Experimental software, only used for testing!
=============================================
VM firewall rules are read from /etc/pve/firewall/<VMID>.fw

Security group rules are read from /etc/pve/firewall/groups.fw

Host firewall rules are read from /etc/pve/local/host.fw

You can find examples in the example/ dir

Use the following command to manage the firewall:

To test the firewall configuration:

To start or update the firewall:

To update the firewall rules (the firewall is not started if it
is not already running):
Implementation details
======================

We write iptables rules directly, and generate the following chains
as entry points in the 'forward' table:

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.
Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* ACTION: action or macro
* IFACE: VM network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: destination IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
A rule for inbound traffic looks like this:

Outbound rules look like:
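As an added example (not part of this README or of the pve-firewall code), a small Python parser for a [RULES] section in the format described above. It assumes TYPE is IN or OUT (the README names the two directions but not the tokens) and uses a constructed sample file; '-' fields become None, and malformed lines are rejected rather than skipped:

```python
import ipaddress
import re

# Constructed sample of a /etc/pve/firewall/<VMID>.fw [RULES] section (not from the README).
SAMPLE_FW = """\
[RULES]
# TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
IN ACCEPT net0 192.168.10.0/24 - tcp 22 -
IN DROP - - - - - -
OUT ACCEPT net1 - 10.0.0.5 udp 53 -
"""

FIELDS = ("type", "action", "iface", "source", "dest", "proto", "dport", "sport")
IFACE_RE = re.compile(r"^net[0-5]$")  # README: net0 - net5, or '-' for all

def parse_rules(text):
    """Parse the [RULES] section into a list of dicts; '-' becomes None (any).

    Malformed lines raise ValueError instead of being skipped, because a
    silently dropped rule changes what traffic the firewall lets through.
    """
    rules, in_rules = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):  # section header
            in_rules = line.upper() == "[RULES]"
            continue
        if not in_rules:
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields")
        rule = {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}
        # Assumption: TYPE is IN (inbound) or OUT (outbound); the README
        # describes both directions but does not spell out the tokens.
        if rule["type"] not in ("IN", "OUT"):
            raise ValueError(f"line {lineno}: bad TYPE {rule['type']!r}")
        if rule["iface"] is not None and not IFACE_RE.match(rule["iface"]):
            raise ValueError(f"line {lineno}: bad IFACE {rule['iface']!r}")
        for key in ("source", "dest"):  # host address or network, else raise
            if rule[key] is not None:
                ipaddress.ip_network(rule[key], strict=False)
        for key in ("dport", "sport"):
            if rule[key] is not None and not 0 < int(rule[key]) < 65536:
                raise ValueError(f"line {lineno}: bad port {rule[key]!r}")
        rules.append(rule)
    return rules
```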
There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

* when a packet being sent through a bridge entered the firewall on another interface
  and was being forwarded to the bridge.

* when a packet originating on the firewall itself is being sent through a bridge.

So we disable the firewall if we detect such a case (bridge with assigned IP address).
You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".

The correct workaround is to remove the IP address from the bridge device, and
use a veth device which is plugged into the bridge:
---/etc/network/interfaces----
iface vmbr0 inet manual

# this creates the veth device and plugs it into vmbr0
iface pm0 inet static
    address 192.168.10.10
    netmask 255.255.255.0

iface vmbr1 inet manual

# setup masqueraded bridge port vmbr1/pm1 using pm0
# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
iface pm1 inet static
    netmask 255.255.255.0
--------------------------------