> -----Original Message-----
> From: Mark McLoughlin [mailto:markmc at redhat.com]
> Sent: 16 November 2010 20:19
> To: Bailey, Darragh
> Cc: ilug at linux.ie> Subject: Re: [ILUG] libvirtd NAT iptable rules on fedora
>> Hi Darragh,
>
<snip>
> Yeah, the issue is that iptables has no mechanism by which libvirt can
> register its rules without overwriting user's custom rules.
Fedora 13 seems to have some hooks in place using system-config-firewall, that allows specifying of custom rule files to be included in the final iptables output. Avoids the need to go to a pure hand crafted iptables file, and still be able to use the system tools without risk of undoing the custom user rules. Took me a while to figure out how to use it properly, it's not well advertised, but I'm supprised that libvirtd doesn't take advantage of it. Perhaps it's just a question of time.
<snip>
> Funky, I hadn't seen that before. The idea is to prevent the guest to
> use source ports < 1024 so that NAT-ed guests can't access remote NFS
> mounts configured with the "secure" option which authorizes clients
> based on their source port.
>> See this patch and the bugzilla mentioned:
>>https://www.redhat.com/archives/libvir-list/2010-July/msg00219.html>> Cheers,
> Mark.
Ah, cheers, didn't not think of that. Still surprised that so many sources simply use these lines without any explaination as to their function.
--
Regards,
Darragh Bailey
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
