Virsh Netfilter: Difference between revisions
Thomas (talk | contribs)
Revision as of 17 October 2017, 18:38
List
- virsh nwfilter-list
setlocale: No such file or directory
UUID                                  Name
------------------------------------------------------------------
3af26f25-7357-4fb9-83ea-07363e2554fc  allow-arp
7fd44e20-45b8-49f4-9779-d88cd6159a07  allow-dhcp
9eb598dc-096d-4e10-a675-a55fe51fa1db  allow-dhcp-server
c42dabd6-08c2-4f7e-b0df-4e3152e6f6aa  allow-incoming-ipv4
e94fc948-5c47-44b5-aba7-be23a0494377  allow-ipv4
b11a440a-9008-4c52-9af8-7bde6e4531a4  clean-traffic
3ea57df0-dc27-4f51-a18d-806ebf962d70  no-arp-ip-spoofing
1824b813-d13d-4d36-9a85-b5bf28896382  no-arp-mac-spoofing
4757f553-a221-4040-ab9a-d6cf32123103  no-arp-spoofing
e8143908-9b86-4066-9b22-4821a11b6106  no-ip-multicast
24f37081-67e9-4006-8267-63c3f4d7443f  no-ip-spoofing
a804644c-5cd2-448f-8196-4e1b12ce0836  no-mac-broadcast
8fbe4a42-13a7-4914-8459-c43ee1227bfe  no-mac-spoofing
5a670d8e-2ed1-4339-8fdd-4345335ddc1b  no-other-l2-traffic
daaf7518-13a8-4540-aada-5681ad440e71  no-other-rarp-traffic
d217f2d7-5a04-0e01-8b98-ec2743436b74  no-spamming
cb236f9e-e024-4e82-b167-8d0d5ab7529b  qemu-announce-self
e365fce0-d793-42b7-92f6-801bf1f6b6ab  qemu-announce-self-rarp
filter-22-80.xml
<filter name='filter-22-80'>
  <!-- reference the clean-traffic filter to prevent
       MAC, IP and ARP spoofing. By not providing
       an IP address parameter, libvirt will detect the
       IP address the VM is using. -->
  <filterref filter='clean-traffic'/>

  <!-- enable TCP ports 22 (ssh) and 80 (http) to be reachable -->
  <rule action='accept' direction='in'>
    <tcp dstportstart='22'/>
  </rule>
  <rule action='accept' direction='in'>
    <tcp dstportstart='80'/>
  </rule>

  <!-- enable general ICMP traffic to be initiated by the VM;
       this includes ping traffic -->
  <rule action='accept' direction='out'>
    <icmp/>
  </rule>

  <!-- enable outgoing DNS lookups using UDP -->
  <rule action='accept' direction='out'>
    <udp dstportstart='53'/>
  </rule>

  <!-- drop all other traffic -->
  <rule action='drop' direction='inout'>
    <all/>
  </rule>
</filter>
Define
- virsh nwfilter-define filter-22-80.xml
Network filter filter-22-80 defined from filter-22-80.xml
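Before defining a filter it is worth checking what it actually admits. The following script is an added example, not part of this wiki page or of libvirt: it parses a constructed copy of filter-22-80.xml, orders the rules the way libvirt evaluates them (ascending priority, default 500, document order within a priority), lists the inbound ports accepted, and confirms that the last rule evaluated is the drop-all. It only looks at the rules written in the file itself; the rules pulled in through the clean-traffic reference are not expanded.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the filter-22-80.xml shown on this page (comments dropped).
FILTER_XML = """<filter name='filter-22-80'>
  <filterref filter='clean-traffic'/>
  <rule action='accept' direction='in'><tcp dstportstart='22'/></rule>
  <rule action='accept' direction='in'><tcp dstportstart='80'/></rule>
  <rule action='accept' direction='out'><icmp/></rule>
  <rule action='accept' direction='out'><udp dstportstart='53'/></rule>
  <rule action='drop' direction='inout'><all/></rule>
</filter>"""

DEFAULT_PRIORITY = 500  # libvirt's default when a rule carries no priority attribute


def parse_filter(xml_text):
    """Return (name, referenced filters, rules in evaluation order).

    libvirt evaluates rules by ascending priority (-1000..1000, lower first);
    rules of equal priority keep document order, so a stable sort is enough.
    """
    root = ET.fromstring(xml_text)
    refs = [r.get("filter") for r in root.findall("filterref")]
    rules = []
    for rule in root.findall("rule"):
        for proto in rule:  # one protocol element per rule in this filter
            start = proto.get("dstportstart")
            rules.append({
                "action": rule.get("action"),
                "direction": rule.get("direction"),
                "protocol": proto.tag,
                "start": int(start) if start else None,
                "end": int(proto.get("dstportend", start)) if start else None,
                "priority": int(rule.get("priority", DEFAULT_PRIORITY)),
            })
    rules.sort(key=lambda r: r["priority"])  # stable sort keeps document order
    return root.get("name"), refs, rules


def inbound_accepted_ports(xml_text):
    """(protocol, first port, last port) ranges accepted towards the VM."""
    _, _, rules = parse_filter(xml_text)
    return sorted((r["protocol"], r["start"], r["end"]) for r in rules
                  if r["action"] == "accept" and r["direction"] in ("in", "inout")
                  and r["start"] is not None)


def ends_with_default_drop(xml_text):
    """True if the rule evaluated last drops all traffic in both directions."""
    _, _, rules = parse_filter(xml_text)
    last = rules[-1] if rules else None
    return bool(last) and last["action"] == "drop" \
        and last["protocol"] == "all" and last["direction"] == "inout"
```

To check a filter that is already defined, feed it the output of `virsh nwfilter-dumpxml <name>` instead of the embedded string.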