X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pve-firewall.adoc;h=ec0db307fd9b7ed7bb8434cdc2cccdbe7ee64277;hb=a39cf740e1907962a745b1ed64e6d083b934c326;hp=154c907db1ef82c32cfb6f54c07fca8fc9e78789;hpb=8c1189b640ae7d10119ff1c046580f48749d38bd;p=pve-docs.git diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 154c907..ec0db30 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -25,11 +25,11 @@ ifndef::manvolnum[] include::attributes.txt[] endif::manvolnum[] -Proxmox VE Firewall provides an easy way to protect your IT +{pve} Firewall provides an easy way to protect your IT infrastructure. You can setup firewall rules for all hosts inside a cluster, or define rules for virtual machines and containers. Features like firewall macros, security groups, IP sets -and aliases helps to make that task easier. +and aliases help to make that task easier. While all configuration is stored on the cluster file system, the `iptables`-based firewall runs on each cluster node, and thus provides @@ -67,8 +67,8 @@ file system. So those files are automatically distributed to all cluster nodes, and the `pve-firewall` service updates the underlying `iptables` rules automatically on changes. -You can configure anything using the GUI (i.e. Datacenter -> Firewall, -or on a Node -> Firewall), or you can edit the configuration files +You can configure anything using the GUI (i.e. *Datacenter* -> *Firewall*, +or on a *Node* -> *Firewall*), or you can edit the configuration files directly using your preferred editor. Firewall configuration files contains sections of key-value @@ -139,7 +139,7 @@ To simplify that task, you can instead create an IPSet called firewall rules to access the GUI from remote. -Host specific Configuration +Host Specific Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Host related configuration is read from: 
@@ -161,7 +161,7 @@ include::pve-firewall-host-opts.adoc[] This sections contains host specific firewall rules. -VM/Container configuration +VM/Container Configuration ~~~~~~~~~~~~~~~~~~~~~~~~~~ VM firewall configuration is read from: @@ -276,7 +276,8 @@ name. You can then refer to those names: * inside IP set definitions * in `source` and `dest` properties of firewall rules -Standard IP alias `local_network` + +Standard IP Alias `local_network` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This alias is automatically defined. Please use the following command @@ -303,6 +304,7 @@ explicitly assign the local IP address local_network 1.2.3.4 # use the single ip address ---- + IP Sets ------- @@ -315,11 +317,12 @@ set. IN HTTP(ACCEPT) -source +management + Standard IP set `management` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This IP set applies only to host firewalls (not VM firewalls). Those -ips are allowed to do normal management tasks (PVE GUI, VNC, SPICE, +IPs are allowed to do normal management tasks (PVE GUI, VNC, SPICE, SSH). The local cluster network is automatically added to this IP set (alias @@ -338,7 +341,7 @@ communication. (multicast,ssh,...) Standard IP set `blacklist` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Traffic from these ips is dropped by every host's and VM's firewall. +Traffic from these IPs is dropped by every host's and VM's firewall. ---- # /etc/pve/firewall/cluster.fw @@ -359,7 +362,7 @@ with a source IP not matching its interface's corresponding ipfilter set will be dropped. For containers with configured IP addresses these sets, if they exist (or are -activated via the general `IP Filter` option in the VM's firewall's 'options' +activated via the general `IP Filter` option in the VM's firewall's *options* tab), implicitly contain the associated IP addresses. For both virtual machines and containers they also implicitly contain the 
@@ -472,10 +475,11 @@ set it for the `default` interface configuration and enabling it explicitly on the interfaces which need it. This is also the case for other settings such as `forwarding`, `accept_ra` or `autoconf`. + Here's a possible setup: ----- -# /etc/sysconf.d/90-ipv6.conf +.File `/etc/sysconf.d/90-ipv6.conf` +---- net.ipv6.conf.default.forwarding = 0 net.ipv6.conf.default.proxy_ndp = 0 net.ipv6.conf.default.autoconf = 0 @@ -485,8 +489,8 @@ net.ipv6.conf.default.accept_ra = 0 net.ipv6.conf.lo.disable_ipv6 = 0 ---- +.File `/etc/network/interfaces` ---- -# /etc/network/interfaces (...) # Dual stack: iface vmbr0 inet static @@ -531,7 +535,7 @@ Beside neighbor discovery NDP is also used for a couple of other things, like autoconfiguration and advertising routers. By default VMs are allowed to send out router solicitation messages (to query -for a router), and to receive router advetisement packets. This allows them to +for a router), and to receive router advertisement packets. This allows them to use stateless auto configuration. On the other hand VMs cannot advertise themselves as routers unless the ``Allow Router Advertisement'' (`radv: 1`) option is set. @@ -543,15 +547,15 @@ corresponding link local addresses. (See the <> section for details.) -Ports used by Proxmox VE ------------------------- +Ports used by {pve} +------------------- * Web interface: 8006 * VNC Web console: 5900-5999 * SPICE proxy: 3128 * sshd (used for cluster actions): 22 * rpcbind: 111 -* corosync multicast (if you run a cluster): 5404, 5405 UDP +* corosync multicast (if you run a cluster): 5404, 5405 UDP ifdef::manvolnum[]
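Review bot: In the first hunk (`@@ -25,11`), `{pve}` replaces the literal "Proxmox VE", but the visible context shows `include::attributes.txt[]` only inside `ifndef::manvolnum[]`; confirm the `pve` attribute is also defined for the man-page build, otherwise `{pve}` is emitted literally in the rendered man page. The same applies to the later title change `Ports used by {pve}`.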
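Review bot: In the hunk at `@@ -67,8`, the unchanged context line "Firewall configuration files contains sections of key-value" has a subject-verb mismatch; since this hunk already touches the surrounding paragraph, change it to "Firewall configuration files contain sections of key-value" in the same commit.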
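Review bot: In the hunk at `@@ -359,7`, GUI elements are now marked up inconsistently within one sentence: the `IP Filter` option keeps monospace backticks while the *options* tab becomes bold, and the earlier hunk uses bold for *Datacenter* -> *Firewall*. Pick one convention for GUI labels (bold, matching the Datacenter/Node change) and apply it to `IP Filter` as well.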
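Review bot: In the hunk at `@@ -472,10`, the new block title `.File `/etc/sysconf.d/90-ipv6.conf`` carries over a path that looks wrong: `net.ipv6.conf.*` settings are sysctl keys, and the drop-in directory for persistent sysctl settings is `/etc/sysctl.d/`, not `/etc/sysconf.d/`. Since the line is being rewritten anyway, correct it to `.File `/etc/sysctl.d/90-ipv6.conf``; a reader copying the path as written would create a file that is never applied, leaving `forwarding`, `proxy_ndp` and `accept_ra` at their defaults.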
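Review bot: In the last hunk (`@@ -543,15`), the removed and added lines for `* corosync multicast (if you run a cluster): 5404, 5405 UDP` are textually identical, so this is a whitespace-only change (most likely trailing whitespace); mention that in the commit message or drop it from this commit so the diff stays limited to the wording and attribute fixes it describes.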