Cluster Wide Setup
~~~~~~~~~~~~~~~~~~
-The cluster wide firewall configuration is stored at:
+The cluster-wide firewall configuration is stored at:
/etc/pve/firewall/cluster.fw
`[OPTIONS]`::
-This is used to set cluster wide firewall options.
+This is used to set cluster-wide firewall options.
include::pve-firewall-cluster-opts.adoc[]
`[RULES]`::
-This sections contains cluster wide firewall rules for all nodes.
+This sections contains cluster-wide firewall rules for all nodes.
`[IPSET <name>]`::
----
[OPTIONS]
-# enable firewall (cluster wide setting, default is disabled)
+# enable firewall (cluster-wide setting, default is disabled)
enable: 1
----
This drops or rejects all the traffic to the VMs, with some exceptions for
DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
configuration. The same rules for dropping/rejecting packets are inherited
-from the datacenter, while the exceptions for accepted incomming/outgoing
+from the datacenter, while the exceptions for accepted incoming/outgoing
traffic of the host do not apply.
Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
Ports used by {pve}
-------------------
-* Web interface: 8006
-* VNC Web console: 5900-5999
-* SPICE proxy: 3128
-* sshd (used for cluster actions): 22
-* rpcbind: 111
-* corosync multicast (if you run a cluster): 5404, 5405 UDP
-
+* Web interface: 8006 (TCP, HTTP/1.1 over TLS)
+* VNC Web console: 5900-5999 (TCP, WebSocket)
+* SPICE proxy: 3128 (TCP)
+* sshd (used for cluster actions): 22 (TCP)
+* rpcbind: 111 (UDP)
+* sendmail: 25 (TCP, outgoing)
+* corosync cluster traffic: 5404, 5405 UDP
+* live migration (VM memory and local-disk data): 60000-60050 (TCP)
ifdef::manvolnum[]
projects / pve-docs.git / blobdiff