Re: [fedora-virt] bridge network with iptables running on host?
- From: Gene Czarcinski <gene czarc net>
- To: fedora-virt redhat com
- Subject: Re: [fedora-virt] bridge network with iptables running on host?
- Date: Wed, 2 Sep 2009 13:03:29 -0400
On Wednesday 02 September 2009 12:20:47 Mark McLoughlin wrote:
> On Wed, 2009-09-02 at 11:45 -0400, Gene Czarcinski wrote:
> > Just what is and is not filtered? Is nothing filtered on the host?
>
> Not sure I understand all your questions, but with
> bridge-nf-call-iptables = 1 the iptables FORWARD filter chain is applied
> to all frames forwarded across bridges.

That does not completely answer my question.

As far as any guests using the br0 interface goes, I want no filtering ... the
guest is assumed to provide any filtering or other protections desired.

However, as far as the hosts on which the guests run, that is a different
matter. My host(s) run other functions as well as qemu-kvm guests and I would
prefer that "standard" filtering of host network I/O be performed. Now, as a
matter of fact, I am not that worried about filtering on any host (real or
guest) which is connected to my local LAN since they all reside behind a
firewall with access to the big-eye Internet.

Nevertheless, for those who DO have a host directly connected to the Internet,
it would be "nice to know" if any filtering is being performed in the host.

I suppose I am going to have to set up some tests and see if I can figure out
what happens.

Gene
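
An added example, not part of the original message: a shell function that reads the bridge-nf-call-* sysctls discussed in the thread and reports whether frames forwarded across bridges are handed to the host's iptables, ip6tables and arptables. The function name bridge_nf_report and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example; bridge_nf_report is a hypothetical helper name.
# Reports, per sysctl, whether frames forwarded across Linux bridges are
# passed to the host's iptables / ip6tables / arptables.

# bridge_nf_report [DIR]
#   DIR defaults to /proc/sys/net/bridge. The argument exists so the
#   function can be pointed at a constructed directory when testing.
bridge_nf_report() {
    dir="${1:-/proc/sys/net/bridge}"

    if [ ! -d "$dir" ]; then
        # Sysctls missing: the bridge netfilter hook is not loaded at all.
        echo "bridge-nf sysctls absent: no bridged frames are passed to iptables"
        return 0
    fi

    for tool in iptables ip6tables arptables; do
        f="$dir/bridge-nf-call-$tool"
        if [ ! -r "$f" ]; then
            echo "bridge-nf-call-$tool: not readable"
            continue
        fi
        val=$(cat "$f")
        if [ "$val" = "1" ]; then
            # As stated in the thread for iptables: the FORWARD chain is
            # applied to frames forwarded across bridges.
            echo "bridge-nf-call-$tool = 1: bridged frames are passed to $tool (FORWARD chain)"
        else
            echo "bridge-nf-call-$tool = $val: bridged frames bypass $tool"
        fi
    done

    # Packets addressed to the host itself are delivered to the local IP
    # stack, so the INPUT and OUTPUT chains see them whatever these
    # sysctls are set to.
    echo "host-local traffic: INPUT/OUTPUT chains apply regardless of these settings"
}
```

Source the file on the virtualization host and call `bridge_nf_report` with no argument to read the live values.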