Nobody talking about foomuuri...many asking for fine-grained alternative to firewalld

Forgive please my lack of terminology or any concept. I'm not a pro.

Am I missing something? There is very little talk about a fairly new firewall frontend for nftables. It seems nice?
The package foomuuri-firewalld also uses dbus.

I use virt-manager and have NAT for the network; it uses the virbr0 interface. I noticed other people mentioning difficulty setting up NAT with nftables?

libvirt's XML files in the firewalld folder show service names that I thought needed to be adapted for foomuuri to process (like 'domain' / 'domain-s' instead of 'dns', and 'dhcp-client' / 'dhcp-server' instead of 'dhcp', etc.). Is that correct?

systemd showed the services don't cancel each other out (nftables and foomuuri load and start together, but nftables has to be manually enabled). Is that a conflict, or a mistake?

Any advice on securing NAT with nftables or any of the above mentioned, or even just thoughts...

Thanks for reading.
chozo

Finally, any advice on how to block specific IPs this way, or the firewalld way?

What do you mean by “secure NAT”?

I protect my home with a Fedora server based firewall using firewalld.

For me it is easy to configure NAT, and it's secure against threats from outsiders.


Given the default libvirt and firewalld configs in Fedora, NAT for the guest network should work OOTB.

Related issues are likely caused by some kind of race condition, so those affected can try the following workaround:

sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --zone=libvirt --add-interface=virbr0
sudo firewall-cmd --reload

If the problem persists, it is best to properly isolate and troubleshoot.

Keep in mind that security should follow threat modeling no matter what firewall you use.

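As an added example (not code from the thread or from the Fedora/libvirt projects), the script below wraps the firewalld workaround above and the "block specific IPs the firewalld way" part of the question into one re-runnable POSIX sh script. It assumes the stock Fedora "libvirt" zone exists, that "public" is the default zone facing the outside, and that virbr0 is the libvirt bridge; the blocked addresses are constructed placeholders from the RFC 5737 documentation ranges. Entries are validated before they reach an ipset, `--new-ipset` is skipped when the set already exists, and `DRY_RUN=1` prints every firewall-cmd invocation instead of executing it so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: libvirt NAT zone setup plus an
# ipset-backed blocklist via firewalld. Assumed names (override via env):
set -eu
ZONE_GUEST="${ZONE_GUEST:-libvirt}"   # zone holding the libvirt bridge
ZONE_WAN="${ZONE_WAN:-public}"        # default zone facing the outside
BRIDGE="${BRIDGE:-virbr0}"            # libvirt NAT bridge
IPSET="${IPSET:-blocklist}"           # ipset name for dropped sources

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_ipv4_net: accept a dotted quad with an optional /0-32 prefix; reject
# anything else so garbage never lands in the ipset.
is_ipv4_net() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -f
    set -- $addr
    set +f; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ipset_exists: --new-ipset errors if the set already exists, so check first.
# In dry-run mode assume it does not exist so the full plan is printed.
ipset_exists() {
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    firewall-cmd --permanent --get-ipsets 2>/dev/null | grep -qw "$IPSET"
}

# configure_nat: the workaround from the thread, with the zones made explicit.
configure_nat() {
    run firewall-cmd --permanent --zone="$ZONE_GUEST" --add-interface="$BRIDGE"
    run firewall-cmd --permanent --zone="$ZONE_WAN" --add-masquerade
}

# configure_blocklist: create the ipset once, add each validated entry, and
# attach a rich rule to the outward-facing zone that drops traffic from it.
configure_blocklist() {
    if ! ipset_exists; then
        run firewall-cmd --permanent --new-ipset="$IPSET" --type=hash:net
    fi
    for net in "$@"; do
        if is_ipv4_net "$net"; then
            run firewall-cmd --permanent --ipset="$IPSET" --add-entry="$net"
        else
            printf 'skipping invalid entry: %s\n' "$net" >&2
        fi
    done
    run firewall-cmd --permanent --zone="$ZONE_WAN" \
        --add-rich-rule="rule source ipset=\"$IPSET\" drop"
}

# main: apply everything, reload, then show the result for a sanity check.
# The address list is constructed sample input (RFC 5737 ranges plus two
# deliberately bad entries that must be skipped).
main() {
    configure_nat
    configure_blocklist 203.0.113.5 198.51.100.0/24 not-an-address 192.0.2.1/33
    run firewall-cmd --reload
    run firewall-cmd --zone="$ZONE_GUEST" --list-all
    run firewall-cmd --ipset="$IPSET" --get-entries
}

case "${1:-}" in
    plan)  DRY_RUN=1 main ;;   # review the commands first
    apply) main ;;             # run as root / via sudo
esac
```

Run it as `sh nat-blocklist.sh plan` to see the exact firewall-cmd calls, then `sudo sh nat-blocklist.sh apply`. The rich rule is attached to the outward-facing zone because that is where unsolicited traffic from the blocked ranges arrives; guests behind virbr0 still reach those ranges outbound unless a matching `destination ipset=` rule is added.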