-include::attributes.txt[]
ifdef::manvolnum[]
PVE({manvolnum})
================
+include::attributes.txt[]
NAME
----
SYNOPSYS
--------
-include::pve-firewall.1-synopsis.adoc[]
+include::pve-firewall.8-synopsis.adoc[]
DESCRIPTION
ifndef::manvolnum[]
{pve} Firewall
==============
+include::attributes.txt[]
endif::manvolnum[]
// Copied from pve wiki: Revision as of 08:45, 9 November 2015
config. You can also increase log verbosity, and set netfilter related
options.
-Enabling Firewall for VMs and Containers
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Enabling the Firewall for VMs and Containers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-You need to enable the firewall on the virtual network interface configuration.
+You need to enable the firewall on the virtual network interface configuration
+in addition to the general 'Enable Firewall' option in the 'Options' tab.
Firewall Rules
~~~~~~~~~~~~~~
Security Groups
~~~~~~~~~~~~~~~
-A security group is a group a rules, defined at cluster level, which
-can be used in all VMs rules. For example you can define a group named
-`webserver` with rules to open http and https ports.
+A security group is a collection of rules, defined at cluster level, which
+can be used in all VMs' rules. For example you can define a group named
+`webserver` with rules to open the http and https ports.
----
# /etc/pve/firewall/cluster.fw
IN ACCEPT -p tcp -dport 443
----
-Then, you can add this group in a vm firewall
+Then, you can add this group to a VM's firewall
----
# /etc/pve/firewall/<VMID>.fw
IP Aliases
~~~~~~~~~~
-IP Aliases allows you to associate IP addresses of Networks with a
+IP Aliases allow you to associate IP addresses of networks with a
name. You can then refer to those names:
* inside IP set definitions
----
The firewall automatically sets up rules to allow everything needed
-for cluster communication (corosync, API, SSH).
+for cluster communication (corosync, API, SSH) using this alias.
The user can overwrite these values in the cluster.fw alias
section. If you use a single host on a public network, it is better to
~~~~~~~
IP sets can be used to define groups of networks and hosts. You can
-refer to them with `+name` in firewall rules `source` and `dest`
+refer to them with `+name` in the firewall rules' `source` and `dest`
properties.
The following example allows HTTP traffic from the `management` IP
Standard IP set 'blacklist'
^^^^^^^^^^^^^^^^^^^^^^^^^^^
-Traffic from those ips is dropped in all hosts and VMs firewalls.
+Traffic from these ips is dropped by every host's and VM's firewall.
----
# /etc/pve/firewall/cluster.fw
213.87.123.0/24
----
-Standard IP set 'ipfilter'
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+Standard IP set 'ipfilter-net*'
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+These filters belong to a VM's network interface and are mainly used to prevent
+IP spoofing. If such a set exists for an interface then any outgoing traffic
+with a source IP not matching its interface's corresponding ipfilter set will
+be dropped.
+
+For containers with configured IP addresses these sets, if they exist (or are
+activated via the general `IP Filter` option in the VM's firewall's 'options'
+tab), implicitly contain the associated IP addresses.
-This ipset is used to prevent ip spoofing
+For both virtual machines and containers they also implicitly contain the
+standard MAC-derived IPv6 link-local address in order to allow the neighbor
+discovery protocol to work.
----
/etc/pve/firewall/<VMID>.fw