crc
Use firewall-cmd instead of haproxy?
Following an internal discussion, an alternative to configuring haproxy to forward requests to the VM is to use firewall-cmd to forward external requests on port 443/80/.. to the VM:
firewall-cmd --add-forward-port=port=443:proto=tcp:toaddr=$(crc ip):toport=443
firewall-cmd --add-forward-port=port=6443:proto=tcp:toaddr=$(crc ip):toport=6443
firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=$(crc ip):toport=80
firewall-cmd --direct --passthrough ipv4 -I FORWARD -i crc -j ACCEPT
firewall-cmd --direct --passthrough ipv4 -I FORWARD -o crc -j ACCEPT
Not implying this is better, but recording this here so that this is not forgotten and can be considered.
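Added example, not part of the original issue or of the crc code base: the forward-port commands above take their target from `$(crc ip)`, so this sketch checks that the substituted value is a plain IPv4 address before any rule text is built, and prints the commands for review instead of running them. The function names `is_ipv4` and `forward_rules` are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the issue's forward-port commands only for a validated address.
# is_ipv4 and forward_rules are names made up for this example.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# The body runs in a subshell so the IFS change does not leak to the caller.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray characters, misplaced dots
    esac
    IFS=.
    set -- $1                                  # split the address on dots
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Print one firewall-cmd invocation per forwarded port (443, 6443, 80, as in the issue).
# Nothing is executed here, so the output can be reviewed before it is run as root.
# Without --permanent these are runtime rules and are lost when firewalld reloads.
forward_rules() {
    is_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; return 1; }
    for port in 443 6443 80; do
        echo "firewall-cmd --add-forward-port=port=${port}:proto=tcp:toaddr=$1:toport=${port}"
    done
}

# Stand-alone use: pass the VM address, e.g.  sh forward-rules.sh "$(crc ip)"
if [ $# -gt 0 ]; then
    forward_rules "$1"
fi
```

If `crc ip` fails or prints anything other than an address, `forward_rules` exits non-zero and emits no command, so a malformed rule never reaches firewalld.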
I tested this and it appears to work for me. I take no credit for this, as these are the same basic rules that are used by the ocp4_setup_upi_kvm script.
This might allow us to use user network mode on Linux also. The only problem is whether this firewall cmd is available on all distros, or whether we need the iptables CLI along with the firewall command.
@robin-owen FYI
With usermode networking, the daemon by default listens on all interfaces. On my RHEL box it's firewalld which prevents external access. These commands are enough to allow external access:
firewall-cmd --zone=public --add-port=2222/tcp
firewall-cmd --zone=public --add-service=https
firewall-cmd --zone=public --add-service=http
(to be adjusted depending on what you want to access :)
With usermode networking, the daemon by default listens on all interfaces. On my RHEL box it's firewalld which prevents external access. These commands are enough to allow external access:
firewall-cmd --zone=public --add-port=2222/tcp
firewall-cmd --zone=public --add-service=https
firewall-cmd --zone=public --add-service=http
(to be adjusted depending on what you want to access :)
How property and config? CRC view and host? I did it, but my crc remote doesn't work.
Can we have an update on this ticket please, as we don't know yet what the proper config to be used is?
@cfergeau can you please verify this again?