virtualization and firestarter

Charles Curley charlescurley at
Sat Oct 24 08:16:22 MDT 2009

On Wed, 16 Sep 2009 16:21:09 -0600
Charles Curley <charlescurley at> wrote:

> I use Ubuntu 9.04 and virt-manager-0.6.1-1ubuntu4--i386 to run
> virtual machines using kvm and ubuntu 9.10 alpha 5 and finix 93. I
> have both virtual machines running nicely, with one exception. If I
> have firestarter's firewall running, the VMs cannot get DHCP offers.
> I can run "dhclient eth0" manually, and see the dhcp discover packets
> logged to the console. If I then remove all the firewalling (ctl-p in
> the firestarter GUI), the VM immediately gets an offer. Internet
> connection sharing is enabled. I have tried adding a rule to admit
> packets on the two DHCP ports for network, but that
> has not worked.

I finally found out seredipitously what to do with this. In the process
of playing with a VPN setup, I came across this page,,
which refers to this page: The first
page shows what to do for both OpenVPN and VMware. I modified the lines
for the latter for KVM, on the virtualization host, as follows:

root at dzur:~# cat /etc/firestarter/user-pre
# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

# Allow virtual machine traffic
$IPT -A INPUT -i virbr+ -j ACCEPT
$IPT -A OUTPUT -o virbr+ -j ACCEPT
root at dzur:~# 

In a nice example of Linux documentation that speaks only to the
knowledgeable, neither writeup mentions that the file is read only. I
expect almost everyone on this list would know how to handle that.

Now to tighten up the virtual machines' firewalls.


Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB

More information about the PLUG mailing list