qemu-announce-self | cb236f9e-e024-4e82-b167-8d0d5ab7529b qemu-announce-self | ||
e365fce0-d793-42b7-92f6-801bf1f6b6ab qemu-announce-self-rarp | e365fce0-d793-42b7-92f6-801bf1f6b6ab qemu-announce-self-rarp | ||
| + | </pre> | ||
| + | |||
| + | =filter-22-80= | ||
| + | <pre> | ||
| + | <filter name='filter-22-80'> | ||
| + | <!-- reference the clean traffic filter to prevent | ||
| + | MAC, IP and ARP spoofing. By not providing | ||
| + | and IP address parameter, libvirt will detect the | ||
| + | IP address the VM is using. --> | ||
| + | <filterref filter='clean-traffic'/> | ||
| + | |||
| + | <!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable --> | ||
| + | <rule action='accept' direction='in'> | ||
| + | <tcp dstportstart='22'/> | ||
| + | </rule> | ||
| + | |||
| + | <rule action='accept' direction='in'> | ||
| + | <tcp dstportstart='80'/> | ||
| + | </rule> | ||
| + | |||
| + | <!-- enable general ICMP traffic to be initiated by the VM; | ||
| + | this includes ping traffic --> | ||
| + | <rule action='accept' direction='out'> | ||
| + | <icmp/> | ||
| + | </rule> | ||
| + | |||
| + | <!-- enable outgoing DNS lookups using UDP --> | ||
| + | <rule action='accept' direction='out'> | ||
| + | <udp dstportstart='53'/> | ||
| + | </rule> | ||
| + | |||
| + | <!-- drop all other traffic --> | ||
| + | <rule action='drop' direction='inout'> | ||
| + | <all/> | ||
| + | </rule> | ||
| + | </filter> | ||
</pre> | </pre> | ||
Version vom 17. Oktober 2017, 18:36 Uhr
List
- virsh nwfilter-list
setlocale: No such file or directory UUID Name ------------------------------------------------------------------ 3af26f25-7357-4fb9-83ea-07363e2554fc allow-arp 7fd44e20-45b8-49f4-9779-d88cd6159a07 allow-dhcp 9eb598dc-096d-4e10-a675-a55fe51fa1db allow-dhcp-server c42dabd6-08c2-4f7e-b0df-4e3152e6f6aa allow-incoming-ipv4 e94fc948-5c47-44b5-aba7-be23a0494377 allow-ipv4 b11a440a-9008-4c52-9af8-7bde6e4531a4 clean-traffic 3ea57df0-dc27-4f51-a18d-806ebf962d70 no-arp-ip-spoofing 1824b813-d13d-4d36-9a85-b5bf28896382 no-arp-mac-spoofing 4757f553-a221-4040-ab9a-d6cf32123103 no-arp-spoofing e8143908-9b86-4066-9b22-4821a11b6106 no-ip-multicast 24f37081-67e9-4006-8267-63c3f4d7443f no-ip-spoofing a804644c-5cd2-448f-8196-4e1b12ce0836 no-mac-broadcast 8fbe4a42-13a7-4914-8459-c43ee1227bfe no-mac-spoofing 5a670d8e-2ed1-4339-8fdd-4345335ddc1b no-other-l2-traffic daaf7518-13a8-4540-aada-5681ad440e71 no-other-rarp-traffic d217f2d7-5a04-0e01-8b98-ec2743436b74 no-spamming cb236f9e-e024-4e82-b167-8d0d5ab7529b qemu-announce-self e365fce0-d793-42b7-92f6-801bf1f6b6ab qemu-announce-self-rarp
filter-22-80
<filter name='filter-22-80'>
<!-- reference the clean traffic filter to prevent
MAC, IP and ARP spoofing. By not providing
and IP address parameter, libvirt will detect the
IP address the VM is using. -->
<filterref filter='clean-traffic'/>
<!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable -->
<rule action='accept' direction='in'>
<tcp dstportstart='22'/>
</rule>
<rule action='accept' direction='in'>
<tcp dstportstart='80'/>
</rule>
<!-- enable general ICMP traffic to be initiated by the VM;
this includes ping traffic -->
<rule action='accept' direction='out'>
<icmp/>
</rule>
<!-- enable outgoing DNS lookups using UDP -->
<rule action='accept' direction='out'>
<udp dstportstart='53'/>
</rule>
<!-- drop all other traffic -->
<rule action='drop' direction='inout'>
<all/>
</rule>
</filter>