pct.adoc: remove section "Container Advantage"

[pve-docs.git] / pve-firewall.adoc

diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index 154c907db1ef82c32cfb6f54c07fca8fc9e78789..8f5936cec18b6728c1edb5b04a50ad9dd85ca7fb 100644 (file)
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -1,7 +1,9 @@
+[[chapter_pve_firewall]]

 ifdef::manvolnum[]
 ifdef::manvolnum[]

-PVE({manvolnum})
-================
+pve-firewall(8)
+===============

 include::attributes.txt[]
 include::attributes.txt[]

+:pve-toplevel:

 
 NAME
 ----
 
 NAME
 ----


@@ -9,7 +11,7 @@ NAME
 pve-firewall - PVE Firewall Daemon
 
 
 pve-firewall - PVE Firewall Daemon
 
 

-SYNOPSYS
+SYNOPSIS

 --------
 
 include::pve-firewall.8-synopsis.adoc[]
 --------
 
 include::pve-firewall.8-synopsis.adoc[]


@@ -18,18 +20,21 @@ include::pve-firewall.8-synopsis.adoc[]
 DESCRIPTION
 -----------
 endif::manvolnum[]
 DESCRIPTION
 -----------
 endif::manvolnum[]

-

 ifndef::manvolnum[]
 {pve} Firewall
 ==============
 include::attributes.txt[]
 ifndef::manvolnum[]
 {pve} Firewall
 ==============
 include::attributes.txt[]

+:pve-toplevel:

 endif::manvolnum[]
 endif::manvolnum[]

+ifdef::wiki[]
+:title: Firewall
+endif::wiki[]

 
 

-Proxmox VE Firewall provides an easy way to protect your IT
+{pve} Firewall provides an easy way to protect your IT

 infrastructure. You can setup firewall rules for all hosts
 inside a cluster, or define rules for virtual machines and
 containers. Features like firewall macros, security groups, IP sets
 infrastructure. You can setup firewall rules for all hosts
 inside a cluster, or define rules for virtual machines and
 containers. Features like firewall macros, security groups, IP sets

-and aliases helps to make that task easier.
+and aliases help to make that task easier.

 
 While all configuration is stored on the cluster file system, the
 `iptables`-based firewall runs on each cluster node, and thus provides
 
 While all configuration is stored on the cluster file system, the
 `iptables`-based firewall runs on each cluster node, and thus provides


@@ -67,8 +72,8 @@ file system. So those files are automatically distributed to all
 cluster nodes, and the `pve-firewall` service updates the underlying
 `iptables` rules automatically on changes.
 
 cluster nodes, and the `pve-firewall` service updates the underlying
 `iptables` rules automatically on changes.
 

-You can configure anything using the GUI (i.e. Datacenter -> Firewall,
-or on a Node -> Firewall), or you can edit the configuration files
+You can configure anything using the GUI (i.e. *Datacenter* -> *Firewall*,
+or on a *Node* -> *Firewall*), or you can edit the configuration files

 directly using your preferred editor.
 
 Firewall configuration files contains sections of key-value
 directly using your preferred editor.
 
 Firewall configuration files contains sections of key-value


@@ -77,6 +82,7 @@ comments. Sections starts with a header line containing the section
 name enclosed in `[` and `]`.
 
 
 name enclosed in `[` and `]`.
 
 

+[[pve_firewall_cluster_wide_setup]]

 Cluster Wide Setup
 ~~~~~~~~~~~~~~~~~~
 
 Cluster Wide Setup
 ~~~~~~~~~~~~~~~~~~
 


@@ -139,7 +145,8 @@ To simplify that task, you can instead create an IPSet called
 firewall rules to access the GUI from remote.
 
 
 firewall rules to access the GUI from remote.
 
 

-Host specific Configuration
+[[pve_firewall_host_specific_configuration]]
+Host Specific Configuration

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Host related configuration is read from:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Host related configuration is read from:


@@ -160,8 +167,8 @@ include::pve-firewall-host-opts.adoc[]
 
 This sections contains host specific firewall rules.
 
 
 This sections contains host specific firewall rules.
 

-
-VM/Container configuration
+[[pve_firewall_vm_container_configuration]]
+VM/Container Configuration

 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 VM firewall configuration is read from:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 VM firewall configuration is read from:


@@ -242,6 +249,7 @@ OUT ACCEPT # accept all outgoing packages
 ----
 
 
 ----
 
 

+[[pve_firewall_security_groups]]

 Security Groups
 ---------------
 
 Security Groups
 ---------------
 


@@ -266,7 +274,7 @@ Then, you can add this group to a VM's firewall
 GROUP webserver
 ----
 
 GROUP webserver
 ----
 

-
+[[pve_firewall_ip_aliases]]

 IP Aliases
 ----------
 
 IP Aliases
 ----------
 


@@ -276,7 +284,8 @@ name. You can then refer to those names:
 * inside IP set definitions
 * in `source` and `dest` properties of firewall rules
 
 * inside IP set definitions
 * in `source` and `dest` properties of firewall rules
 

-Standard IP alias `local_network`
+
+Standard IP Alias `local_network`

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 This alias is automatically defined. Please use the following command
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 This alias is automatically defined. Please use the following command


@@ -303,6 +312,7 @@ explicitly assign the local IP address
 local_network 1.2.3.4 # use the single ip address
 ----
 
 local_network 1.2.3.4 # use the single ip address
 ----
 

+[[pve_firewall_ip_sets]]

 IP Sets
 -------
 
 IP Sets
 -------
 


@@ -315,11 +325,12 @@ set.
 
  IN HTTP(ACCEPT) -source +management
 
 
  IN HTTP(ACCEPT) -source +management
 

+

 Standard IP set `management`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 This IP set applies only to host firewalls (not VM firewalls).  Those
 Standard IP set `management`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 This IP set applies only to host firewalls (not VM firewalls).  Those

-ips are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
+IPs are allowed to do normal management tasks (PVE GUI, VNC, SPICE,

 SSH).
 
 The local cluster network is automatically added to this IP set (alias
 SSH).
 
 The local cluster network is automatically added to this IP set (alias


@@ -338,7 +349,7 @@ communication. (multicast,ssh,...)
 Standard IP set `blacklist`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Standard IP set `blacklist`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

-Traffic from these ips is dropped by every host's and VM's firewall.
+Traffic from these IPs is dropped by every host's and VM's firewall.

 
 ----
 # /etc/pve/firewall/cluster.fw
 
 ----
 # /etc/pve/firewall/cluster.fw


@@ -349,7 +360,7 @@ Traffic from these ips is dropped by every host's and VM's firewall.
 ----
 
 
 ----
 
 

-[[ipfilter-section]]
+[[pve_firewall_ipfilter_section]]

 Standard IP set `ipfilter-net*`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Standard IP set `ipfilter-net*`
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


@@ -359,7 +370,7 @@ with a source IP not matching its interface's corresponding ipfilter set will
 be dropped.
 
 For containers with configured IP addresses these sets, if they exist (or are
 be dropped.
 
 For containers with configured IP addresses these sets, if they exist (or are

-activated via the general `IP Filter` option in the VM's firewall's 'options'
+activated via the general `IP Filter` option in the VM's firewall's *options*

 tab), implicitly contain the associated IP addresses.
 
 For both virtual machines and containers they also implicitly contain the
 tab), implicitly contain the associated IP addresses.
 
 For both virtual machines and containers they also implicitly contain the


@@ -455,68 +466,6 @@ NFQUEUE=0
 ----
 
 
 ----
 
 

-Avoiding `link-local` Addresses on `tap` and `veth` Devices
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-With IPv6 enabled by default every interface gets a MAC-derived link local
-address. However, most devices on a typical {pve} setup are connected to a
-bridge and so the bridge is the only interface which really needs one.
-
-To disable a link local address on an interface you can set the interface's
-`disable_ipv6` sysconf variable. Despite the name, this does not prevent IPv6
-traffic from passing through the interface when routing or bridging, so the
-only noticeable effect will be the removal of the link local address.
-
-The easiest method of achieving this setting for all newly started VMs is to
-set it for the `default` interface configuration and enabling it explicitly on
-the interfaces which need it. This is also the case for other settings such as
-`forwarding`, `accept_ra` or `autoconf`.
-
-Here's a possible setup:
-----
-# /etc/sysconf.d/90-ipv6.conf
-
-net.ipv6.conf.default.forwarding = 0
-net.ipv6.conf.default.proxy_ndp = 0
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.default.disable_ipv6 = 1
-net.ipv6.conf.default.accept_ra = 0
-
-net.ipv6.conf.lo.disable_ipv6 = 0
-----
-
-----
-# /etc/network/interfaces
-(...)
-# Dual stack:
-iface vmbr0 inet static
-    address 1.2.3.4
-    netmask 255.255.255.128
-    gateway 1.2.3.5
-iface vmbr0 inet6 static
-    address fc00::31
-    netmask 16
-    gateway fc00::1
-    accept_ra 0
-    pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
-
-# With IPv6-only 'pre-up' is too early and 'up' is too late.
-# Work around this by creating the bridge manually
-iface vmbr1 inet manual
-    pre-up ip link add $IFACE type bridge
-    up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
-iface vmbr1 inet6 static
-    address fc00:b:3::1
-    netmask 96
-    bridge_ports none
-    bridge_stp off
-    bridge_fd 0
-    bridge_vlan_aware yes
-    accept_ra 0
-(...)
-----
-
-

 Notes on IPv6
 -------------
 
 Notes on IPv6
 -------------
 


@@ -531,7 +480,7 @@ Beside neighbor discovery NDP is also used for a couple of other things, like
 autoconfiguration and advertising routers.
 
 By default VMs are allowed to send out router solicitation messages (to query
 autoconfiguration and advertising routers.
 
 By default VMs are allowed to send out router solicitation messages (to query

-for a router), and to receive router advetisement packets. This allows them to
+for a router), and to receive router advertisement packets. This allows them to

 use stateless auto configuration. On the other hand VMs cannot advertise
 themselves as routers unless the ``Allow Router Advertisement'' (`radv: 1`) option
 is set.
 use stateless auto configuration. On the other hand VMs cannot advertise
 themselves as routers unless the ``Allow Router Advertisement'' (`radv: 1`) option
 is set.


@@ -540,18 +489,18 @@ As for the link local addresses required for NDP, there's also an ``IP Filter''
 (`ipfilter: 1`) option which can be enabled which has the same effect as adding
 an `ipfilter-net*` ipset for each of the VM's network interfaces containing the
 corresponding link local addresses.  (See the
 (`ipfilter: 1`) option which can be enabled which has the same effect as adding
 an `ipfilter-net*` ipset for each of the VM's network interfaces containing the
 corresponding link local addresses.  (See the

-<<ipfilter-section,Standard IP set `ipfilter-net*`>> section for details.)
+<<pve_firewall_ipfilter_section,Standard IP set `ipfilter-net*`>> section for details.)

 
 
 
 

-Ports used by Proxmox VE
-------------------------
+Ports used by {pve}
+-------------------

 
 * Web interface: 8006
 * VNC Web console: 5900-5999
 * SPICE proxy: 3128
 * sshd (used for cluster actions): 22
 * rpcbind: 111
 
 * Web interface: 8006
 * VNC Web console: 5900-5999
 * SPICE proxy: 3128
 * sshd (used for cluster actions): 22
 * rpcbind: 111

-*  corosync multicast (if you run a cluster): 5404, 5405 UDP
+* corosync multicast (if you run a cluster): 5404, 5405 UDP

 
 
 ifdef::manvolnum[]
 
 
 ifdef::manvolnum[]