Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from:

/etc/pve/firewall/<VMID>.fw

Cluster-wide rules and security groups are read from:

/etc/pve/firewall/cluster.fw

Host firewall rules are read from:

/etc/pve/local/host.fw

You can find examples in the example/ dir.


Use the following commands to manage the firewall:

To test the firewall configuration:

./pvefw compile

To start or update the firewall:

./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

./pvefw update

To stop the firewall:

./pvefw stop


Implementation details
======================

We write iptables rules directly, and generate the following chains
as entry points in the 'forward' table:

PVEFW-INPUT
PVEFW-OUTPUT
PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* TYPE: IN|OUT|GROUP
* ACTION: action or macro
* IFACE: VM network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: destination IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

A rule for inbound traffic looks like this:

IN SSH(ACCEPT) net0

Outbound rules look like:

OUT SSH(ACCEPT)

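As an added illustration of the [RULES] format described above (this is not code from pve-firewall itself), the following Python parser reads the section, keeps rules whose fields match the definitions listed above and reports lines that do not. It assumes omitted trailing fields mean '-' (drawn from the two example rules), that ports are numeric, and uses a constructed sample file.

```python
import re
from dataclasses import dataclass
TYPES = {"IN", "OUT", "GROUP"}
IFACE_RE = re.compile(r"^(net[0-5]|-)$")     # net0 - net5, or '-' for all interfaces
ACTION_RE = re.compile(r"^\w+(\(\w+\))?$")   # a plain action, or a macro such as SSH(ACCEPT)
PORT_RE = re.compile(r"^(\d{1,5}|-)$")       # numeric port, or '-' (assumed to mean any port)

@dataclass
class Rule:
    type: str
    action: str
    # Omitted trailing fields default to '-'; an assumption drawn from the README examples.
    iface: str = "-"
    source: str = "-"
    dest: str = "-"
    proto: str = "-"
    dport: str = "-"
    sport: str = "-"
    def macro(self):
        """Macro name when ACTION is written MACRO(action), e.g. 'SSH' for SSH(ACCEPT)."""
        m = re.match(r"^(\w+)\(\w+\)$", self.action)
        return m.group(1) if m else None

def parse_rules(text):
    """Parse the [RULES] section of a <VMID>.fw file; return (valid rules, error strings)."""
    rules, errors, in_rules = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_rules = line.upper() == "[RULES]"   # only the [RULES] section holds rules
            continue
        if not line or not in_rules:
            continue
        parts = line.split()
        if not 2 <= len(parts) <= 8:   # TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
            errors.append(f"line {lineno}: expected 2 to 8 fields, got {len(parts)}")
            continue
        rule = Rule(*parts)
        checks = [(rule.type in TYPES, "TYPE"), (ACTION_RE.match(rule.action), "ACTION"),
                  (IFACE_RE.match(rule.iface), "IFACE"),
                  (PORT_RE.match(rule.dport) and PORT_RE.match(rule.sport), "PORT")]
        bad = [name for ok, name in checks if not ok]
        if bad:
            errors.append(f"line {lineno}: invalid {', '.join(bad)}: {line!r}")
        else:
            rules.append(rule)
    return rules, errors

# Constructed sample: the two README rules, then two malformed lines a compile step should reject.
SAMPLE = "[RULES]\nIN SSH(ACCEPT) net0\nOUT SSH(ACCEPT)\nIN ACCEPT net9 - - tcp 80\nBLOCK DROP net1 - - tcp 22\n"
```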
Problems
========

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

* when a packet being sent through a bridge entered the firewall on
another interface and was being forwarded to the bridge.

* when a packet originating on the firewall itself is being sent through
a bridge.

We use a second bridge for each interface to avoid the above problems.

eth0-->vmbr0<--tapXiY (non firewalled tap)
<--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)