Even with bridged networking, a KVM (libvirtd) guest can't be reached from the network (except by the KVM host machine). The two ways to deal with this on a Debian or Debian derived (e.g. Ubuntu) system are as follows:
This solution provides minimal access to bridged guests. It does not disable netfilter on the bridge. It does require the guest to have a static IP address, as it won't be able to receive one from the local network.
Modify /etc/ufw/before.rules to add a FORWARD rule with the guest's IP address:
# allow all traffic to 10.1.0.81
-A FORWARD -d 10.1.0.81 -j ACCEPT