infrastructure. You can setup firewall rules for all hosts
inside a cluster, or define rules for virtual machines and
containers. Features like firewall macros, security groups, IP sets
-and aliases helps to make that task easier.
+and aliases help to make that task easier.
While all configuration is stored on the cluster file system, the
`iptables`-based firewall runs on each cluster node, and thus provides
cluster nodes, and the `pve-firewall` service updates the underlying
`iptables` rules automatically on changes.
-You can configure anything using the GUI (i.e. Datacenter -> Firewall,
-or on a Node -> Firewall), or you can edit the configuration files
+You can configure anything using the GUI (i.e. *Datacenter* -> *Firewall*,
+or on a *Node* -> *Firewall*), or you can edit the configuration files
directly using your preferred editor.
Firewall configuration files contains sections of key-value
firewall rules to access the GUI from remote.
-Host specific Configuration
+Host Specific Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Host related configuration is read from:
This sections contains host specific firewall rules.
-VM/Container configuration
+VM/Container Configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~
VM firewall configuration is read from:
* inside IP set definitions
* in `source` and `dest` properties of firewall rules
-Standard IP alias `local_network`
+
+Standard IP Alias `local_network`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This alias is automatically defined. Please use the following command
local_network 1.2.3.4 # use the single ip address
----
+
IP Sets
-------
IN HTTP(ACCEPT) -source +management
+
Standard IP set `management`
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This IP set applies only to host firewalls (not VM firewalls). Those
-ips are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
+IPs are allowed to do normal management tasks (PVE GUI, VNC, SPICE,
SSH).
The local cluster network is automatically added to this IP set (alias
Standard IP set `blacklist`
~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Traffic from these ips is dropped by every host's and VM's firewall.
+Traffic from these IPs is dropped by every host's and VM's firewall.
----
# /etc/pve/firewall/cluster.fw
be dropped.
For containers with configured IP addresses these sets, if they exist (or are
-activated via the general `IP Filter` option in the VM's firewall's 'options'
+activated via the general `IP Filter` option in the VM's firewall's *options*
tab), implicitly contain the associated IP addresses.
For both virtual machines and containers they also implicitly contain the
the interfaces which need it. This is also the case for other settings such as
`forwarding`, `accept_ra` or `autoconf`.
+
Here's a possible setup:
-----
-# /etc/sysconf.d/90-ipv6.conf
+.File `/etc/sysconf.d/90-ipv6.conf`
+----
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.proxy_ndp = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.lo.disable_ipv6 = 0
----
+.File `/etc/network/interfaces`
----
-# /etc/network/interfaces
(...)
# Dual stack:
iface vmbr0 inet static
autoconfiguration and advertising routers.
By default VMs are allowed to send out router solicitation messages (to query
-for a router), and to receive router advetisement packets. This allows them to
+for a router), and to receive router advertisement packets. This allows them to
use stateless auto configuration. On the other hand VMs cannot advertise
themselves as routers unless the ``Allow Router Advertisement'' (`radv: 1`) option
is set.
* SPICE proxy: 3128
* sshd (used for cluster actions): 22
* rpcbind: 111
-* corosync multicast (if you run a cluster): 5404, 5405 UDP
+* corosync multicast (if you run a cluster): 5404, 5405 UDP
ifdef::manvolnum[]
projects / pve-docs.git / blobdiff