X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pve-firewall.adoc;h=07813344860213b086ee43b619e1ab44ddfefcc2;hb=7d6078845fa6a3bd308c7dc843273e56be33f315;hp=acaca95934ce161caebc97757863d95441d6c62d;hpb=b3234584397d064a8f75f4b01b08da6879563549;p=pve-docs.git diff --git a/pve-firewall.adoc b/pve-firewall.adoc index acaca95..0781334 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -35,7 +35,7 @@ containers. Features like firewall macros, security groups, IP sets and aliases help to make that task easier. While all configuration is stored on the cluster file system, the -`iptables`-based firewall runs on each cluster node, and thus provides +`iptables`-based firewall service runs on each cluster node, and thus provides full isolation between virtual machines. The distributed nature of this system also provides much higher bandwidth than a central firewall solution. @@ -74,9 +74,9 @@ You can configure anything using the GUI (i.e. *Datacenter* -> *Firewall*, or on a *Node* -> *Firewall*), or you can edit the configuration files directly using your preferred editor. -Firewall configuration files contains sections of key-value +Firewall configuration files contain sections of key-value pairs. Lines beginning with a `#` and blank lines are considered -comments. Sections starts with a header line containing the section +comments. Sections start with a header line containing the section name enclosed in `[` and `]`. 
@@ -404,6 +404,44 @@ If you want to see the generated iptables rules you can use: # iptables-save +Logging of firewall rules +------------------------- + +By default, logging of traffic filtered by the firewall rules is disabled. To +enable logging for the default firewall rules, the log-level for incommig and +outgoing traffic has to be set in the firewall `Options` tab for the host and/or +the VM/CT firewall. +Logging of dropped packets is rate limited to 1 packet per second in order to +reduce output to the log file. +Further, only some dropped or rejected packets are logged for the standard rules. + +// TODO: describe standard/default rules and note which of them get logged + +In order to log packets filtered by user-defined firewall rules, it is possible +to set a log-level parameter for each rule individually. +This allows to log in a fine grained manner and independent of the log-level +defined for the standard rules in the firewall `Options`. + +The log level for the rule can also be set via the firewall configuration file by +appending a `-log ` to the selected rule. +Here, `` is one of the following flags: +`nolog, emerg, alert, crit, err, warning, notice, info, debug` + +For example, the following two are ident: + +---- +IN REJECT -p icmp -log nolog +IN REJECT -p icmp +---- + +whereas + +---- +IN REJECT -p icmp -log debug +---- + +produces a log output flagged with the `debug` level. + Tips and Tricks ---------------
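Review bot: In the new "Logging of firewall rules" section, the placeholder after `-log ` and the one in "Here, `` is one of the following flags" render as empty backticks, so the reader never sees the name of the parameter that the listed flags (`nolog`, `emerg`, ..., `debug`) are values for; check that the placeholder text inside the backticks survives AsciiDoc rendering (angle-bracket placeholders inside monospace typically need escaping or a `+...+` passthrough) and that both occurrences use the same placeholder. Also fix the typos and phrasing in the same hunk: "incommig" should be "incoming", "the following two are ident" should be "the following two are identical", and "This allows to log in a fine grained manner and independent of" reads better as "This allows logging in a fine-grained manner, independent of". The sentence "only some dropped or rejected packets are logged for the standard rules" is left unexplained, and the `// TODO: describe standard/default rules and note which of them get logged` comment below it shows the gap is known; either state which standard rules log before merging or drop the sentence so the section does not promise information it does not give. Finally, the section switches between "log-level" and "log level"; pick one spelling, and since the rate limit of "1 packet per second" for dropped packets is a concrete claim, confirm it matches the limit actually configured in the generated rules.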