X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pve-firewall.adoc;h=b759b9126b7f453dbd2cd5c71d3267e96e36fd0f;hb=acb4a8998f61408120eb4fb1acfd97b4d7f036a0;hp=7089778ccf86e304e8adb987fa370fae6bac5750;hpb=b92c45ab817375dba8aaf2cb0a01909aada2929c;p=pve-docs.git diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 7089778..b759b91 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -84,7 +84,7 @@ name enclosed in `[` and `]`. Cluster Wide Setup ~~~~~~~~~~~~~~~~~~ -The cluster wide firewall configuration is stored at: +The cluster-wide firewall configuration is stored at: /etc/pve/firewall/cluster.fw @@ -92,13 +92,13 @@ The configuration can contain the following sections: `[OPTIONS]`:: -This is used to set cluster wide firewall options. +This is used to set cluster-wide firewall options. include::pve-firewall-cluster-opts.adoc[] `[RULES]`:: -This sections contains cluster wide firewall rules for all nodes. +This sections contains cluster-wide firewall rules for all nodes. `[IPSET ]`:: @@ -121,7 +121,7 @@ set the enable option here: ---- [OPTIONS] -# enable firewall (cluster wide setting, default is disabled) +# enable firewall (cluster-wide setting, default is disabled) enable: 1 ---- @@ -475,7 +475,7 @@ Logging of firewall rules ------------------------- By default, all logging of traffic filtered by the firewall rules is disabled. -To enable logging, the `loglevel` for incommig and/or outgoing traffic has to be +To enable logging, the `loglevel` for incoming and/or outgoing traffic has to be set in *Firewall* -> *Options*. This can be done for the host as well as for the VM/CT firewall individually. By this, logging of {PVE}'s standard firewall rules is enabled and the output can be observed in *Firewall* -> *Log*. 
@@ -528,7 +528,7 @@ Further, the log-level can also be set via the firewall configuration file by appending a `-log ` to the selected rule (see xref:pve_firewall_log_levels[possible log-levels]). -For example, the following two are ident: +For example, the following two are identical: ---- IN REJECT -p icmp -log nolog @@ -562,7 +562,7 @@ and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot). Suricata IPS integration ~~~~~~~~~~~~~~~~~~~~~~~~ -If you want to use the http://suricata-ids.org/[Suricata IPS] +If you want to use the https://suricata-ids.org/[Suricata IPS] (Intrusion Prevention System), it's possible. Packets will be forwarded to the IPS only after the firewall ACCEPTed
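Review bot: in the `@@ -92,13 +92,13 @@` hunk the `[RULES]` description line is touched only for the hyphen and still reads "This sections contains cluster-wide firewall rules for all nodes."; since the line is already being rewritten, fix the number agreement in the same pass: "This section contains cluster-wide firewall rules for all nodes."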
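Review bot: the `@@ -475,7 +475,7 @@` hunk fixes the `incommig` typo, but the following context sentence "By this, logging of {PVE}'s standard firewall rules is enabled and the output can be observed in *Firewall* -> *Log*." is awkward English; while editing this paragraph, consider "This enables logging of {PVE}'s standard firewall rules, and the output can be observed in *Firewall* -> *Log*."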