virtualization and firestarter

Charles Curley charlescurley at charlescurley.com
Sat Oct 24 08:16:22 MDT 2009


On Wed, 16 Sep 2009 16:21:09 -0600
Charles Curley <charlescurley at charlescurley.com> wrote:

> I use Ubuntu 9.04 and virt-manager-0.6.1-1ubuntu4--i386 to run
> virtual machines using kvm and ubuntu 9.10 alpha 5 and finix 93. I
> have both virtual machines running nicely, with one exception. If I
> have firestarter's firewall running, the VMs cannot get DHCP offers.
> I can run "dhclient eth0" manually, and see the dhcp discover packets
> logged to the console. If I then remove all the firewalling (ctl-p in
> the firestarter GUI), the VM immediately gets an offer. Internet
> connection sharing is enabled. I have tried adding a rule to admit
> packets on the two DHCP ports for network 255.255.255.0/24, but that
> has not worked.


I finally found out serendipitously what to do with this. In the process
of playing with a VPN setup, I came across this page,
http://www.massivegeek.com/technology/linux/firestarter-and-openvpn-vmware,
which refers to this page:
http://ignore-your.tv/2006/08/03/openvpn-and-firestarter/ The first
page shows what to do for both OpenVPN and VMware. I modified the lines
for the latter for KVM, on the virtualization host, as follows:

root at dzur:~# cat /etc/firestarter/user-pre
# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

# Allow virtual machine traffic
$IPT -A INPUT -i virbr+ -j ACCEPT
$IPT -A OUTPUT -o virbr+ -j ACCEPT
root at dzur:~# 

In a nice example of Linux documentation that speaks only to the
knowledgeable, neither writeup mentions that the file is read only. I
expect almost everyone on this list would know how to handle that.
Almost.

Now to tighten up the virtual machines' firewalls.

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
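Added example, not part of Charles's message and not Firestarter's or libvirt's own code: a small POSIX shell script that generates the user-pre file shown above, offers a tighter variant that lets the VMs reach only the host's DHCP and DNS service instead of every port on the host, and deals with the read-only file the message mentions. It assumes libvirt's default virbr0 bridge with a dnsmasq on the host answering DHCP (UDP 67/68) and DNS (53), and a tun+ VPN interface; none of that is stated on the page. Matching on the bridge interface rather than an address range is what makes DHCP work here: a DISCOVER arrives from 0.0.0.0 bound for 255.255.255.255, which no ordinary subnet rule matches.

```shell
#!/bin/sh
# Added example, not from the original post. Generates Firestarter's
# /etc/firestarter/user-pre for a KVM host and installs it, taking care of
# the read-only file the post mentions. Firestarter sources user-pre with
# $IPT pointing at the iptables binary, as the posted file shows.
# Assumed, not stated on the page: the VM bridge is libvirt's virbr0,
# whose dnsmasq on the host answers DHCP (UDP 67/68) and DNS (53); the VPN
# interface prefix is tun+.

# Permissive rules, equivalent to the posted user-pre: any traffic between
# the host and the VMs or the VPN is accepted.
permissive_rules() {
    cat <<'EOF'
# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

# Allow virtual machine traffic
$IPT -A INPUT -i virbr+ -j ACCEPT
$IPT -A OUTPUT -o virbr+ -j ACCEPT
EOF
}

# Tighter rules: VMs only get to the host's DHCP server and resolver, so a
# compromised guest cannot reach other host services over the bridge.
# Other bridge traffic falls through to Firestarter's own policy, and the
# guests' Internet access still goes through its connection sharing.
tight_rules() {
    cat <<'EOF'
# Allow traffic on the OpenVPN interface
$IPT -A INPUT -i tun+ -j ACCEPT
$IPT -A OUTPUT -o tun+ -j ACCEPT

# Allow only DHCP and DNS between the VMs and the host (libvirt's dnsmasq)
$IPT -A INPUT  -i virbr+ -p udp --dport 67 -j ACCEPT
$IPT -A INPUT  -i virbr+ -p udp --dport 53 -j ACCEPT
$IPT -A INPUT  -i virbr+ -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -o virbr+ -p udp --sport 67 -j ACCEPT
$IPT -A OUTPUT -o virbr+ -p udp --sport 53 -j ACCEPT
$IPT -A OUTPUT -o virbr+ -p tcp --sport 53 -j ACCEPT
EOF
}

# Number of iptables commands in a user-pre file (sanity check after a write).
rule_count() {
    grep -c '^\$IPT' "$1"
}

# Write a rule set to user-pre. Firestarter ships the file read-only, which
# is why a plain editor save fails; make it writable before overwriting it.
# Usage: install_user_pre tight|permissive [path]   (root for the real path)
install_user_pre() {
    mode=${1:-tight}
    target=${2:-/etc/firestarter/user-pre}
    if [ -e "$target" ]; then
        chmod u+w "$target"
    fi
    if [ "$mode" = tight ]; then
        tight_rules > "$target"
    else
        permissive_rules > "$target"
    fi
    chmod 644 "$target"
    echo "wrote $(rule_count "$target") rules to $target"
}
```

Source the script and run install_user_pre tight as root, then restart the Firestarter firewall so user-pre is read again; iptables -L INPUT -n -v should then list the virbr+ rules. The tight set is the one to prefer on a host that runs anything besides dnsmasq: with a blanket -i virbr+ -j ACCEPT, a guest that gets compromised can talk to every service listening on the host.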