Configure FirewallD to allow bridged virtual machine network access

I have a Windows guest running on a virt-manager QEMU/KVM virtual machine.

My primary NIC eno1 is in a bridge br1 which is configured with my host IP address configuration. This VM is connected to said bridge.

My host firewall is in its default configuration: Default Zone: FedoraWorkstation

If I stop firewalld (and iptables shows empty firewall rules), the guest works correctly. Without stopping the firewall, my guest cannot communicate with the external network. (It can ping, but not make DNS requests, or TCP connections.)

How do I configure the firewall to allow full access to the guest?


This forum post suggested the following Bash script using iptables:

#!/bin/sh

# If I put bridge0 in trusted zone then firewalld allows anything from
# bridge0 on both INPUT and FORWARD chains!
# So, I've put bridge0 back into the default public zone, and this script
# adds rules to allow anything to and from bridge0 to be FORWARDed but not INPUT.

BRIDGE=bridge0
iptables -I FORWARD -i $BRIDGE -j ACCEPT
iptables -I FORWARD -o $BRIDGE -j ACCEPT

I’ve confirmed that this works, but I’m looking to permanently configure my firewall to achieve this behavior. Ideally, it would be done with the built-in FirewallD tools.


Solution 1:

I was having the same issue, and after digging around I found that firewalld has direct passthrough to iptables.

So you can use the same forward rules you had in your script, but let firewalld set them up permanently:

firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -i bridge0 -j ACCEPT
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o bridge0 -j ACCEPT
firewall-cmd --reload

I wish there was a way to get the same result with firewalld without directly changing iptables, but I couldn't find any better solution.
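As an added example (not code from the question or the answer), the following POSIX shell script installs the answer's two passthrough rules for the bridge named in the question (br1) only when they are missing, reloads, and then queries the runtime rules to confirm they are active. It assumes firewall-cmd with the direct interface; the BRIDGE and FWCMD variables and the function names are introduced here.

```shell
#!/bin/sh
# Added example, not from the question or the answer: install the two
# FORWARD passthrough rules permanently via firewall-cmd, but only if
# they are missing, then reload and verify they are live.
# Assumes firewall-cmd with the direct interface. BRIDGE defaults to br1
# (the bridge in the question); FWCMD lets a test substitute a stub.
set -eu

BRIDGE="${BRIDGE:-br1}"
FWCMD="${FWCMD:-firewall-cmd}"

# Add one permanent passthrough rule unless it already exists.
# $1 is -i (traffic arriving from the bridge) or -o (traffic leaving
# via it). Prints "added" or "present" so callers can tell which.
ensure_passthrough() {
    dir="$1"
    if "$FWCMD" --permanent --direct --query-passthrough ipv4 \
        -I FORWARD "$dir" "$BRIDGE" -j ACCEPT >/dev/null 2>&1; then
        echo present
    else
        "$FWCMD" --permanent --direct --passthrough ipv4 \
            -I FORWARD "$dir" "$BRIDGE" -j ACCEPT >/dev/null
        echo added
    fi
}

# Install both rules, reload so the permanent config becomes runtime,
# then confirm with a runtime query (no --permanent) that each rule is
# actually active. Only FORWARD is opened; INPUT stays under zone policy.
apply_bridge_forwarding() {
    ensure_passthrough -i
    ensure_passthrough -o
    "$FWCMD" --reload >/dev/null
    for dir in -i -o; do
        "$FWCMD" --direct --query-passthrough ipv4 \
            -I FORWARD "$dir" "$BRIDGE" -j ACCEPT >/dev/null 2>&1 \
            || { echo "rule $dir $BRIDGE not active after reload" >&2; return 1; }
    done
    echo "FORWARD open for $BRIDGE; INPUT unchanged"
}

# Only act when invoked as: sudo sh apply-bridge-forwarding.sh apply
if [ "${1:-}" = apply ]; then
    apply_bridge_forwarding
fi
```

Because the rules are inserted with -I they sit ahead of firewalld's own FORWARD rules, and since nothing touches INPUT the host's services stay protected by its zone, as the original script's comment describes.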