pve-firewall.adoc

   1 ifdef::manvolnum[]
   2 PVE({manvolnum})
   3 ================
   4 include::attributes.txt[]
   5
   6 NAME
   7 ----
   8
   9 pve-firewall - The PVE Firewall Daemon
  10
  11
  12 SYNOPSYS
  13 --------
  14
  15 include::pve-firewall.8-synopsis.adoc[]
  16
  17
  18 DESCRIPTION
  19 -----------
  20 endif::manvolnum[]
  21
  22 ifndef::manvolnum[]
  23 {pve} Firewall
  24 ==============
  25 include::attributes.txt[]
  26 endif::manvolnum[]
  27
  28 // Copied from pve wiki: Revision as of 08:45, 9 November 2015
  29
  30 Proxmox VE Firewall provides an easy way to protect your IT
  31 infrastructure. You can easily setup firewall rules for all hosts
  32 inside a cluster, or define rules for virtual machines and
  33 containers. Features like firewall macros, security groups, IP sets
  34 and aliases help making that task easier.
  35
  36 While all configuration is stored on the cluster file system, the
  37 iptables based firewall runs on each cluster node, and thus provides
  38 full isolation between virtual machines. The distributed nature of
  39 this system also provides much higher bandwidth than a central
  40 firewall solution.
  41
  42 NOTE: If you enable the firewall, all traffic is blocked by default,
  43 except WebGUI(8006) and ssh(22) from your local network.
  44
  45
  46 Zones
  47 -----
  48
  49 The Proxmox VE firewall groups the network into the following logical zones:
  50
  51 Host::
  52
  53 Traffic from/to a cluster node
  54
  55 VM::
  56
  57 Traffic from/to a specific VM
  58
  59 For each zone, you can define firewall rules for incoming and/or
  60 outgoing traffic.
  61
  62
  63 Ports used by Proxmox VE
  64 ------------------------
  65
  66 * Web interface: 8006
  67 * VNC Web console: 5900-5999
  68 * SPICE proxy: 3128
  69 * sshd (used for cluster actions): 22
  70 * rpcbind: 111
  71 *  corosync multicast (if you run a cluster): 5404, 5405 UDP
  72
  73
  74 Configuration
  75 -------------
  76
  77 All firewall related configuration is stored on the proxmox cluster
  78 file system. So those files are automatically distributed to all
  79 cluster nodes, and the 'pve-firewall' service updates the underlying
  80 iptables rules automatically on any change. Any configuration can be
  81 done using the GUI (i.e. Datacenter -> Firewall -> Options tab (tabs
  82 at the bottom of the page), or on a Node -> Firewall), so the
  83 following configuration file snippets are just for completeness.
  84
  85 Cluster wide configuration is stored at:
  86
  87  /etc/pve/firewall/cluster.fw
  88
  89 The firewall is completely disabled by default, so you need to set the
  90 enable option here:
  91
  92 ----
  93 [OPTIONS]
  94 # enable firewall (cluster wide setting, default is disabled)
  95 enable: 1
  96 ----
  97
  98 The cluster wide configuration can contain the following data:
  99
 100 * IP set definitions
 101 * Alias definitions
 102 * Security group definitions
 103 * Cluster wide firewall rules for all nodes
 104
 105 VM firewall configuration is read from:
 106
 107  /etc/pve/firewall/<VMID>.fw
 108
 109 and contains the following data:
 110
 111 * IP set definitions
 112 * Alias definitions
 113 * Firewall rules for this VM
 114 * VM specific options
 115
 116 And finally, any host related configuration is read from:
 117
 118  /etc/pve/nodes/<nodename>/host.fw
 119
 120 This is useful if you want to overwrite rules from 'cluster.fw'
 121 config. You can also increase log verbosity, and set netfilter related
 122 options.
 123
 124 Enabling Firewall for VMs and Containers
 125 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 126
 127 You need to enable the firewall on the virtual network interface configuration.
 128
 129 Firewall Rules
 130 ~~~~~~~~~~~~~~
 131
 132 Any firewall rule consists of a direction (`IN` or `OUT`) and an
 133 action (`ACCEPT`, `DENY`, `REJECT`). Additional options can be used to
 134 refine rule matches. Here are some examples:
 135
 136 ----
 137 [RULES]
 138
 139 #TYPE ACTION [OPTIONS]
 140 #TYPE MACRO(ACTION) [OPTIONS]
 141
 142 # -i      <INTERFACE>
 143 # -source <SOURCE>
 144 # -dest   <DEST>
 145 # -p      <PROTOCOL>
 146 # -dport  <DESTINATION_PORT>
 147 # -sport  <SOURCE_PORT>
 148
 149 IN SSH(ACCEPT) -i net0
 150 IN SSH(ACCEPT) -i net0 # a comment
 151 IN SSH(ACCEPT) -i net0 -source 192.168.2.192  # only allow SSH from 192.168.2.192
 152 IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH for ip range
 153 IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for ip list
 154 IN SSH(ACCEPT) -i net0 -source +mynetgroup   # accept ssh for ipset mynetgroup
 155 IN SSH(ACCEPT) -i net0 -source myserveralias   #accept ssh for alias myserveralias
 156
 157 |IN SSH(ACCEPT) -i net0 # disabled rule
 158 ----
 159
 160 Security Groups
 161 ~~~~~~~~~~~~~~~
 162
 163 A security group is a group a rules, defined at cluster level, which
 164 can be used in all VMs rules. For example you can define a group named
 165 `webserver` with rules to open http and https ports.
 166
 167 ----
 168 # /etc/pve/firewall/cluster.fw
 169
 170 [group webserver]
 171 IN  ACCEPT -p tcp -dport 80
 172 IN  ACCEPT -p tcp -dport 443
 173 ----
 174
 175 Then, you can add this group in a vm firewall
 176
 177 ----
 178 # /etc/pve/firewall/<VMID>.fw
 179
 180 [RULES]
 181 GROUP webserver
 182 ----
 183
 184
 185 IP Aliases
 186 ~~~~~~~~~~
 187
 188 IP Aliases allows you to associate IP addresses of Networks with a
 189 name. You can then refer to those names:
 190
 191 * inside IP set definitions
 192 * in `source` and `dest` properties of firewall rules
 193
 194 Standard IP alias `local_network`
 195 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 196
 197 This alias is automatically defined. Please use the following command
 198 to see assigned values:
 199
 200 ----
 201 # pve-firewall localnet
 202 local hostname: example
 203 local IP address: 192.168.2.100
 204 network auto detect: 192.168.0.0/20
 205 using detected local_network: 192.168.0.0/20
 206 ----
 207
 208 The firewall automatically sets up rules to allow everything needed
 209 for cluster communication (corosync, API, SSH).
 210
 211 The user can overwrite these values in the cluster.fw alias
 212 section. If you use a single host on a public network, it is better to
 213 explicitly assign the local IP address
 214
 215 ----
 216 #  /etc/pve/firewall/cluster.fw
 217 [ALIASES]
 218 local_network 1.2.3.4 # use the single ip address
 219 ----
 220
 221 IP Sets
 222 ~~~~~~~
 223
 224 IP sets can be used to define groups of networks and hosts. You can
 225 refer to them with `+name` in firewall rules `source` and `dest`
 226 properties.
 227
 228 The following example allows HTTP traffic from the `management` IP
 229 set.
 230
 231  IN HTTP(ACCEPT) -source +management
 232
 233 Standard IP set `management`
 234 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 235
 236 This IP set applies only to host firewalls (not VM firewalls).  Those
 237 ips are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
 238 SSH).
 239
 240 The local cluster network is automatically added to this IP set (alias
 241 `cluster_network`), to enable inter-host cluster
 242 communication. (multicast,ssh,...)
 243
 244 ----
 245 # /etc/pve/firewall/cluster.fw
 246
 247 [IPSET management]
 248 192.168.2.10
 249 192.168.2.10/24
 250 ----
 251
 252 Standard IP set 'blacklist'
 253 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
 254
 255 Traffic from those ips is dropped in all hosts and VMs firewalls.
 256
 257 ----
 258 # /etc/pve/firewall/cluster.fw
 259
 260 [IPSET blacklist]
 261 77.240.159.182
 262 213.87.123.0/24
 263 ----
 264
 265 Standard IP set 'ipfilter'
 266 ^^^^^^^^^^^^^^^^^^^^^^^^^^
 267
 268 This ipset is used to prevent ip spoofing
 269
 270 ----
 271 /etc/pve/firewall/<VMID>.fw
 272
 273 [IPSET ipfilter-net0] # only allow specified IPs on net0
 274 192.168.2.10
 275 ----
 276
 277 Services and Commands
 278 ~~~~~~~~~~~~~~~~~~~~~
 279
 280 The firewall runs two service daemons on each node:
 281
 282 * pvefw-logger: NFLOG daemon (ulogd replacement).
 283 * pve-firewall: updates iptables rules
 284
 285 There is also a CLI command named 'pve-firewall', which can be used to
 286 start and stop the firewall service:
 287
 288  # pve-firewall start
 289  # pve-firewall stop
 290
 291 To get the status use:
 292
 293  # pve-firewall status
 294
 295 The above command reads and compiles all firewall rules, so you will
 296 see warnings if your firewall configuration contains any errors.
 297
 298 If you want to see the generated iptables rules you can use:
 299
 300  # iptables-save
 301
 302 Tips and Tricks
 303 ~~~~~~~~~~~~~~~
 304
 305 How to allow FTP
 306 ^^^^^^^^^^^^^^^^
 307
 308 FTP is an old style protocol which uses port 21 and several other dynamic ports. So you
 309 need a rule to accept port 21. In addition, you need to load the 'ip_conntrack_ftp' module.
 310 So please run:
 311
 312  modprobe ip_conntrack_ftp
 313
 314 and add `ip_conntrack_ftp` to '/etc/modules' (so that it works after a reboot) .
 315
 316 Suricata IPS integration
 317 ^^^^^^^^^^^^^^^^^^^^^^^^
 318
 319 If you want to use the http://suricata-ids.org/[Suricata IPS]
 320 (Intrusion Prevention System), it's possible.
 321
 322 Packets will be forwarded to the IPS only after the firewall ACCEPTed
 323 them.
 324
 325 Rejected/Dropped firewall packets don't go to the IPS.
 326
 327 Install suricata on proxmox host:
 328
 329 ----
 330 # apt-get install suricata
 331 # modprobe nfnetlink_queue
 332 ----
 333
 334 Don't forget to add `nfnetlink_queue` to '/etc/modules' for next reboot.
 335
 336 Then, enable IPS for a specific VM with:
 337
 338 ----
 339 # /etc/pve/firewall/<VMID>.fw
 340
 341 [OPTIONS]
 342 ips: 1
 343 ips_queues: 0
 344 ----
 345
 346 `ips_queues` will bind a specific cpu queue for this VM.
 347
 348 Available queues are defined in
 349
 350 ----
 351 # /etc/default/suricata
 352 NFQUEUE=0
 353 ----
 354
 355
 356 ifdef::manvolnum[]
 357 include::copyright.adoc[]
 358 endif::manvolnum[]
 359