NAME
----
-pve-firewall - The PVE Firewall Daemon
+pve-firewall - PVE Firewall Daemon
SYNOPSYS
include::attributes.txt[]
endif::manvolnum[]
-// Copied from pve wiki: Revision as of 08:45, 9 November 2015
-
Proxmox VE Firewall provides an easy way to protect your IT
-infrastructure. You can easily setup firewall rules for all hosts
+infrastructure. You can setup firewall rules for all hosts
inside a cluster, or define rules for virtual machines and
containers. Features like firewall macros, security groups, IP sets
-and aliases help making that task easier.
+and aliases helps to make that task easier.
While all configuration is stored on the cluster file system, the
iptables based firewall runs on each cluster node, and thus provides
this system also provides much higher bandwidth than a central
firewall solution.
-NOTE: If you enable the firewall, all traffic is blocked by default,
-except WebGUI(8006) and ssh(22) from your local network.
-
The firewall has full support for IPv4 and IPv6. IPv6 support is fully
transparent, and we filter traffic for both protocols by default. So
there is no need to maintain a different set of rules for IPv6.
All firewall related configuration is stored on the proxmox cluster
file system. So those files are automatically distributed to all
cluster nodes, and the 'pve-firewall' service updates the underlying
-iptables rules automatically on changes. Any configuration can be
-done using the GUI (i.e. Datacenter -> Firewall -> Options tab (tabs
-at the bottom of the page), or on a Node -> Firewall), so the
-following configuration file snippets are just for completeness.
+iptables rules automatically on changes.
+
+You can configure anything using the GUI (i.e. Datacenter -> Firewall,
+or on a Node -> Firewall), or you can edit the configuration files
+directly using your preferred editor.
-All firewall configuration files contains sections of key-value
+Firewall configuration files contains sections of key-value
pairs. Lines beginning with a '#' and blank lines are considered
comments. Sections starts with a header line containing the section
name enclosed in '[' and ']'.
+
Cluster Wide Setup
~~~~~~~~~~~~~~~~~~
This is used to set cluster wide firewall options.
-NOTE: The firewall is completely disabled by default, so you need to
-set the enable option here:
-----
-[OPTIONS]
-# enable firewall (cluster wide setting, default is disabled)
-enable: 1
-----
+include::pve-firewall-cluster-opts.adoc[]
'[RULES]'::
Cluster wide Alias definitions.
+
+Enabling the Firewall
+^^^^^^^^^^^^^^^^^^^^^
+
+The firewall is completely disabled by default, so you need to
+set the enable option here:
+
+----
+[OPTIONS]
+# enable firewall (cluster wide setting, default is disabled)
+enable: 1
+----
+
+IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by
+default. Only exceptions is WebGUI(8006) and ssh(22) from your local
+network.
+
+If you want to administrate your {pve} hosts from remote, you
+need to create rules to allow traffic from those remote IPs to the web
+GUI (port 8006). You may also want to allow ssh (port 22), and maybe
+SPICE (port 3128).
+
+TIP: Please open a SSH connection to one of your {PVE} hosts before
+enabling the firewall. That way you still have access to the host if
+something goes wrong .
+
+To simplify that task, you can instead create an IPSet called
+'management', and add all remote IPs there. This creates all required
+firewall rules to access the GUI from remote.
+
+
Host specific Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is useful if you want to overwrite rules from 'cluster.fw'
config. You can also increase log verbosity, and set netfilter related
-options.
+options. The configuration can contain the following sections:
+
+'[OPTIONS]'::
+
+This is used to set host related firewall options.
+
+include::pve-firewall-host-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains host specific firewall rules.
VM/Container configuration
and contains the following data:
-* IP set definitions
-* Alias definitions
-* Firewall rules for this VM
-* VM specific options
+'[OPTIONS]'::
+
+This is used to set VM/Container related firewall options.
+
+include::pve-firewall-vm-opts.adoc[]
+
+'[RULES]'::
+
+This sections contains VM/Container firewall rules.
+
+'[IPSET <name>]'::
+
+IP set definitions.
+
+'[ALIASES]'::
+
+IP Alias definitions.
Enabling the Firewall for VMs and Containers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-You need to enable the firewall on the virtual network interface configuration
-in addition to the general 'Enable Firewall' option in the 'Options' tab.
+Each virtual network device has its own firewall enable flag. So you
+can selectively enable the firewall for each interface. This is
+required in addition to the general firewall 'enable' option.
+
+The firewall requires a special network device setup, so you need to
+restart the VM/container after enabling the firewall on a network
+interface.
Firewall Rules
----
# /etc/network/interfaces
(...)
+# Dual stack:
+iface vmbr0 inet static
+ address 1.2.3.4
+ netmask 255.255.255.128
+ gateway 1.2.3.5
iface vmbr0 inet6 static
address fc00::31
netmask 16
gateway fc00::1
accept_ra 0
pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
+
+# With IPv6-only 'pre-up' is too early and 'up' is too late.
+# Work around this by creating the bridge manually
+iface vmbr1 inet manual
+ pre-up ip link add $IFACE type bridge
+ up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
+iface vmbr1 inet6 static
+ address fc00:b:3::1
+ netmask 96
+ bridge_ports none
+ bridge_stp off
+ bridge_fd 0
+ bridge_vlan_aware yes
+ accept_ra 0
(...)
----