pcie-passthrough: add short note about iommu passthrough mode

[pve-docs.git] / pve-firewall.adoc

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 7089778ccf86e304e8adb987fa370fae6bac5750..55c8804d0f4ce40fc95dd31ad5a006775ec20303 100644 (file)
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -84,7 +84,7 @@ name enclosed in `[` and `]`.
 Cluster Wide Setup
 ~~~~~~~~~~~~~~~~~~
 
-The cluster wide firewall configuration is stored at:
+The cluster-wide firewall configuration is stored at:
  
  /etc/pve/firewall/cluster.fw
 
@@ -92,13 +92,13 @@ The configuration can contain the following sections:
 
 `[OPTIONS]`::
 
-This is used to set cluster wide firewall options.
+This is used to set cluster-wide firewall options.
 
 include::pve-firewall-cluster-opts.adoc[]
 
 `[RULES]`::
 
-This sections contains cluster wide firewall rules for all nodes.
+This sections contains cluster-wide firewall rules for all nodes.
 
 `[IPSET <name>]`::
 
@@ -121,7 +121,7 @@ set the enable option here:
 
 ----
 [OPTIONS]
-# enable firewall (cluster wide setting, default is disabled)
+# enable firewall (cluster-wide setting, default is disabled)
 enable: 1
 ----
 
@@ -426,7 +426,7 @@ following traffic is still allowed for all {pve} hosts in the cluster:
 * TCP traffic from management hosts to port 3128 for connections to the SPICE
   proxy
 * TCP traffic from management hosts to port 22 to allow ssh access
-* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP traffic in the cluster network to ports 5405-5412 for corosync
 * UDP multicast traffic in the cluster network
 * ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
   (Time Exceeded)
@@ -435,7 +435,7 @@ The following traffic is dropped, but not logged even with logging enabled:
 
 * TCP connections with invalid connection state
 * Broadcast, multicast and anycast traffic not related to corosync, i.e., not
-  coming through port 5404 or 5405
+  coming through ports 5405-5412
 * TCP traffic to port 43
 * UDP traffic to ports 135 and 445
 * UDP traffic to the port range 137 to 139
@@ -475,7 +475,7 @@ Logging of firewall rules
 -------------------------
 
 By default, all logging of traffic filtered by the firewall rules is disabled.
-To enable logging, the `loglevel` for incommig and/or outgoing traffic has to be
+To enable logging, the `loglevel` for incoming and/or outgoing traffic has to be
 set in *Firewall* -> *Options*. This can be done for the host as well as for the
 VM/CT firewall individually. By this, logging of {PVE}'s standard firewall rules
 is enabled and the output can be observed in *Firewall* -> *Log*.
@@ -528,7 +528,7 @@ Further, the log-level can also be set via the firewall configuration file by
 appending a `-log <loglevel>` to the selected rule (see
 xref:pve_firewall_log_levels[possible log-levels]).
 
-For example, the following two are ident:
+For example, the following two are identical:
 
 ----
 IN REJECT -p icmp -log nolog
@@ -562,7 +562,7 @@ and add `ip_conntrack_ftp` to `/etc/modules` (so that it works after a reboot).
 Suricata IPS integration
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you want to use the http://suricata-ids.org/[Suricata IPS]
+If you want to use the https://suricata-ids.org/[Suricata IPS]
 (Intrusion Prevention System), it's possible.
 
 Packets will be forwarded to the IPS only after the firewall ACCEPTed
@@ -634,7 +634,7 @@ Ports used by {pve}
 * sshd (used for cluster actions): 22 (TCP)
 * rpcbind: 111 (UDP)
 * sendmail: 25 (TCP, outgoing)
-* corosync cluster traffic: 5404, 5405 UDP
+* corosync cluster traffic: 5405-5412 UDP
 * live migration (VM memory and local-disk data): 60000-60050 (TCP)
 
 ifdef::manvolnum[]