Per risolvere i problemi relativi al firewall con un host KVM, è possibile esaminare le regole del firewall applicabili all'host.
Ottenere l'elenco di VIF nell'host KVM
localhost.localdomain> get firewall vifs ***sample output*** Firewall VIFs ----------------------------------------------------------------------VIF count: 3 1 239140cf-6c6c-464f-96eb-dfb13203171e 2 eb277d27-0d28-4fb0-82ce-f59d86ea5bee 3 afb2aa98-85ee-4bb4-8318-d699fa84c7f0
Individuare le regole del firewall applicabili a un VIF specifico
Specificare il VIF in base a UUID (in questo esempio:
239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e ruleset rules ***sample output*** Firewall Rules ---------------------------------------------------------------------- VIF UUID : 239140cf-6c6c-464f-96eb-dfb13203171e Ruleset UUID : 7c5838e5-ab75-427d-b4dd-9452e5607805 Rule count : 5345 rule 3073 inout protocol any from any to any profile fbb4b84f-f6c1-40c5-a509-f7c6f81fe7d9 accept with log tag dns; rule 3072 inout protocol any from any to any profile 6bc09f62-a188-4e36-9708-291af7237039 accept with log tag youtube.com; rule 3072 inout protocol any from any to any profile 27b9a15b-8071-4d09-a7e8-71eecfca0779 accept with log tag youtube.com; rule 3075 inout protocol tcp from addrset 81d95211-ab77-4f2d-beaf-3e15b045fb5e to addrset 3d41a802-a899-4464-ba2b-da9240598552 port 5000 accept with log tag portlist1; rule 3075 inout protocol tcp from addrset 81d95211-ab77-4f2d-beaf-3e15b045fb5e to addrset 3d41a802-a899-4464-ba2b-da9240598552 port 4992/0xfff8 accept with log tag portlist1; rule 3075 inout protocol tcp from addrset 81d95211-ab77-4f2d-beaf-3e15b045fb5e to addrset 3d41a802-a899-4464-ba2b-da9240598552 port 4864/0xff80 accept with log tag portlist1;
Ottenere l'elenco dei set di indirizzi utilizzati in un VIF specifico
Specificare il VIF in base a UUID (in questo esempio:
239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e addrsets ***sample output*** Firewall Address Sets ---------------------------------------------------------------------- Address set count : 11 UUID : 09f6da50-bcf2-4347-91a7-df00dca003a6 Address count : 7 mac 00:50:56:81:9b:2e mac 00:0c:29:03:4d:0d mac 00:0c:29:03:4d:03 ip 10.172.177.231 ip 10.172.177.111 ip 192.168.1.11 ip 192.168.2.11
Ottenere l'elenco di APPID e FQDN utilizzati in un VIF specifico
Per controllare i profili FQDN nell'hypervisor, eseguire il comando localhost.localdomain> get firewall <vif-id> profile
.
Cercare l'URL configurato nell'interfaccia utente del criterio.
Specificare il VIF in base a UUID (in questo esempio:
239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e profile ***sample output*** Firewall Profiles ---------------------------------------------------------------------- Profiles count : 9 UUID : 87de2b6b-bdf5-49b6-bae2-824f455a21a4 Attribute count : 2 FQDN : www\.youtube\.com FQDN : .*\.microsoft\.com UUID : 68dc8321-5cb5-4cd4-b1d1-14961d71c05e Attribute count : 1 APP_ID : APP_SSL
Ottenere l'elenco di APPID e FQDN utilizzati in un VIF specifico
Specificare il VIF in base a UUID (in questo esempio:
239140cf-6c6c-464f-96eb-dfb13203171e).
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e profile ***sample output*** Firewall Profiles ---------------------------------------------------------------------- Profiles count : 9 UUID : 87de2b6b-bdf5-49b6-bae2-824f455a21a4 Attribute count : 2 FQDN : www\.youtube\.com FQDN : .*\.microsoft\.com UUID : 68dc8321-5cb5-4cd4-b1d1-14961d71c05e Attribute count : 1 APP_ID : APP_SSL
Scoprire l'FQDN nel VIF specifico
localhost.localdomain> get firewall 239140cf-6c6c-464f-96eb-dfb13203171e fqdn Firewall Profile FQDN ---------------------------------------------------------------------- Profiles count : 3 Profile UUID : 87de2b6b-bdf5-49b6-bae2-824f455a21a4 FQDN count : 2 FQDN UUID : 37efd4dd-961c-4756-afdd-ec04f44b6c10 Value : www\.youtube\.com IP set : 172.217.6.46
Controllare le connessioni tramite il modulo Conntrack di Linux.
In questo esempio, vengono cercati flussi tra due indirizzi IP specifici.
ovs-appctl dpctl/dump-conntrack -m | grep 192.168.1.15 | grep 192.168.1.16 icmp,orig=(src=192.168.1.15,dst=192.168.1.16,id=7972,type=8,code=0), reply=(src=192.168.1.16,dst=192.168.1.15,id=7972,type=0,code=0), id=2901517888,zone=61437,status=SEEN_REPLY|CONFIRMED,mark=2083,labels=0x1f
Controllare i ruoli e i profili FQDN negli host KVM
Le regole del firewall possono essere create per filtrare domini specifici con FQDN/URL. Per controllare i profili FQDN nell'hypervisor, eseguire il comando localhost.localdomain> get firewall <vif-id> profile. Cercare l'URL configurato nell'interfaccia utente del criterio.
Output nsxcli di esempio per il profilo di contesto pubblicato con voci APP_ID e FQDN:
localhost.localdomain> get firewall 989bdcf6-c6fc-47cd-86a3-367e552dba32 profile Firewall Profiles ---------------------------------------------------------------------- Profiles count : 3 UUID : b34b868e-f113-4463-84a6-14736e50168e Attribute count : 1 APP_ID : APP_HTTP UUID : c4689750-d5e1-41f5-ba2c-0bfc846ed494 Attribute count : 1 FQDN : www\.youtube\.com UUID : 77a599db-b2d3-4510-bbff-fa2bb31aceae Attribute count : 1 APP_ID : APP_DNS localhost.localdomain> get firewall 989bdcf6-c6fc-47cd-86a3-367e552dba32 fqdn Firewall Profile FQDN ---------------------------------------------------------------------- Profiles count : 1 Profile UUID : c4689750-d5e1-41f5-ba2c-0bfc846ed494 FQDN count : 1 FQDN UUID : 1c9d612c-c398-409e-b6f0-f1ec49b778fe Value : www\.youtube\.com IP set : 172.217.6.46, 172.217.164.110, 172.217.5.110, 216.58.194.206, 172.217.6.78, 172.217.0.46, 216.58.195.78, 216.58.194.174