#1 2024-12-24 06:18:12

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

[SOLVED](G)UFW rules for QEMU VMs

I've been trying to get internet to work in QEMU. I use ufw through Gufw and I need help specifying the correct rules for opening the right ports and so on to give the VM internet access (I'm not good with firewalls).

I've tried

ufw allow in on virbr0 from any to any

but that didn't work. Another fix was setting

firewall_backend = "iptables" in /etc/libvirt/network.conf (it didn't work either)

But I'm also not sure if I want to do that, seeing that iptables is old and superseded by `nft`, and both qemu and ufw support `nftables` anyway.
Thank you for your inputs.

Last edited by Erwin Iosef (2024-12-30 08:15:16)

#2 2024-12-28 10:53:39

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,574

Re: [SOLVED](G)UFW rules for QEMU VMs

How / with what commands are you starting the VMs?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

#3 2024-12-29 09:33:41

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

Hey! I just use virt-manager. I never used commands for it, the issue only appeared when I started enabling my firewall through gufw and setting it to home profile.
EDIT: Here's my ufw rulelist:

$ sudo ufw status
[sudo] password for admin2: 
Status: active

To                         Action      From
--                         ------      ----
1714:1764/tcp              ALLOW       Anywhere                  
1714:1764/udp              ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
1714:1764/tcp (v6)         ALLOW       Anywhere (v6)             
1714:1764/udp (v6)         ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             

Pretty sure it's a ufw rule problem. Setting incoming to allow has the VM be able to use internet. But that defeats the point of a home firewall when every incoming connection is set to allow.

Last edited by Erwin Iosef (2024-12-29 10:19:14)

#4 2024-12-29 11:23:19

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,574

Re: [SOLVED](G)UFW rules for QEMU VMs

virt-manager is a frontend for libvirt, which uses nftables / iptables rules to manage the network for guests, see https://wiki.archlinux.org/title/Libvirt#Networking .

The rules libvirt sets likely clash with the ones you set in ufw.

Please post the outputs of

$ ip a
$ ip r
$ ip -6 r

for the host and 1 guest.


#5 2024-12-29 11:54:49

macromal
Member
Registered: 2024-08-03
Posts: 40

Re: [SOLVED](G)UFW rules for QEMU VMs

UFW supposedly can use iptables or nftables as a backend firewall, so you should be consistent and use iptables or nftables in both. I only use iptables, and libvirt in the default NAT network adds the necessary chains and rules to forward traffic, so you might not need to worry about it.

The problem may arise if UFW loads its rules after libvirt loads its own. A good reference to understand libvirt networking is NAT-based network

Restart the computer again and show us the output of the following commands so we can help you:

iptables -nvL --line-numbers
iptables -nvL --line-numbers -t nat

#6 2024-12-29 13:07:26

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

@macromal

$ sudo iptables -nvL --line-numbers
Chain INPUT (policy DROP 623 packets, 34172 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    52862   60M ufw-before-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
2    52862   60M ufw-before-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3     1170 71955 ufw-after-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4     1164 69473 ufw-after-logging-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
5     1164 69473 ufw-reject-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
6     1160 69205 ufw-track-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     7765   12M ufw-before-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
2     7765   12M ufw-before-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3     6560 9281K ufw-after-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4     6560 9281K ufw-after-logging-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
5     6560 9281K ufw-reject-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
6     6560 9281K ufw-track-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 8 packets, 320 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    34644 6069K ufw-before-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
2    34644 6069K ufw-before-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3     3112  513K ufw-after-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4     3112  513K ufw-after-logging-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
5     3112  513K ufw-reject-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
6     3112  513K ufw-track-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-after-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
2        0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
3        0     0 ufw-skip-to-policy-input  6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
4        0     0 ufw-skip-to-policy-input  6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
5        3  1002 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
6        0     0 ufw-skip-to-policy-input  17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
7        0     0 ufw-skip-to-policy-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      172  5871 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       31  1888 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
3        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
4        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
5        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
6        0     0 ufw-user-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      203 24100 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
2    22465   21M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3       10   520 ufw-logging-deny  0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
4       10   520 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
5        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
6        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
7        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
8        0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
9        0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
10     901  107K ufw-not-local  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
11     268 60767 ACCEPT     17   --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
12       0     0 ACCEPT     17   --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
13     633 46299 ufw-user-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-before-logging-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      203 24100 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           
2    11434 2256K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3     1008  192K ufw-user-output  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-logging-allow (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       10   520 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
2        0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      447 28568 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
2      445 66431 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
3        9 12067 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
4        0     0 ufw-logging-deny  0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
5        0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-reject-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-input (7 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        3  1002 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-skip-to-policy-output (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-track-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      255 15300 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
2      745  176K ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        1    60 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1714:1764
2        5  9281 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1714:1764
3        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:22

Chain ufw-user-limit (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
2        0     0 REJECT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ufw-user-logging-forward (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (1 references)
num   pkts bytes target     prot opt in     out     source               destination

$ sudo iptables -nvL --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination                 

@Lone_Wolf

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether f4:8e:38:a5:a9:34 brd ff:ff:ff:ff:ff:ff
    altname enxf48e38a5a934
    inet 192.168.1.76/24 brd 192.168.1.255 scope global dynamic noprefixroute enp2s0
       valid_lft 86002sec preferred_lft 86002sec
    inet6 fe80::fe8e:ede7:a7d:7df8/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb state DOWN group default qlen 1000
    link/ether 52:54:00:6f:bf:05 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
$ ip r
default via 192.168.1.1 dev enp2s0 proto dhcp src 192.168.1.76 metric 100 
192.168.1.0/24 dev enp2s0 proto kernel scope link src 192.168.1.76 metric 100 
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown 
$ ip -6 r
fe80::/64 dev enp2s0 proto kernel metric 1024 pref medium

EDIT: @Lone_Wolf do I need to input the commands again inside the VM and post?

Last edited by Erwin Iosef (2024-12-29 13:11:28)

#7 2024-12-29 13:08:38

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

Quick question, do pinging users work on this site? If so, is there a prefix you need to add before the username?

#8 2024-12-29 13:22:12

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 14,574

Re: [SOLVED](G)UFW rules for QEMU VMs

Pinging users doesn't work, but the meaning of @username is understood.
If you want an email notification of new posts, use 'subscribe to this topic'  (bottom right).

Erwin Iosef wrote:

EDIT: @Lone_Wolf do I need to input the commands again inside the VM and post?

Not anymore, the output matches what I expected. It does appear this is not a routing/DNS issue.


#9 2024-12-29 13:25:38

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

Lone_Wolf wrote:

Pinging users doesn't work, but the meaning of @username is understood.
If you want an email notification of new posts, use 'subscribe to this topic' (bottom right).

Oh okay, thanks.

Lone_Wolf wrote:

Not anymore, the output matches what I expected. It does appear this is not a routing/DNS issue.

I see, now what? Wait for macromal's reply?

#10 2024-12-29 13:50:24

macromal
Member
Registered: 2024-08-03
Posts: 40

Re: [SOLVED](G)UFW rules for QEMU VMs

The problem is that UFW has overwritten all the rules of libvirt.

The default NAT network rules of libvirt are as follows:

TABLE FILTER
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3841  335K LIBVIRT_INP  0    --  *      *       0.0.0.0/0            0.0.0.0/0
...

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
62626  136M LIBVIRT_FWX  0    --  *      *       0.0.0.0/0            0.0.0.0/0
62626  136M LIBVIRT_FWI  0    --  *      *       0.0.0.0/0            0.0.0.0/0
26873 7624K LIBVIRT_FWO  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 37 packets, 18873 bytes)
 pkts bytes target     prot opt in     out     source               destination
 2054  327K LIBVIRT_OUT  0    --  *      *       0.0.0.0/0            0.0.0.0/0
...

Chain LIBVIRT_FWO (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     0    --  virbr8 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
26873 7624K ACCEPT     0    --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 REJECT     0    --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  virbr8 virbr8  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_INP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     17   --  virbr8 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     6    --  virbr8 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     17   --  virbr8 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     6    --  virbr8 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     17   --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     6    --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
   11  3292 ACCEPT     17   --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     6    --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67

Chain LIBVIRT_OUT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     17   --  *      virbr8  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     6    --  *      virbr8  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     17   --  *      virbr8  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     6    --  *      virbr8  0.0.0.0/0            0.0.0.0/0            tcp dpt:68
    0     0 ACCEPT     17   --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     6    --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
   11  3608 ACCEPT     17   --  *      virbr0  0.0.0.0/0            0.0.0.0/0            udp dpt:68
    0     0 ACCEPT     6    --  *      virbr0  0.0.0.0/0            0.0.0.0/0            tcp dpt:68


TABLE NAT
Chain PREROUTING (policy ACCEPT 1868 packets, 118K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 8 packets, 2368 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 63 packets, 4909 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 58 packets, 4468 bytes)
 pkts bytes target     prot opt in     out     source               destination
  165 29863 LIBVIRT_PRT  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LIBVIRT_PRT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  *      *       192.168.122.0/24     224.0.0.0/24
    0     0 RETURN     0    --  *      *       192.168.122.0/24     255.255.255.255
   95 10035 MASQUERADE  6    --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
   12 15360 MASQUERADE  17   --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
    0     0 MASQUERADE  0    --  *      *       192.168.122.0/24    !192.168.122.0/24

There are several possible solutions:

  • Configure the Custom NAT-based network. This way, I understand that you can set it up to your liking.

  • Use another firewall that works with libvirt, like arno-iptables-firewall: AUR package.

  • If you don't start the default network at boot, but rather after the UFW rules, libvirt will likely overwrite the UFW rules and the network will work.

  • Another solution with UFW that I am not aware of.

Last edited by macromal (2024-12-29 14:05:58)

#11 2024-12-29 13:56:12

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

@macromal Thanks for your reply.
I think I'll go with the safest solution; I just want my network to work with a stable firewall, I'm not really good at configuring networks.
How can I do the third solution you mentioned?

#12 2024-12-29 14:11:36

macromal
Member
Registered: 2024-08-03
Posts: 40

Re: [SOLVED](G)UFW rules for QEMU VMs

This is an assumption; it may not work.

You can do it from Virt-manager or with libvirt.

Disable the automatic startup of the default network:

virsh -c qemu:///system net-autostart --network default --disable

Start the default network:

virsh -c qemu:///system net-start --network default

#13 2024-12-29 14:23:51

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

I ran the commands on my host CLI and it didn't work. For reference, my ufw profile is set to home with Incoming=Deny and Outgoing=Allow.

Also, I ran `systemctl list-dependencies` and found that ufw started after libvirtd in the tree.

#14 2024-12-29 14:27:39

macromal
Member
Registered: 2024-08-03
Posts: 40

Re: [SOLVED](G)UFW rules for QEMU VMs

You must restart before the computer.

#15 2024-12-29 15:28:24

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

I restarted my computer after applying the commands and it didn't work.
Why disable the autostart? Wouldn't it have me manually start the network each time I reboot?

Last edited by Erwin Iosef (2024-12-29 15:29:39)

#16 2024-12-29 15:32:58

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

macromal wrote:

You must restart before the computer.

Typo?

#17 2024-12-29 15:36:36

macromal
Member
Registered: 2024-08-03
Posts: 40

Re: [SOLVED](G)UFW rules for QEMU VMs

It is only necessary to start the network.

I told you it was an assumption and it might not work.

Last edited by macromal (2024-12-29 15:52:52)

#18 2024-12-29 16:01:30

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

Yeah.. Damn.
Another user had the same problem and fixed it by allowing the DHCP ports (I tried what I could and that didn't work either).

Last edited by Erwin Iosef (2024-12-29 16:03:01)

#19 2024-12-29 17:04:55

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

@Lone_Wolf any suggestions?

#20 2024-12-29 17:26:52

macromal
Member
Registered: 2024-08-03
Posts: 40

Re: [SOLVED](G)UFW rules for QEMU VMs

Google is your friend.

#21 2024-12-29 17:30:33

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

I tried, that's why I'm here lol.
Thanks for your help btw, I appreciate it.
EDIT: Gufw's report section shows dnsmasq on ports 53, 67 and 68. I allowed them all and it still doesn't work.

Last edited by Erwin Iosef (2024-12-29 17:39:53)

#22 2024-12-30 08:14:39

Erwin Iosef
Member
Registered: 2024-05-22
Posts: 92

Re: [SOLVED](G)UFW rules for QEMU VMs

So, I replaced ufw with firewalld, which was way more convenient with the home zone, and it removed my problem. Although it may feel like a defeat, for future readers with the same problem: maybe try opening the DHCP ports (67/68) and 547/546, that's all I gathered for now. Feel free to post a solution btw, thanks :) Marking as solved for now.

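The thread never pins down why allowing 53/67/68 on input was not enough. The iptables dump in #6 shows three things at once: the FORWARD chain has policy DROP with an empty ufw-user-forward, there is no rule anywhere that mentions virbr0, and nat/POSTROUTING is empty, so the guest subnet is neither forwarded nor masqueraded. Those are exactly the pieces macromal's libvirt chains in #10 provide (LIBVIRT_INP, LIBVIRT_FWO, LIBVIRT_PRT). The script below is an added example, not code from the thread, ufw or libvirt: it runs that check over saved `iptables -nvL --line-numbers` output and prints the ufw rule that would supply each missing piece, scoped to the bridge and the guest subnet rather than to "anywhere". The interface and subnet names (virbr0, enp2s0, 192.168.122.0/24) are taken from the thread and assumed; the embedded dumps are constructed, abbreviated copies of the output posted in #6 and #10.

```shell
#!/bin/sh
# Added example, not from the thread, ufw or libvirt. Reads saved
# "iptables -nvL --line-numbers" dumps (filter and nat tables) and reports which
# pieces a libvirt NAT network needs are absent, with the ufw rule for each:
#   INPUT   : DHCP (udp 67) and DNS (53) from guests to dnsmasq on the bridge (LIBVIRT_INP)
#   FORWARD : the guest subnet out through the uplink (LIBVIRT_FWO)
#   NAT     : MASQUERADE of the guest subnet in POSTROUTING (LIBVIRT_PRT)
# Interface and subnet names are the ones posted in the thread (assumed).
GUEST_IF=virbr0
WAN_IF=enp2s0
GUEST_NET=192.168.122.0/24

# Constructed sample: the host's tables as posted in #6 after ufw took over
# (abbreviated; ufw chains only, FORWARD policy DROP, empty nat POSTROUTING).
FILTER_AFTER_UFW='Chain INPUT (policy DROP 623 packets, 34172 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    52862   60M ufw-before-input  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     7765   12M ufw-before-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
'
NAT_AFTER_UFW='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
'
# Constructed sample: the chains libvirt installs for its default network, from
# #10, rewritten in the --line-numbers column layout (abbreviated).
FILTER_LIBVIRT='Chain LIBVIRT_FWO (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1    26873 7624K ACCEPT     0    --  virbr0 *       192.168.122.0/24     0.0.0.0/0

Chain LIBVIRT_INP (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     17   --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2       11  3292 ACCEPT     17   --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
'
NAT_LIBVIRT='Chain LIBVIRT_PRT (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1       95 10035 MASQUERADE  6    --  *      *       192.168.122.0/24    !192.168.122.0/24     masq ports: 1024-65535
'

# Rule lines: num pkts bytes target prot opt in out source destination [...]
# so $4 = target, $7 = in-interface, $9 = source; chain headers start with "Chain".
forward_policy() {     # $1 = filter dump; prints the FORWARD chain's policy
    printf '%s\n' "$1" | awk '$1 == "Chain" && $2 == "FORWARD" { print $4 }'
}
has_input_accept() {   # $1 = dump, $2 = in-interface, $3 = match text, e.g. "udp dpt:67"
    printf '%s\n' "$1" | awk -v i="$2" -v p="$3" '
        $1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $7 == i && index($0, p) { ok = 1 }
        END { exit !ok }'
}
has_forward_accept() { # $1 = dump, $2 = in-interface, $3 = source net; forward chains only
    printf '%s\n' "$1" | awk -v i="$2" -v s="$3" '
        /^Chain / { chain = $2 }
        $1 ~ /^[0-9]+$/ && chain ~ /FORWARD|forward|FW[IO]/ && $4 == "ACCEPT" && $7 == i && $9 == s { ok = 1 }
        END { exit !ok }'
}
has_masquerade() {     # $1 = nat dump, $2 = source net
    printf '%s\n' "$1" | awk -v s="$2" '
        $1 ~ /^[0-9]+$/ && $4 == "MASQUERADE" && $9 == s { ok = 1 }
        END { exit !ok }'
}

# Prints one line per missing piece with the ufw rule that would add it, and
# returns the number of missing pieces (0 = guests have everything they need).
# Every rule is scoped to the guest bridge/subnet, so nothing opens on the uplink.
diagnose() {           # $1 = filter dump, $2 = nat dump
    missing=0
    if ! has_input_accept "$1" "$GUEST_IF" "udp dpt:67"; then
        echo "missing DHCP to dnsmasq  -> ufw allow in on $GUEST_IF from $GUEST_NET to any port 67 proto udp"
        missing=$((missing + 1))
    fi
    if ! has_input_accept "$1" "$GUEST_IF" "dpt:53"; then
        echo "missing DNS to dnsmasq   -> ufw allow in on $GUEST_IF from $GUEST_NET to any port 53"
        missing=$((missing + 1))
    fi
    if ! has_forward_accept "$1" "$GUEST_IF" "$GUEST_NET"; then
        echo "missing guest forwarding -> ufw route allow in on $GUEST_IF out on $WAN_IF from $GUEST_NET"
        missing=$((missing + 1))
    fi
    if ! has_masquerade "$2" "$GUEST_NET"; then
        echo "missing NAT masquerade   -> add a *nat section to /etc/ufw/before.rules:"
        echo "    *nat"
        echo "    :POSTROUTING ACCEPT [0:0]"
        echo "    -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
        echo "    COMMIT"
        missing=$((missing + 1))
    fi
    return "$missing"
}

echo "== host tables as posted in #6 (FORWARD policy: $(forward_policy "$FILTER_AFTER_UFW")) =="
diagnose "$FILTER_AFTER_UFW" "$NAT_AFTER_UFW" || echo "$? piece(s) missing"
echo "== libvirt's own default-network chains from #10 =="
diagnose "$FILTER_LIBVIRT" "$NAT_LIBVIRT" && echo "nothing missing"
```

Against the #6 dump the script reports all four pieces missing, which is why opening 53/67/68 on input alone could not work: DHCP and DNS then reach dnsmasq, but the guest's traffic is still dropped by the FORWARD policy and never masqueraded. Against libvirt's own chains it reports nothing missing. To run it on a live host, replace the two sample strings with the output of `sudo iptables -nvL --line-numbers` and `sudo iptables -nvL --line-numbers -t nat` (this parsing assumes the iptables backend; with nftables inspect `nft list ruleset` instead). The before.rules snippet also needs `net/ipv4/ip_forward=1` in /etc/ufw/sysctl.conf and a `ufw reload`. Because the rules reproduce what libvirt's chains do and are limited to virbr0 and 192.168.122.0/24, the "incoming deny" profile stays meaningful on enp2s0.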