pve-firewall.adoc

   1 include::attributes.txt[]
   2 ifdef::manvolnum[]
   3 PVE({manvolnum})
   4 ================
   5
   6 NAME
   7 ----
   8
   9 pve-firewall - The PVE Firewall Daemon
  10
  11
  12 SYNOPSYS
  13 --------
  14
  15 include::pve-firewall.1-synopsis.adoc[]
  16
  17
  18 DESCRIPTION
  19 -----------
  20 endif::manvolnum[]
  21
  22 ifndef::manvolnum[]
  23 {pve} Firewall
  24 ==============
  25 endif::manvolnum[]
  26
  27 // Copied from pve wiki: Revision as of 08:45, 9 November 2015
  28
  29 Proxmox VE Firewall provides an easy way to protect your IT
  30 infrastructure. You can easily setup firewall rules for all hosts
  31 inside a cluster, or define rules for virtual machines and
  32 containers. Features like firewall macros, security groups, IP sets
  33 and aliases help making that task easier.
  34
  35 While all configuration is stored on the cluster file system, the
  36 iptables based firewall runs on each cluster node, and thus provides
  37 full isolation between virtual machines. The distributed nature of
  38 this system also provides much higher bandwidth than a central
  39 firewall solution.
  40
  41 NOTE: If you enable the firewall, all traffic is blocked by default,
  42 except WebGUI(8006) and ssh(22) from your local network.
  43
  44
  45 Zones
  46 -----
  47
  48 The Proxmox VE firewall groups the network into the following logical zones:
  49
  50 Host::
  51
  52 Traffic from/to a cluster node
  53
  54 VM::
  55
  56 Traffic from/to a specific VM
  57
  58 For each zone, you can define firewall rules for incoming and/or
  59 outgoing traffic.
  60
  61
  62 Ports used by Proxmox VE
  63 ------------------------
  64
  65 * Web interface: 8006
  66 * VNC Web console: 5900-5999
  67 * SPICE proxy: 3128
  68 * sshd (used for cluster actions): 22
  69 * rpcbind: 111
  70 *  corosync multicast (if you run a cluster): 5404, 5405 UDP
  71
  72
  73 Configuration
  74 -------------
  75
  76 All firewall related configuration is stored on the proxmox cluster
  77 file system. So those files are automatically distributed to all
  78 cluster nodes, and the 'pve-firewall' service updates the underlying
  79 iptables rules automatically on any change. Any configuration can be
  80 done using the GUI (i.e. Datacenter -> Firewall -> Options tab (tabs
  81 at the bottom of the page), or on a Node -> Firewall), so the
  82 following configuration file snippets are just for completeness.
  83
  84 Cluster wide configuration is stored at:
  85
  86  /etc/pve/firewall/cluster.fw
  87
  88 The firewall is completely disabled by default, so you need to set the
  89 enable option here:
  90
  91 ----
  92 [OPTIONS]
  93 # enable firewall (cluster wide setting, default is disabled)
  94 enable: 1
  95 ----
  96
  97 The cluster wide configuration can contain the following data:
  98
  99 * IP set definitions
 100 * Alias definitions
 101 * Security group definitions
 102 * Cluster wide firewall rules for all nodes
 103
 104 VM firewall configuration is read from:
 105
 106  /etc/pve/firewall/<VMID>.fw
 107
 108 and contains the following data:
 109
 110 * IP set definitions
 111 * Alias definitions
 112 * Firewall rules for this VM
 113 * VM specific options
 114
 115 And finally, any host related configuration is read from:
 116
 117  /etc/pve/nodes/<nodename>/host.fw
 118
 119 This is useful if you want to overwrite rules from 'cluster.fw'
 120 config. You can also increase log verbosity, and set netfilter related
 121 options.
 122
 123 Enabling Firewall for VMs and Containers
 124 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 125
 126 You need to enable the firewall on the virtual network interface configuration.
 127
 128 Firewall Rules
 129 ~~~~~~~~~~~~~~
 130
 131 Any firewall rule consists of a direction (`IN` or `OUT`) and an
 132 action (`ACCEPT`, `DENY`, `REJECT`). Additional options can be used to
 133 refine rule matches. Here are some examples:
 134
 135 ----
 136 [RULES]
 137
 138 #TYPE ACTION [OPTIONS]
 139 #TYPE MACRO(ACTION) [OPTIONS]
 140
 141 # -i      <INTERFACE>
 142 # -source <SOURCE>
 143 # -dest   <DEST>
 144 # -p      <PROTOCOL>
 145 # -dport  <DESTINATION_PORT>
 146 # -sport  <SOURCE_PORT>
 147
 148 IN SSH(ACCEPT) -i net0
 149 IN SSH(ACCEPT) -i net0 # a comment
 150 IN SSH(ACCEPT) -i net0 -source 192.168.2.192  # only allow SSH from 192.168.2.192
 151 IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH for ip range
 152 IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for ip list
 153 IN SSH(ACCEPT) -i net0 -source +mynetgroup   # accept ssh for ipset mynetgroup
 154 IN SSH(ACCEPT) -i net0 -source myserveralias   #accept ssh for alias myserveralias
 155
 156 |IN SSH(ACCEPT) -i net0 # disabled rule
 157 ----
 158
 159 Security Groups
 160 ~~~~~~~~~~~~~~~
 161
 162 A security group is a group a rules, defined at cluster level, which
 163 can be used in all VMs rules. For example you can define a group named
 164 `webserver` with rules to open http and https ports.
 165
 166 ----
 167 # /etc/pve/firewall/cluster.fw
 168
 169 [group webserver]
 170 IN  ACCEPT -p tcp -dport 80
 171 IN  ACCEPT -p tcp -dport 443
 172 ----
 173
 174 Then, you can add this group in a vm firewall
 175
 176 ----
 177 # /etc/pve/firewall/<VMID>.fw
 178
 179 [RULES]
 180 GROUP webserver
 181 ----
 182
 183
 184 IP Aliases
 185 ~~~~~~~~~~
 186
 187 IP Aliases allows you to associate IP addresses of Networks with a
 188 name. You can then refer to those names:
 189
 190 * inside IP set definitions
 191 * in `source` and `dest` properties of firewall rules
 192
 193 Standard IP alias `local_network`
 194 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 195
 196 This alias is automatically defined. Please use the following command
 197 to see assigned values:
 198
 199 ----
 200 # pve-firewall localnet
 201 local hostname: example
 202 local IP address: 192.168.2.100
 203 network auto detect: 192.168.0.0/20
 204 using detected local_network: 192.168.0.0/20
 205 ----
 206
 207 The firewall automatically sets up rules to allow everything needed
 208 for cluster communication (corosync, API, SSH).
 209
 210 The user can overwrite these values in the cluster.fw alias
 211 section. If you use a single host on a public network, it is better to
 212 explicitly assign the local IP address
 213
 214 ----
 215 #  /etc/pve/firewall/cluster.fw
 216 [ALIASES]
 217 local_network 1.2.3.4 # use the single ip address
 218 ----
 219
 220 IP Sets
 221 ~~~~~~~
 222
 223 IP sets can be used to define groups of networks and hosts. You can
 224 refer to them with `+name` in firewall rules `source` and `dest`
 225 properties.
 226
 227 The following example allows HTTP traffic from the `management` IP
 228 set.
 229
 230  IN HTTP(ACCEPT) -source +management
 231
 232 Standard IP set `management`
 233 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 234
 235 This IP set applies only to host firewalls (not VM firewalls).  Those
 236 ips are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
 237 SSH).
 238
 239 The local cluster network is automatically added to this IP set (alias
 240 `cluster_network`), to enable inter-host cluster
 241 communication. (multicast,ssh,...)
 242
 243 ----
 244 # /etc/pve/firewall/cluster.fw
 245
 246 [IPSET management]
 247 192.168.2.10
 248 192.168.2.10/24
 249 ----
 250
 251 Standard IP set 'blacklist'
 252 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 253
 254 Traffic from those ips is dropped in all hosts and VMs firewalls.
 255
 256 ----
 257 # /etc/pve/firewall/cluster.fw
 258
 259 [IPSET blacklist]
 260 77.240.159.182
 261 213.87.123.0/24
 262 ----
 263
 264 Standard IP set 'ipfilter'
 265 ^^^^^^^^^^^^^^^^^^^^^^^^^^
 266
 267 This ipset is used to prevent ip spoofing
 268
 269 ----
 270 /etc/pve/firewall/<VMID>.fw
 271
 272 [IPSET ipfilter-net0] # only allow specified IPs on net0
 273 192.168.2.10
 274 ----
 275
 276 Services and Commands
 277 ~~~~~~~~~~~~~~~~~~~~~
 278
 279 The firewall runs two service daemons on each node:
 280
 281 * pvefw-logger: NFLOG daemon (ulogd replacement).
 282 * pve-firewall: updates iptables rules
 283
 284 There is also a CLI command named 'pve-firewall', which can be used to
 285 start and stop the firewall service:
 286
 287  # pve-firewall start
 288  # pve-firewall stop
 289
 290 To get the status use:
 291
 292  # pve-firewall status
 293
 294 The above command reads and compiles all firewall rules, so you will
 295 see warnings if your firewall configuration contains any errors.
 296
 297 If you want to see the generated iptables rules you can use:
 298
 299  # iptables-save
 300
 301 Tips and Tricks
 302 ~~~~~~~~~~~~~~~
 303
 304 How to allow FTP
 305 ^^^^^^^^^^^^^^^^
 306
 307 FTP is an old style protocol which uses port 21 and several other dynamic ports. So you
 308 need a rule to accept port 21. In addition, you need to load the 'ip_conntrack_ftp' module.
 309 So please run:
 310
 311  modprobe ip_conntrack_ftp
 312
 313 and add `ip_conntrack_ftp` to '/etc/modules' (so that it works after a reboot) .
 314
 315 Suricata IPS integration
 316 ^^^^^^^^^^^^^^^^^^^^^^^^
 317
 318 If you want to use the http://suricata-ids.org/[Suricata IPS]
 319 (Intrusion Prevention System), it's possible.
 320
 321 Packets will be forwarded to the IPS only after the firewall ACCEPTed
 322 them.
 323
 324 Rejected/Dropped firewall packets don't go to the IPS.
 325
 326 Install suricata on proxmox host:
 327
 328 ----
 329 # apt-get install suricata
 330 # modprobe nfnetlink_queue
 331 ----
 332
 333 Don't forget to add `nfnetlink_queue` to '/etc/modules' for next reboot.
 334
 335 Then, enable IPS for a specific VM with:
 336
 337 ----
 338 # /etc/pve/firewall/<VMID>.fw
 339
 340 [OPTIONS]
 341 ips: 1
 342 ips_queues: 0
 343 ----
 344
 345 `ips_queues` will bind a specific cpu queue for this VM.
 346
 347 Available queues are defined in
 348
 349 ----
 350 # /etc/default/suricata
 351 NFQUEUE=0
 352 ----
 353
 354
 355 ifdef::manvolnum[]
 356 include::copyright.adoc[]
 357 endif::manvolnum[]
 358