Cluster Wide Setup
~~~~~~~~~~~~~~~~~~
-The cluster wide firewall configuration is stored at:
+The cluster-wide firewall configuration is stored at:
/etc/pve/firewall/cluster.fw
`[OPTIONS]`::
-This is used to set cluster wide firewall options.
+This is used to set cluster-wide firewall options.
include::pve-firewall-cluster-opts.adoc[]
`[RULES]`::
-This sections contains cluster wide firewall rules for all nodes.
+This sections contains cluster-wide firewall rules for all nodes.
`[IPSET <name>]`::
----
[OPTIONS]
-# enable firewall (cluster wide setting, default is disabled)
+# enable firewall (cluster-wide setting, default is disabled)
enable: 1
----
* TCP traffic from management hosts to port 3128 for connections to the SPICE
proxy
* TCP traffic from management hosts to port 22 to allow ssh access
-* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP traffic in the cluster network to ports 5405-5412 for corosync
* UDP multicast traffic in the cluster network
* ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
(Time Exceeded)
* TCP connections with invalid connection state
* Broadcast, multicast and anycast traffic not related to corosync, i.e., not
- coming through port 5404 or 5405
+ coming through ports 5405-5412
* TCP traffic to port 43
* UDP traffic to ports 135 and 445
* UDP traffic to the port range 137 to 139
This drops or rejects all the traffic to the VMs, with some exceptions for
DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
configuration. The same rules for dropping/rejecting packets are inherited
-from the datacenter, while the exceptions for accepted incomming/outgoing
+from the datacenter, while the exceptions for accepted incoming/outgoing
traffic of the host do not apply.
Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
-------------------------
By default, all logging of traffic filtered by the firewall rules is disabled.
-To enable logging, the `loglevel` for incommig and/or outgoing traffic has to be
+To enable logging, the `loglevel` for incoming and/or outgoing traffic has to be
set in *Firewall* -> *Options*. This can be done for the host as well as for the
VM/CT firewall individually. By this, logging of {PVE}'s standard firewall rules
is enabled and the output can be observed in *Firewall* -> *Log*.
appending a `-log <loglevel>` to the selected rule (see
xref:pve_firewall_log_levels[possible log-levels]).
-For example, the following two are ident:
+For example, the following two are identical:
----
IN REJECT -p icmp -log nolog
Suricata IPS integration
~~~~~~~~~~~~~~~~~~~~~~~~
-If you want to use the http://suricata-ids.org/[Suricata IPS]
+If you want to use the https://suricata-ids.org/[Suricata IPS]
(Intrusion Prevention System), it's possible.
Packets will be forwarded to the IPS only after the firewall ACCEPTed
Ports used by {pve}
-------------------
-* Web interface: 8006
-* VNC Web console: 5900-5999
-* SPICE proxy: 3128
-* sshd (used for cluster actions): 22
-* rpcbind: 111
-* corosync multicast (if you run a cluster): 5404, 5405 UDP
-
+* Web interface: 8006 (TCP, HTTP/1.1 over TLS)
+* VNC Web console: 5900-5999 (TCP, WebSocket)
+* SPICE proxy: 3128 (TCP)
+* sshd (used for cluster actions): 22 (TCP)
+* rpcbind: 111 (UDP)
+* sendmail: 25 (TCP, outgoing)
+* corosync cluster traffic: 5405-5412 UDP
+* live migration (VM memory and local-disk data): 60000-60050 (TCP)
ifdef::manvolnum[]
projects / pve-docs.git / blobdiff