On Thu, Jul 16, 2020 at 07:53:19AM -0400, Gunnar Niels wrote:
>
> >I suspect I'm stumbling because I'm using libvirt NAT instead of a
> >bridged device (which admittedly I don't fully understand). Dumping the
> >nft ruleset, it looks like my zone settings strictly affect the zone's
> >input chain.
>
> Right. Firewalld does not yet support forward filtering. It's in the
> works [1], but not functional yet.
>
> [1]: https://github.com/firewalld/firewalld/pull/639
...
> >Are these considered FORWARDed packets, and therefore the INPUT chain
> >rules I've actually written with my rich rule not apply? (They
> >demonstrably are not logging..)
>
> Correct.
>
> So what would be the recommended way to block traffic out of the vm but
> whitelist its connection with another machine on the LAN? It sounds like I
> need to be writing rules that belong to the forward chain, but there isn't
> a way to do that with firewalld yet. Is this when a direct rule would be
> appropriate? And to which zone should it apply?
You must use a direct rule. Direct rules are "global" in the sense that
they aren't applied to a zone. Often they occur _before_ all zone rules.
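As an added example (not from the thread or the firewalld project), the direct-rule form of the setup asked about above: allow the VM's traffic to one LAN peer in FORWARD, log and drop everything else the VM forwards. It assumes virbr0 as the libvirt NAT bridge, 192.168.122.0/24 as the VM network and 192.0.2.10 as the permitted LAN peer; all three are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Direct rules bypass zones and take
# (family, table, chain, priority, iptables args). Priority 0 is the top of
# the chain and higher numbers sit further down, so the ACCEPT for the peer
# must carry a lower number than the catch-all LOG and DROP.
BRIDGE="${BRIDGE:-virbr0}"             # assumed libvirt NAT bridge
VM_NET="${VM_NET:-192.168.122.0/24}"   # assumed libvirt default network
LAN_PEER="${LAN_PEER:-192.0.2.10}"     # assumed LAN machine to whitelist

# One rule per line: "<priority> <iptables match/target args>".
# Only packets entering via the bridge are matched, so return traffic to
# the VM is left to libvirt's own conntrack rules.
forward_rule_args() {
    printf '%s\n' \
        "0 -i $BRIDGE -s $VM_NET -d $LAN_PEER -j ACCEPT" \
        "1 -i $BRIDGE -s $VM_NET -j LOG --log-prefix vm-fwd-drop:" \
        "2 -i $BRIDGE -s $VM_NET -j DROP"
}

# Sanity check before applying: the ACCEPT must precede the DROP.
rules_are_ordered() {
    accept=$(forward_rule_args | grep -- '-j ACCEPT' | cut -d' ' -f1)
    drop=$(forward_rule_args | grep -- '-j DROP' | cut -d' ' -f1)
    [ "$accept" -lt "$drop" ]
}

# Install the rules permanently and reload; needs root and firewalld.
apply_forward_rules() {
    rules_are_ordered || return 1
    forward_rule_args | while read -r prio args; do
        # $args is intentionally unquoted so it splits into separate words.
        # shellcheck disable=SC2086
        firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD "$prio" $args
    done
    firewall-cmd --reload
}
```

libvirt inserts its own rules into FORWARD as well, so after applying, dump the ruleset (nft list ruleset or iptables -S FORWARD) and confirm the direct chain is hit before libvirt's blanket accepts, and watch the kernel log for the vm-fwd-drop: prefix to see what is being dropped.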