How to disable any virbr0 connections with firewalld?

Hello,

I am a new user of Fedora 30. I connect my laptop through wifi provided by smartphone hotspot (Android)

My computing equipment was compromised, and this is what motivated me to adopt Fedora.

I configured my firewall to the block zone, and through nmcli, I set the connection to be private. I have no incoming connections to the machine in any other way, and I really would prefer to have no incoming connections. Everything was working fine until a couple of days ago, when “nmcli con” reported a secondary connection “virbr0.” I am not well versed in networking, but I think this has something to do with a digital bridge.

Again, I am not doing anything to connect into the laptop from any device, so I am puzzled by this “virbr0” connection. I deleted it, and it keeps popping up.

Could you help me figure out how I would block/disable this type of device with the firewall? Or any other way? I am just using an internal wireless card to connect wirelessly to the smartphone, which gives me the connection through hotspot.

Thank you

This is a virtual network switch, it is created by libvirt and its purpose is to provide networking for your virtual machines.
If you don’t intend to run any VMs, you can stop and disable the libvirt daemon (as root):
systemctl stop libvirtd && systemctl disable libvirtd

(you don’t have to though, it doesn’t expose your computer to some outside network, it sits behind your physical adapters)

1 Like

Thank you alexpl. I followed your instructions, and then I started the NetworkManager, and unfortunately the interface was still there. Then I deleted, and the profile would be recreated right after. The image below shows what was happened. Please take a look:

Do you have other advice for me? Or is there other information I can provide to you to help you help me?

Thank you

If you are dead set on removing the bridge and you are certain that you won’t run any VMs (or you’ll remember what you need to undo), you can use either brctl from bridge-utils or the tools from iproute2.
# bridge link
should show you your existing bridges and with
# ip link delete <bridge_name> type bridge
you should be able to delete it. The bridge name will be something like “virbr0-nic”.
I never needed to do that in Fedora, so I don’t know if there’s some daemon or something that might recreate it.

In any case, I don’t think you will gain anything by deleting it, security-wise. It’s as if you had managed to cram a switch inside your computer, behind it’s network ports. When no VM is running, nothing is plugged into the switch and the device does not consume any resources. Heck, even if you wanted to allow incoming traffic to a running VM, you would have to jump through so many hoops and explicitly change several configuration options, that I couldn’t realistically consider it an attractive attack vector…