[fedora-virt] bridge network with iptables running on host?
Gene Czarcinski
gene at czarc.net
Wed Sep 2 17:03:29 UTC 2009
On Wednesday 02 September 2009 12:20:47 Mark McLoughlin wrote:
> On Wed, 2009-09-02 at 11:45 -0400, Gene Czarcinski wrote:
> > Just what is and is not filtered? Is nothing filtered on the host?
>
> Not sure I understand all your questions, but with
> bridge-nf-call-iptables = 1 the iptables FORWARD filter chain is applied
> to all frames forwarded across bridges.
That does not completely answer my question.

As far as any guests using the br0 interface go, I want no filtering ... the
guest is assumed to provide any filtering or other protections desired.

However, as far as the hosts on which the guests run are concerned, that is a
different matter. My host(s) run other functions as well as qemu-kvm guests, and
I would prefer that "standard" filtering of host network I/O be performed. Now,
as a matter of fact, I am not that worried about filtering on any host (real or
guest) which is connected to my local LAN, since they all reside behind a
firewall with access to the big-eye Internet.

Nevertheless, for those who DO have a host directly connected to the Internet,
it would be "nice to know" if any filtering is being performed in the host.

I suppose I am going to have to set up some tests and see if I can figure out
what happens.
Gene
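The split Gene is after (standard filtering of the host's own traffic, no filtering of frames merely bridged across br0) can be expressed in the ruleset itself, since with bridge-nf-call-iptables = 1 bridged frames traverse FORWARD with the bridge as both in and out interface. This is an added example, not code from the thread; it assumes a bridge named br0, the iptables physdev match module and bridge netfilter support, and it only prints the ruleset rather than applying it.

```shell
#!/bin/sh
# Added example (not from the original thread): keep "standard" filtering on the
# host's own traffic while letting frames that are only bridged across br0 pass.
# Assumes: a bridge named br0, the iptables physdev match module is available,
# and bridge netfilter is loaded so bridged frames reach FORWARD at all.

# Report the current bridge-nf-call-iptables setting, or "unavailable" when the
# bridge netfilter sysctl is absent (module not loaded, or no bridge support).
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Print (do not apply) an iptables-restore ruleset for the host. INPUT keeps a
# default-deny policy for the host itself; the FORWARD rule exempts frames whose
# ingress and egress interface are both the bridge, i.e. guest <-> LAN traffic
# that is merely bridged through. Routed traffic (eth0 -> eth1) does not match
# and still falls to FORWARD's DROP policy.
host_ruleset() {
    br="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $br -o $br -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
EOF
}

# The blunt alternative: turn bridge netfilter off entirely, so nothing bridged
# is ever seen by iptables (the host's own INPUT/OUTPUT filtering is unaffected).
bridge_nf_sysctl_off() {
    echo "net.bridge.bridge-nf-call-iptables = 0"
}

# Review the generated policy before loading it with iptables-restore.
echo "bridge-nf-call-iptables: $(bridge_nf_state)"
host_ruleset br0
```

Verifying the exemption is straightforward: watch the packet counters of the FORWARD rule (`iptables -L FORWARD -v`) while a guest on br0 talks to the LAN, and the INPUT counters while something talks to the host itself.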