X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pve-firewall.adoc;h=55c8804d0f4ce40fc95dd31ad5a006775ec20303;hb=a4c6084830b7f5e32fae9f080683e041f48834cc;hp=2bcdf6e0c93e95d7c421598e2e3b1188d215c5e7;hpb=3f41b2c5861f60c55457c32700794a6487dc992e;p=pve-docs.git diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 2bcdf6e..55c8804 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -84,7 +84,7 @@ name enclosed in `[` and `]`. Cluster Wide Setup ~~~~~~~~~~~~~~~~~~ -The cluster wide firewall configuration is stored at: +The cluster-wide firewall configuration is stored at: /etc/pve/firewall/cluster.fw @@ -92,13 +92,13 @@ The configuration can contain the following sections: `[OPTIONS]`:: -This is used to set cluster wide firewall options. +This is used to set cluster-wide firewall options. include::pve-firewall-cluster-opts.adoc[] `[RULES]`:: -This sections contains cluster wide firewall rules for all nodes. +This sections contains cluster-wide firewall rules for all nodes. `[IPSET ]`:: @@ -121,7 +121,7 @@ set the enable option here: ---- [OPTIONS] -# enable firewall (cluster wide setting, default is disabled) +# enable firewall (cluster-wide setting, default is disabled) enable: 1 ---- @@ -426,7 +426,7 @@ following traffic is still allowed for all {pve} hosts in the cluster: * TCP traffic from management hosts to port 3128 for connections to the SPICE proxy * TCP traffic from management hosts to port 22 to allow ssh access -* UDP traffic in the cluster network to port 5404 and 5405 for corosync +* UDP traffic in the cluster network to ports 5405-5412 for corosync * UDP multicast traffic in the cluster network * ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11 (Time Exceeded) 
@@ -435,7 +435,7 @@ The following traffic is dropped, but not logged even with logging enabled: * TCP connections with invalid connection state * Broadcast, multicast and anycast traffic not related to corosync, i.e., not - coming through port 5404 or 5405 + coming through ports 5405-5412 * TCP traffic to port 43 * UDP traffic to ports 135 and 445 * UDP traffic to the port range 137 to 139 @@ -465,7 +465,7 @@ VM/CT incoming/outgoing DROP/REJECT This drops or rejects all the traffic to the VMs, with some exceptions for DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set configuration. The same rules for dropping/rejecting packets are inherited -from the datacenter, while the exceptions for accepted incomming/outgoing +from the datacenter, while the exceptions for accepted incoming/outgoing traffic of the host do not apply. Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)] @@ -475,7 +475,7 @@ Logging of firewall rules ------------------------- By default, all logging of traffic filtered by the firewall rules is disabled. -To enable logging, the `loglevel` for incommig and/or outgoing traffic has to be +To enable logging, the `loglevel` for incoming and/or outgoing traffic has to be set in *Firewall* -> *Options*. This can be done for the host as well as for the VM/CT firewall individually. By this, logging of {PVE}'s standard firewall rules is enabled and the output can be observed in *Firewall* -> *Log*. @@ -528,7 +528,7 @@ Further, the log-level can also be set via the firewall configuration file by appending a `-log ` to the selected rule (see xref:pve_firewall_log_levels[possible log-levels]). -For example, the following two are ident: +For example, the following two are identical: ---- IN REJECT -p icmp -log nolog 
@@ -562,7 +562,7 @@ and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot). Suricata IPS integration ~~~~~~~~~~~~~~~~~~~~~~~~ -If you want to use the http://suricata-ids.org/[Suricata IPS] +If you want to use the https://suricata-ids.org/[Suricata IPS] (Intrusion Prevention System), it's possible. Packets will be forwarded to the IPS only after the firewall ACCEPTed @@ -628,13 +628,14 @@ corresponding link local addresses. (See the Ports used by {pve} ------------------- -* Web interface: 8006 -* VNC Web console: 5900-5999 -* SPICE proxy: 3128 -* sshd (used for cluster actions): 22 -* rpcbind: 111 -* corosync multicast (if you run a cluster): 5404, 5405 UDP - +* Web interface: 8006 (TCP, HTTP/1.1 over TLS) +* VNC Web console: 5900-5999 (TCP, WebSocket) +* SPICE proxy: 3128 (TCP) +* sshd (used for cluster actions): 22 (TCP) +* rpcbind: 111 (UDP) +* sendmail: 25 (TCP, outgoing) +* corosync cluster traffic: 5405-5412 UDP +* live migration (VM memory and local-disk data): 60000-60050 (TCP) ifdef::manvolnum[]
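Review bot: in the `[RULES]` hunk (@@ -92,13 +92,13 @@) the rewritten line still carries the pre-existing grammar slip "This sections contains"; since the line is being touched anyway for the hyphenation change, fix it in the same commit to "This section contains cluster-wide firewall rules for all nodes."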
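Review bot: in the "Ports used by {pve}" hunk (@@ -628,13 +628,14 @@) the protocol annotation is inconsistent: every other entry puts the protocol in parentheses, e.g. "sshd (used for cluster actions): 22 (TCP)", while the new corosync line reads "5405-5412 UDP" without them; suggest "* corosync cluster traffic: 5405-5412 (UDP)". The same hunk also drops the old "(if you run a cluster)" qualifier, which was useful for single-node readers, and lists "rpcbind: 111 (UDP)" only; rpcbind conventionally also listens on TCP 111, so confirm whether the annotation is meant to be exhaustive before it is merged.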