Based on what you describe, it seems that IPv6 is not being filtered at all. Regarding IPv4, I guess you also need to add INPUT rules, not just forwarding ones.

It seems that firewalld is segmenting your network zones blocking traffic where it should not. Maybe it is overkill to use firewalld, as you will not be modifying your rules dynamically. When I started to use firewalld I found it easier to write scripts using iptables, and once the firewall was running fine, I translated the rules to XML in firewalld.

I also find it easier to edit the /etc/firewalld/zones/*.xml files directly rather than using the CLI, then reload with "firewall-cmd --reload". Typically "INPUT" rules will be in the "public.xml" (or Fedora*.xml) file, and forward and NAT rules in /etc/firewalld/direct.xml. You can also add comments in this way (via <!-- ... -->).

In your case, if the only thing you want is to control incoming IPs, it may be enough to run a small script with iptables rather than to deploy the full firewalld with a configuration that will disable most of it anyway.

Carlos
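An added example (not code from Carlos or Peter): a small Python check that reads the output of "firewall-cmd --direct --get-all-rules" as pasted in the thread, flags FORWARD rules that exist for only one address family (the ipv4-only pair in Peter's mail), and renders the completed rule set in the /etc/firewalld/direct.xml format. The two sample rule lines are constructed from the thread; everything else is assumed.

```python
"""Audit 'firewall-cmd --direct --get-all-rules' output for address-family gaps
and render the completed rule set in the firewalld.direct(5) XML format."""
from xml.sax.saxutils import escape

# Constructed sample: the two ipv4-only FORWARD rules quoted in the thread.
SAMPLE_RULES = """\
ipv4 filter FORWARD 0 -i enp3s0 -o vbr3s0 -j ACCEPT
ipv4 filter FORWARD 0 -i vbr3s0 -o enp3s0 -j ACCEPT
"""

def parse_direct_rules(text):
    """Each line: <ipv> <table> <chain> <priority> <iptables args...>."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # blank or truncated line
        ipv, table, chain, prio, args = parts
        rules.append({"ipv": ipv, "table": table, "chain": chain,
                      "priority": int(prio), "args": args})
    return rules

def missing_family_counterparts(rules):
    """Return the rules needed so every interface-based rule exists for both families.
    Rules naming a literal address (-s/-d) are family-specific and are skipped."""
    by_family = {"ipv4": set(), "ipv6": set()}
    for r in rules:
        padded = " " + r["args"] + " "
        if r["ipv"] in by_family and " -s " not in padded and " -d " not in padded:
            by_family[r["ipv"]].add((r["table"], r["chain"], r["priority"], r["args"]))
    missing = []
    for fam, other in (("ipv4", "ipv6"), ("ipv6", "ipv4")):
        for table, chain, prio, args in sorted(by_family[fam] - by_family[other]):
            missing.append({"ipv": other, "table": table, "chain": chain,
                            "priority": prio, "args": args})
    return missing

def render_direct_xml(rules):
    """Serialise rules as the content of /etc/firewalld/direct.xml."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>', "<direct>"]
    for r in rules:
        lines.append('  <rule ipv="%s" table="%s" chain="%s" priority="%d">%s</rule>'
                     % (r["ipv"], r["table"], r["chain"], r["priority"], escape(r["args"])))
    lines.append("</direct>")
    return "\n".join(lines)

if __name__ == "__main__":
    rules = parse_direct_rules(SAMPLE_RULES)
    gaps = missing_family_counterparts(rules)
    for g in gaps:
        print("no %s counterpart: %s %s %s" % (g["ipv"], g["table"], g["chain"], g["args"]))
    print(render_direct_xml(rules + gaps))
```

After writing the rendered XML to /etc/firewalld/direct.xml, apply it with "firewall-cmd --reload" and re-check with "firewall-cmd --direct --get-all-rules".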

On Sat, Jan 2, 2021 at 12:03 PM Peter Boy <pboy@uni-bremen.de> wrote:
I’m working on a configuration to make multiple VMs accessible via public IPv4 and IPv6 addresses. The Internet provider routes all addresses (IPv4 and IPv6 subnets) to the MAC address of the physical adapter. So I have to route to the VMs on the server (Fedora Server 32). The more common bridge solution for direct VM access doesn’t work. I have configured the physical interface (enp3s0) accordingly and attached a virtual bridge (vbr3s0) to which the VMs connect. In addition, there is a libvirt bridge for private communication between VMs.


Everything works great as long as firewalld is *stopped*.


The goal is to configure the host firewall so that everything is forwarded by default and the VM's firewall controls the specific access. At the same time, it should be possible to restrict access for individual IPs to certain ports (these IPs provide public access for containers instead of VMs).


Unfortunately, I'm not that familiar with firewalld. I found the following solution options:

(a)
Place the bridge (vbr3s0) in a zone providing target=ACCEPT, e.g. trusted or nm-shared.
In this way, routing works for IPv6, but not for IPv4.

(b)
Defining "direct rules" for forwarding. Various posts all boiled down to:

[...]# firewall-cmd --direct  --get-all-rules
ipv4 filter FORWARD 0 -i enp3s0 -o vbr3s0 -j ACCEPT
ipv4 filter FORWARD 0 -i vbr3s0 -o enp3s0 -j ACCEPT

Unfortunately, IPv4 still does not work with these rules either. Obviously, I have missed something.
Unfortunately I am not getting any further and would be very appreciative of any help.


Thanks
Peter
My IP configuration

2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 30:85:a9:ee:23:d4 brd ff:ff:ff:ff:ff:ff
    inet 144.76.7.86/32 scope global noprefixroute enp3s0
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:190:8255::2/128 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::3285:a9ff:feee:23d4/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: vbr3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 8e:5d:9f:58:45:4b brd ff:ff:ff:ff:ff:ff
    inet 144.76.7.86/32 scope global noprefixroute vbr3s0
       valid_lft forever preferred_lft forever
    inet6 2a01:4f8:190:8255::2/64 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::8c5d:9fff:fe58:454b/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:c9:33:cc brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel master virbr0 state DOWN group default qlen 1000
    link/ether 52:54:00:c9:33:cc brd ff:ff:ff:ff:ff:ff
6: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master vbr3s0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:80:ea:aa brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe80:eaaa/64 scope link
       valid_lft forever preferred_lft forever
7: vnet1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master virbr0 state UNKNOWN group default qlen 1000
    link/ether fe:54:00:7f:46:50 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc54:ff:fe7f:4650/64 scope link
       valid_lft forever preferred_lft forever


My zones so far:

[...]# firewall-cmd --get-active-zones
FedoraServer
  interfaces: enp3s0
libvirt
  interfaces: virbr0
trusted
  interfaces: vbr3s0
_______________________________________________
server mailing list -- server@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/server@lists.fedoraproject.org