+[[chapter_pve_firewall]]
ifdef::manvolnum[]
-PVE({manvolnum})
-================
+pve-firewall(8)
+===============
include::attributes.txt[]
+:pve-toplevel:
NAME
----
pve-firewall - PVE Firewall Daemon
-SYNOPSYS
+SYNOPSIS
--------
include::pve-firewall.8-synopsis.adoc[]
DESCRIPTION
-----------
endif::manvolnum[]
-
ifndef::manvolnum[]
{pve} Firewall
==============
include::attributes.txt[]
+:pve-toplevel:
endif::manvolnum[]
+ifdef::wiki[]
+:title: Firewall
+endif::wiki[]
-Proxmox VE Firewall provides an easy way to protect your IT
+{pve} Firewall provides an easy way to protect your IT
infrastructure. You can setup firewall rules for all hosts
inside a cluster, or define rules for virtual machines and
containers. Features like firewall macros, security groups, IP sets
-and aliases helps to make that task easier.
+and aliases help to make that task easier.
While all configuration is stored on the cluster file system, the
`iptables`-based firewall runs on each cluster node, and thus provides
cluster nodes, and the `pve-firewall` service updates the underlying
`iptables` rules automatically on changes.
-You can configure anything using the GUI (i.e. Datacenter -> Firewall,
-or on a Node -> Firewall), or you can edit the configuration files
+You can configure anything using the GUI (i.e. *Datacenter* -> *Firewall*,
+or on a *Node* -> *Firewall*), or you can edit the configuration files
directly using your preferred editor.
Firewall configuration files contains sections of key-value
name enclosed in `[` and `]`.
+[[pve_firewall_cluster_wide_setup]]
Cluster Wide Setup
~~~~~~~~~~~~~~~~~~
firewall rules to access the GUI from remote.
-Host specific Configuration
+[[pve_firewall_host_specific_configuration]]
+Host Specific Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Host related configuration is read from:
This sections contains host specific firewall rules.
-
-VM/Container configuration
+[[pve_firewall_vm_container_configuration]]
+VM/Container Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~
VM firewall configuration is read from:
----
+[[pve_firewall_security_groups]]
Security Groups
---------------
GROUP webserver
----
-
+[[pve_firewall_ip_aliases]]
IP Aliases
----------
* inside IP set definitions
* in `source` and `dest` properties of firewall rules
-Standard IP alias `local_network`
+
+Standard IP Alias `local_network`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This alias is automatically defined. Please use the following command
local_network 1.2.3.4 # use the single ip address
----
+[[pve_firewall_ip_sets]]
IP Sets
-------
IN HTTP(ACCEPT) -source +management
+
Standard IP set `management`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This IP set applies only to host firewalls (not VM firewalls). Those
-ips are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
+IPs are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
SSH).
The local cluster network is automatically added to this IP set (alias
Standard IP set `blacklist`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Traffic from these ips is dropped by every host's and VM's firewall.
+Traffic from these IPs is dropped by every host's and VM's firewall.
----
# /etc/pve/firewall/cluster.fw
----
-[[ipfilter-section]]
+[[pve_firewall_ipfilter_section]]
Standard IP set `ipfilter-net*`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
be dropped.
For containers with configured IP addresses these sets, if they exist (or are
-activated via the general `IP Filter` option in the VM's firewall's 'options'
+activated via the general `IP Filter` option in the VM's firewall's *options*
tab), implicitly contain the associated IP addresses.
For both virtual machines and containers they also implicitly contain the
----
-Avoiding `link-local` Addresses on `tap` and `veth` Devices
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-With IPv6 enabled by default every interface gets a MAC-derived link local
-address. However, most devices on a typical {pve} setup are connected to a
-bridge and so the bridge is the only interface which really needs one.
-
-To disable a link local address on an interface you can set the interface's
-`disable_ipv6` sysconf variable. Despite the name, this does not prevent IPv6
-traffic from passing through the interface when routing or bridging, so the
-only noticeable effect will be the removal of the link local address.
-
-The easiest method of achieving this setting for all newly started VMs is to
-set it for the `default` interface configuration and enabling it explicitly on
-the interfaces which need it. This is also the case for other settings such as
-`forwarding`, `accept_ra` or `autoconf`.
-
-Here's a possible setup:
-----
-# /etc/sysconf.d/90-ipv6.conf
-
-net.ipv6.conf.default.forwarding = 0
-net.ipv6.conf.default.proxy_ndp = 0
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.default.disable_ipv6 = 1
-net.ipv6.conf.default.accept_ra = 0
-
-net.ipv6.conf.lo.disable_ipv6 = 0
-----
-
-----
-# /etc/network/interfaces
-(...)
-# Dual stack:
-iface vmbr0 inet static
- address 1.2.3.4
- netmask 255.255.255.128
- gateway 1.2.3.5
-iface vmbr0 inet6 static
- address fc00::31
- netmask 16
- gateway fc00::1
- accept_ra 0
- pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
-
-# With IPv6-only 'pre-up' is too early and 'up' is too late.
-# Work around this by creating the bridge manually
-iface vmbr1 inet manual
- pre-up ip link add $IFACE type bridge
- up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
-iface vmbr1 inet6 static
- address fc00:b:3::1
- netmask 96
- bridge_ports none
- bridge_stp off
- bridge_fd 0
- bridge_vlan_aware yes
- accept_ra 0
-(...)
-----
-
-
Notes on IPv6
-------------
autoconfiguration and advertising routers.
By default VMs are allowed to send out router solicitation messages (to query
-for a router), and to receive router advetisement packets. This allows them to
+for a router), and to receive router advertisement packets. This allows them to
use stateless auto configuration. On the other hand VMs cannot advertise
themselves as routers unless the ``Allow Router Advertisement'' (`radv: 1`) option
is set.
(`ipfilter: 1`) option which can be enabled which has the same effect as adding
an `ipfilter-net*` ipset for each of the VM's network interfaces containing the
corresponding link local addresses. (See the
-<<ipfilter-section,Standard IP set `ipfilter-net*`>> section for details.)
+<<pve_firewall_ipfilter_section,Standard IP set `ipfilter-net*`>> section for details.)
-Ports used by Proxmox VE
-------------------------
+Ports used by {pve}
+-------------------
* Web interface: 8006
* VNC Web console: 5900-5999
* SPICE proxy: 3128
* sshd (used for cluster actions): 22
* rpcbind: 111
-* corosync multicast (if you run a cluster): 5404, 5405 UDP
+* corosync multicast (if you run a cluster): 5404, 5405 UDP
ifdef::manvolnum[]