docs: explain virbr0 firewalld zone and WARP/SSH-only gotcha#5
Open
docs: explain virbr0 firewalld zone and WARP/SSH-only gotcha#5
Conversation
VM-originated traffic enters hero on virbr0 in the libvirt firewalld zone, not public. Only dhcp/dns/ssh/tftp are admitted there by default, so any WARP path that terminates in a VM (e.g. the warp-connector cloudflared pod in the k3s VM) silently fails for non-SSH host ports while LAN clients reach the same ports through the public zone. Document the zone split, the symptom, and the firewall-cmd fix; note that the libvirt provider has no firewalld resource and durable changes belong in ansible-site-cluster. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
libvirt, onvirbr0) than LAN traffic (public, onenp7s0).k3sVM (thewarp-connectorcloudflared pod) and re-enters hero throughvirbr0. Only ports admitted by thelibvirtzone get a SYN-ACK. SSH is in the default allowlist, so it "just works"; everything else is silently rejected. From the LAN the same destination port reachespublicand works, which masks the asymmetry.firewall-cmd --zone=libvirt --add-port=...recipe and note that thedmacvicar/libvirtprovider has no firewalld resource, so durable host-firewall config belongs inansible-site-cluster.Context
Hit this debugging hero:8080 over WARP — port 22 worked, every other port returned
Network is unreachable. Cloudflare-side audit (Gateway rules, Access apps, infrastructure targets, split-tunnel) showed no port-22 gating anywhere. Packet capture on hero traced the SYNs to192.168.122.0/24arriving onvirbr0, where the libvirt zone's defaultpriority=32767 rejectrich rule was silently dropping all but the allowlisted services. Fix on hero was a one-liner; this PR captures the gotcha so the next person doesn't burn the same hour.Test plan
libvirtzone (already verified for8080/tcpon hero).