Firewall for only one VM possible?

[mailinglists]

Hi guys,

Is it possible to have firewall enabled only for one KVM VM and not for whole server?
Currently it seems it stops working, if I disable firewall on a global level (Datacenter).

 

[wolfgang]

Hi,

Yes you can do this.
Enable Firewall on Data-center level and set in Input and Output Policy to Accept.
Enable Firewall on Node level.
Firewall on VM vnic and configure your settings.

 

[mailinglists]

Thank you for your answer wolfgang.

However my question was, if firewall on Data-center can be disabled (it creates chains which I do not want or need, chains like: PVEFW-*) at the same time have it enabled just for VM (tap*i*-*).

And to answer myself, no it's _not_ possible because VM specific chains use global iptables chains. For example:

root@p21:~# iptables -t filter -L tap102i0-OUT | grep PVEFW
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere  anywhere  [goto]  udp spt:bootpc dpt:bootps
DROP  all  --  anywhere  anywhere  ! match-set PVEFW-102-ipfilter-net0-v4 src
PVEFW-Drop  all  --  anywhere  anywhere

But I can live with that.