Experimental software, only used for testing!
=============================================
VM firewall rules are read from:

/etc/pve/firewall/<VMID>.fw

Cluster wide rules and security groups are read from:

/etc/pve/firewall/cluster.fw

Host firewall rules are read from:

/etc/pve/local/host.fw

You can find examples in the example/ dir
Use the following command to manage the firewall:

To test the firewall configuration:

To start or update the firewall:

To update the firewall rules (the firewall is not started if it
is not already running):
Implementation details
======================

We write iptables rules directly, and generate the following chains
as entry points in the 'forward' table:
We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* ACTION: action or macro
* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: dest IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
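As an added example (not part of the pve-firewall README or its Perl code), the following parses the [RULES] section of a <VMID>.fw file into the fields listed above and rejects lines that violate the stated constraints: wrong field count, an IFACE outside net0-net5, an unknown PROTO, or an out-of-range port. The sample file content, the TYPE values IN/OUT and the small protocol table standing in for /etc/protocols are assumptions.

```python
import re

# Constructed sample of a /etc/pve/firewall/<VMID>.fw [RULES] section.
# Rule TYPE values IN and OUT are assumed, not taken from the README.
SAMPLE_FW = """\
[RULES]
IN ACCEPT net0 - - tcp 22 -
OUT DROP - - 10.0.0.5 udp 53 -
IN ACCEPT net9 - - tcp 80 -
IN ACCEPT net1 - - tcp 22
"""

FIELDS = ("type", "action", "iface", "source", "dest", "proto", "dport", "sport")
IFACE_RE = re.compile(r"^(-|net[0-5])$")
# Stand-in for /etc/protocols so the example runs offline.
KNOWN_PROTOS = {"-", "tcp", "udp", "icmp"}

def parse_rule(line):
    """Split one rule line into named fields, mapping '-' wildcards to None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rule = {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}
    if not IFACE_RE.match(parts[2]):
        raise ValueError(f"IFACE must be net0-net5 or '-': {parts[2]!r}")
    if parts[5] not in KNOWN_PROTOS:
        raise ValueError(f"unknown PROTO {parts[5]!r} (see /etc/protocols)")
    for key in ("dport", "sport"):
        if rule[key] is not None and not (1 <= int(rule[key]) <= 65535):
            raise ValueError(f"{key} out of range: {rule[key]}")
    return rule

def parse_rules_section(text):
    """Return (valid rules, error messages) for the [RULES] section of a .fw file."""
    rules, errors, in_rules = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # Only the [RULES] section holds rule lines; other sections are skipped.
            in_rules = line.upper() == "[RULES]"
            continue
        if not in_rules:
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as e:
            errors.append(f"line {lineno}: {e}")
    return rules, errors
```

Running it on SAMPLE_FW yields two accepted rules and two rejected lines (the net9 interface and the 7-field rule), which is the kind of check worth running before the rules are compiled into iptables.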
A rule for inbound traffic looks like this:

Outbound rules look like:
There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

* when a packet being sent through a bridge entered the firewall on
another interface and was being forwarded to the bridge.

* when a packet originating on the firewall itself is being sent through

We use a second bridge for each interface to avoid the above problem.
eth0-->vmbr0<--tapXiY (non firewalled tap)
            <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)