~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This IP set applies only to host firewalls (not VM firewalls). Those
-IPs are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
+IPs are allowed to do normal management tasks ({PVE} GUI, VNC, SPICE,
SSH).
The local cluster network is automatically added to this IP set (alias
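Review bot: `{PVE}` in the replacement line only renders correctly if that attribute is defined for every build target this file is part of (HTML and the man page variant); if it is unset in one of them the text shows up literally as `{PVE}`. Worth confirming before merging, as the original plain "PVE" had no such dependency.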
* TCP traffic from management hosts to port 3128 for connections to the SPICE
proxy
* TCP traffic from management hosts to port 22 to allow ssh access
-* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP traffic in the cluster network to ports 5405-5412 for corosync
* UDP multicast traffic in the cluster network
* ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
(Time Exceeded)
* TCP connections with invalid connection state
* Broadcast, multicast and anycast traffic not related to corosync, i.e., not
- coming through port 5404 or 5405
+ coming through ports 5405-5412
* TCP traffic to port 43
* UDP traffic to ports 135 and 445
* UDP traffic to the port range 137 to 139
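Review bot: the new corosync range 5405-5412 is applied consistently to both affected bullets ("UDP traffic in the cluster network to ports 5405-5412" and "not coming through ports 5405-5412"), but the host firewall rules that actually open those ports are not part of this diff; confirm the ruleset was changed to the same range, since this list describes what the firewall does rather than defining it. The untouched bullet "UDP multicast traffic in the cluster network" should also be re-checked in the same change: if the port change reflects a corosync setup that no longer relies on multicast, that bullet is now stale.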
system command to see the firewall chains and rules active on your system.
This output is also included in a `System Report`, accessible over a node's
-subscription tab in the web GUI, or through the `pvereport` command line tool.
+subscription tab in the web GUI, or through the `pvereport` command-line tool.
VM/CT incoming/outgoing DROP/REJECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
defined for the standard rules in *Firewall* -> *Options*.
While the `loglevel` for each individual rule can be defined or changed easily
-in the WebUI during creation or modification of the rule, it is possible to set
+in the web UI during creation or modification of the rule, it is possible to set
this also via the corresponding `pvesh` API calls.
Further, the log-level can also be set via the firewall configuration file by
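Review bot: the replacement line introduces "web UI" while the System Report sentence a few lines earlier in this patch uses "web GUI"; pick one term and apply it throughout the document rather than changing it in one place. The `pvesh` sentence reads fine otherwise.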
Suricata IPS integration
~~~~~~~~~~~~~~~~~~~~~~~~
-If you want to use the https://suricata-ids.org/[Suricata IPS]
+If you want to use the https://suricata.io/[Suricata IPS]
(Intrusion Prevention System), it's possible.
Packets will be forwarded to the IPS only after the firewall ACCEPTed
* sshd (used for cluster actions): 22 (TCP)
* rpcbind: 111 (UDP)
* sendmail: 25 (TCP, outgoing)
-* corosync cluster traffic: 5404, 5405 UDP
+* corosync cluster traffic: 5405-5412 UDP
* live migration (VM memory and local-disk data): 60000-60050 (TCP)
ifdef::manvolnum[]
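Review bot: the replacement line "5405-5412 UDP" breaks the notation used by the neighbouring bullets ("22 (TCP)", "111 (UDP)", "60000-60050 (TCP)"); write it as "5405-5412 (UDP)" so the list stays uniform. The range itself matches the values used in the host firewall rule list earlier in the patch, so the port numbers are consistent across the document.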