
Correction of my bad english... "can iptables be disabled if I never plan to use NAT:d guests?"

Yes it can be disabled, but why not just add the rules you need to make it work properly?

Are you asking about iptables on the host or the guest? Are you actually using firewalld, or is it really iptables?

You can add a log statement before the reject rule in /etc/sysconfig/iptables to log a message to /var/log/messages to show what is being blocked. Then you can open those ports that show up in your log as necessary.

For example: http://stackoverflow.com/questions/21771684/iptables-log-and-drop-in-one-rul...

HTH

On Tue, Jul 15, 2014 at 10:34 AM, Niklas Fondberg <niklas@vireone.com> wrote:
> Correction of my bad english... "can iptables be disabled if I never plan to use NAT:d guests?"
_______________________________________________ Users mailing list Users@ovirt.org http://lists.ovirt.org/mailman/listinfo/users
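The approach suggested in the reply above (a LOG rule ahead of the reject rule, then reading /var/log/messages to see what to open), as an added example that is not part of the original thread. The log prefix `IPT-REJECT: `, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. LOG rule placed directly above the
# final REJECT rule in /etc/sysconfig/iptables (prefix is an assumed label;
# the limit match keeps a noisy source from flooding the log):
#   -A INPUT -m limit --limit 10/min -j LOG --log-prefix "IPT-REJECT: " --log-level 4
#   -A INPUT -j REJECT --reject-with icmp-host-prohibited

LOG_PREFIX="IPT-REJECT: "

# Read syslog lines on stdin; print "count PROTO/DPT SRC" for each unique
# blocked flow, most frequent first. Lines without the prefix are skipped.
summarize_blocked() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }
        {
            proto = ""; src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/)    proto = substr($i, 7)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (proto == "") next
            if (dpt == "") dpt = "-"    # ICMP has no destination port
            count[proto "/" dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample in the format the kernel LOG target writes to syslog.
sample_log() {
    cat <<'EOF'
Jul 15 16:50:01 host1 kernel: IPT-REJECT: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=54321 SYN URGP=0
Jul 15 16:50:02 host1 kernel: IPT-REJECT: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.10 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=54321 SYN URGP=0
Jul 15 16:50:03 host1 kernel: IPT-REJECT: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.10 LEN=84 TTL=64 ID=3 PROTO=UDP SPT=50000 DPT=111 LEN=64
Jul 15 16:50:04 host1 kernel: IPT-REJECT: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.10 LEN=84 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jul 15 16:50:05 host1 sshd[123]: Accepted publickey for root from 10.0.0.5 port 40002 ssh2
EOF
}

# On a real host: summarize_blocked < /var/log/messages
sample_log | summarize_blocked
```

Because the LOG rule is rate-limited, the counts are a lower bound; each line still shows a protocol/port and source that reached the reject rule.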

Thanks. It is on my CentOS host which is located deep in my NW.

Regards,
Niklas

On 15 jul 2014, at 16:41, "White Hat" <whitehat237@gmail.com> wrote:

You can modify the IPTablesConfig using the engine-config utility to control what goes into the host. In 3.5.0 you can use the IPTablesConfigSiteCustom in order to push some custom rules without breaking future upgrades.

----- Original Message -----
From: "Niklas Fondberg" <niklas@vireone.com>
To: "White Hat" <whitehat237@gmail.com>
Cc: "users" <users@ovirt.org>
Sent: Tuesday, July 15, 2014 6:33:15 PM
Subject: Re: [ovirt-users] iptables question

participants (3)
- Alon Bar-Lev
- Niklas Fondberg
- White Hat