gitignore: add build artefacts and temporary intermediate files

[pve-docs.git] / pve-firewall.adoc

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 2bcdf6e0c93e95d7c421598e2e3b1188d215c5e7..5c0d1443b737ddcc09977b64453a32a32e82b34c 100644 (file)
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -84,7 +84,7 @@ name enclosed in `[` and `]`.
 Cluster Wide Setup
 ~~~~~~~~~~~~~~~~~~
 
-The cluster wide firewall configuration is stored at:
+The cluster-wide firewall configuration is stored at:
  
  /etc/pve/firewall/cluster.fw
 
@@ -92,13 +92,13 @@ The configuration can contain the following sections:
 
 `[OPTIONS]`::
 
-This is used to set cluster wide firewall options.
+This is used to set cluster-wide firewall options.
 
 include::pve-firewall-cluster-opts.adoc[]
 
 `[RULES]`::
 
-This sections contains cluster wide firewall rules for all nodes.
+This sections contains cluster-wide firewall rules for all nodes.
 
 `[IPSET <name>]`::
 
@@ -121,7 +121,7 @@ set the enable option here:
 
 ----
 [OPTIONS]
-# enable firewall (cluster wide setting, default is disabled)
+# enable firewall (cluster-wide setting, default is disabled)
 enable: 1
 ----
 
@@ -324,7 +324,7 @@ Standard IP set `management`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 This IP set applies only to host firewalls (not VM firewalls).  Those
-IPs are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
+IPs are allowed to do normal management tasks ({PVE} GUI, VNC, SPICE,
 SSH).
 
 The local cluster network is automatically added to this IP set (alias
@@ -426,7 +426,7 @@ following traffic is still allowed for all {pve} hosts in the cluster:
 * TCP traffic from management hosts to port 3128 for connections to the SPICE
   proxy
 * TCP traffic from management hosts to port 22 to allow ssh access
-* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP traffic in the cluster network to ports 5405-5412 for corosync
 * UDP multicast traffic in the cluster network
 * ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
   (Time Exceeded)
@@ -435,7 +435,7 @@ The following traffic is dropped, but not logged even with logging enabled:
 
 * TCP connections with invalid connection state
 * Broadcast, multicast and anycast traffic not related to corosync, i.e., not
-  coming through port 5404 or 5405
+  coming through ports 5405-5412
 * TCP traffic to port 43
 * UDP traffic to ports 135 and 445
 * UDP traffic to the port range 137 to 139
@@ -457,7 +457,7 @@ Please inspect the output of the
 
 system command to see the firewall chains and rules active on your system.
 This output is also included in a `System Report`, accessible over a node's
-subscription tab in the web GUI, or through the `pvereport` command line tool.
+subscription tab in the web GUI, or through the `pvereport` command-line tool.
 
 VM/CT incoming/outgoing DROP/REJECT
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -465,7 +465,7 @@ VM/CT incoming/outgoing DROP/REJECT
 This drops or rejects all the traffic to the VMs, with some exceptions for
 DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
 configuration.  The same rules for dropping/rejecting packets are inherited
-from the datacenter, while the exceptions for accepted incomming/outgoing
+from the datacenter, while the exceptions for accepted incoming/outgoing
 traffic of the host do not apply.
 
 Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
@@ -475,7 +475,7 @@ Logging of firewall rules
 -------------------------
 
 By default, all logging of traffic filtered by the firewall rules is disabled.
-To enable logging, the `loglevel` for incommig and/or outgoing traffic has to be
+To enable logging, the `loglevel` for incoming and/or outgoing traffic has to be
 set in *Firewall* -> *Options*. This can be done for the host as well as for the
 VM/CT firewall individually. By this, logging of {PVE}'s standard firewall rules
 is enabled and the output can be observed in *Firewall* -> *Log*.
@@ -528,7 +528,7 @@ Further, the log-level can also be set via the firewall configuration file by
 appending a `-log <loglevel>` to the selected rule (see
 xref:pve_firewall_log_levels[possible log-levels]).
 
-For example, the following two are ident:
+For example, the following two are identical:
 
 ----
 IN REJECT -p icmp -log nolog
@@ -562,7 +562,7 @@ and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot).
 Suricata IPS integration
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you want to use the http://suricata-ids.org/[Suricata IPS]
+If you want to use the https://suricata-ids.org/[Suricata IPS]
 (Intrusion Prevention System), it's possible.
 
 Packets will be forwarded to the IPS only after the firewall ACCEPTed
@@ -628,13 +628,14 @@ corresponding link local addresses.  (See the
 Ports used by {pve}
 -------------------
 
-* Web interface: 8006
-* VNC Web console: 5900-5999
-* SPICE proxy: 3128
-* sshd (used for cluster actions): 22
-* rpcbind: 111
-* corosync multicast (if you run a cluster): 5404, 5405 UDP
-
+* Web interface: 8006 (TCP, HTTP/1.1 over TLS)
+* VNC Web console: 5900-5999 (TCP, WebSocket)
+* SPICE proxy: 3128 (TCP)
+* sshd (used for cluster actions): 22 (TCP)
+* rpcbind: 111 (UDP)
+* sendmail: 25 (TCP, outgoing)
+* corosync cluster traffic: 5405-5412 UDP
+* live migration (VM memory and local-disk data): 60000-60050 (TCP)
 
 ifdef::manvolnum[]