1 Experimental software, only used for testing!
2 =============================================
8 VM firewall rules are read from:
10 /etc/pve/firewall/<VMID>.fw
12 Cluster wide rules and security group are read from:
14 /etc/pve/firewall/cluster.fw
16 Host firewall rules are read from:
18 /etc/pve/local/host.fw
20 You can find examples in the example/ dir
23 Use the following command to mange the firewall:
25 To test the firewall configuration:
29 To start or update the firewall:
33 To update the firewall rules (the firewall is not started if it
34 is not already running):
43 Implementation details
44 ======================
46 We write iptables rules directly, an generate the following chains
47 as entry points in the 'forward' table:
53 We do not touch other (user defined) chains.
55 Each VM can have its own firewall definition file in
57 /etc/pve/firewall/<VMID>.fw
59 That file has a section [RULES] to define firewall rules.
61 Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
64 * ACTION: action or macro
65 * IFACE: vm network interface (net0 - net5), or '-' for all interfaces
66 * SOURCE: source IP address, or '-' for any source
67 * DEST: dest IP address, or '-' for any destination address
68 * PROTO: see /etc/protocols
69 * D-PORT: destination port
72 A rule for inbound traffic looks like this:
76 Outbound rules looks like:
83 There are a number of restrictions when using iptables to filter
84 bridged traffic. The physdev match feature does not work correctly
85 when traffic is routed from host to bridge:
87 * when a packet being sent through a bridge entered the firewall on another interface
88 and was being forwarded to the bridge.
90 * when a packet originating on the firewall itself is being sent through a bridge.
92 So we disable the firewall if we detect such case (bridge with assigned IP address).
93 You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
95 The correct workaround is to remove the IP address from the bridge device, and
96 use a veth device which is plugged into the bridge:
98 ---/etc/network/interfaces----
103 iface vmbr0 inet manual
108 # this create the veth device and plug it into vmbr0
110 iface pm0 inet static
111 address 192.168.10.10
112 netmask 255.255.255.0
117 iface vmbr1 inet manual
122 # setup masqueraded bridge port vmbr1/pm1 using pm0
123 # NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
125 iface pm1 inet static
127 netmask 255.255.255.0
133 --------------------------------