How to combine the firewalls for libvirt and ufw correctly

I am trying to use libvirt and ufw on the same host, but both of them insert a lot of firewall rules and their own tables, and they don't always play nicely together.

The last problem I had was that ufw inserts its rules after libvirt. This worked fine, as libvirt mostly has specific rules that only apply to its own interfaces, and it is probably good that ufw does not interfere with the rules libvirt needs. But in the FORWARD table, libvirt inserts a final REJECT rule in one of its tables, breaking all "ufw route" rules, because the libvirt table comes before the ufw table.

My current workaround is to manually change iptables, but I wanted to use ufw in the hope that it plays together with libvirt more cleanly than manual rules do, because loading rules, e.g., from netfilter-persistent, could possibly remove the tables created automatically by libvirt. Using manual rules in addition to the two automated systems is, of course, the worst solution, as there are now three places where rules come from.

What is the best practice for iptables/nftables, or possibly ufw, on a libvirt host?
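
The ordering problem described in the question can be checked mechanically. The script below is an added example, not part of the original post or of libvirt/ufw: it reads the output of `iptables -S FORWARD` and reports whether the jumps into libvirt's forward chains come before the jumps into ufw's forward chains, which is the layout in which libvirt's trailing REJECT is evaluated before any "ufw route" rule can match. It assumes the chain names used by libvirt's iptables backend (`LIBVIRT_FWX`, `LIBVIRT_FWI`, `LIBVIRT_FWO`) and by ufw (`ufw-*-forward`); the sample FORWARD listing embedded in it is constructed for the example and is not from a real host. Newer libvirt releases can also use a native nftables backend, in which case the rules do not appear in `iptables -S` and this check does not apply.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether libvirt's
# FORWARD jumps precede ufw's, so that libvirt's final REJECT shadows
# "ufw route" rules. Assumes libvirt's iptables chain names LIBVIRT_FW*
# and ufw's ufw-*-forward chains.
#
# Live usage:  iptables -S FORWARD | sh forward-order.sh --live
# (only run the live check when asked, so sourcing the file is side-effect free)

# forward_order: read `iptables -S FORWARD` on stdin and print
# "<pos of first libvirt jump> <pos of first ufw jump>" (0 = not present).
forward_order() {
    awk '
        /^-A FORWARD / {
            pos++
            if (!lv && $0 ~ /-j LIBVIRT_FW/) lv = pos
            if (!uf && $0 ~ /-j ufw-/)       uf = pos
        }
        END { printf "%d %d\n", lv, uf }
    '
}

# libvirt_shadows_ufw: succeed (exit 0) when both rule sets are present and
# libvirt's jumps come first, i.e. the problematic ordering.
libvirt_shadows_ufw() {
    set -- $(forward_order)
    [ "$1" -gt 0 ] && [ "$2" -gt 0 ] && [ "$1" -lt "$2" ]
}

# Constructed sample: the layout libvirt plus ufw typically produce when
# ufw is (re)loaded after libvirt has already installed its chains.
BAD_FORWARD='-P FORWARD DROP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward'

# Constructed sample: the same jumps with ufw's chains evaluated first.
GOOD_FORWARD='-P FORWARD DROP
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO'

if [ "${1-}" = "--live" ]; then
    # Read the real chain from stdin (pipe `iptables -S FORWARD` into us).
    if libvirt_shadows_ufw; then
        echo "FORWARD: libvirt chains precede ufw chains; ufw route rules are shadowed"
        exit 1
    fi
    echo "FORWARD: ufw chains are evaluated before libvirt chains"
fi
```

`forward_order` only looks at the top-level jumps in FORWARD; it deliberately does not inspect the contents of `LIBVIRT_FWI`/`LIBVIRT_FWO`, because the position of the jump is what decides whether traffic ever reaches `ufw-before-forward` and the `ufw-user-forward` chain that "ufw route" populates.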
