X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pve-firewall.adoc;h=307966fa13927b6bd9a6ace007f1f89b0e12f283;hp=2f18e8ec938a21c59f47d837b86d5956cf5765f3;hb=696fb448dc961b76926b8f656f0b192e537a1fba;hpb=5f34196dc151201d3bb3b4c53662f3a9cef3897b diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 2f18e8e..307966f 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -1,7 +1,7 @@ -include::attributes.txt[] ifdef::manvolnum[] PVE({manvolnum}) ================ +include::attributes.txt[] NAME ---- @@ -22,6 +22,7 @@ endif::manvolnum[] ifndef::manvolnum[] {pve} Firewall ============== +include::attributes.txt[] endif::manvolnum[] // Copied from pve wiki: Revision as of 08:45, 9 November 2015 @@ -120,48 +121,57 @@ This is useful if you want to overwrite rules from 'cluster.fw' config. You can also increase log verbosity, and set netfilter related options. -Enabling Firewall for VMs and Containers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Enabling the Firewall for VMs and Containers +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -You need to enable the firewall on the virtual network interface configuration. +You need to enable the firewall on the virtual network interface configuration +in addition to the general 'Enable Firewall' option in the 'Options' tab. Firewall Rules ~~~~~~~~~~~~~~ -Any firewall rule consists of a direction (`IN` or `OUT`) and an -action (`ACCEPT`, `DENY`, `REJECT`). Additional options can be used to -refine rule matches. Here are some examples: +Firewall rules consists of a direction (`IN` or `OUT`) and an +action (`ACCEPT`, `DENY`, `REJECT`). You can also specify a macro +name. Macros contain predifined sets of rules and options. Rules can be disabled by prefixing them with '|'. +.Firewall rules syntax ---- [RULES] -#TYPE ACTION [OPTIONS] -#TYPE MACRO(ACTION) [OPTIONS] +DIRECTION ACTION [OPTIONS] +|DIRECTION ACTION [OPTIONS] # disabled rule + +DIRECTION MACRO(ACTION) [OPTIONS] # use predefined macro +---- + +The following options can be used to refine rule matches. + +include::pve-firewall-rules-opts.adoc[] -# -i -# -source -# -dest -# -p -# -dport -# -sport +Here are some examples: +---- +[RULES] IN SSH(ACCEPT) -i net0 IN SSH(ACCEPT) -i net0 # a comment -IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 +IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH for ip range IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for ip list -IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept ssh for ipset mynetgroup -IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias +IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept ssh for ipset mynetgroup +IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias |IN SSH(ACCEPT) -i net0 # disabled rule + +IN DROP # drop all incoming packages +OUT ACCEPT # accept all outgoing packages ---- Security Groups ~~~~~~~~~~~~~~~ -A security group is a group a rules, defined at cluster level, which -can be used in all VMs rules. For example you can define a group named -`webserver` with rules to open http and https ports. +A security group is a collection of rules, defined at cluster level, which +can be used in all VMs' rules. For example you can define a group named +`webserver` with rules to open the http and https ports. ---- # /etc/pve/firewall/cluster.fw @@ -171,7 +181,7 @@ IN ACCEPT -p tcp -dport 80 IN ACCEPT -p tcp -dport 443 ---- -Then, you can add this group in a vm firewall +Then, you can add this group to a VM's firewall ---- # /etc/pve/firewall/.fw @@ -184,7 +194,7 @@ GROUP webserver IP Aliases ~~~~~~~~~~ -IP Aliases allows you to associate IP addresses of Networks with a +IP Aliases allow you to associate IP addresses of networks with a name. You can then refer to those names: * inside IP set definitions @@ -205,7 +215,7 @@ using detected local_network: 192.168.0.0/20 ---- The firewall automatically sets up rules to allow everything needed -for cluster communication (corosync, API, SSH). +for cluster communication (corosync, API, SSH) using this alias. The user can overwrite these values in the cluster.fw alias section. If you use a single host on a public network, it is better to @@ -221,7 +231,7 @@ IP Sets ~~~~~~~ IP sets can be used to define groups of networks and hosts. You can -refer to them with `+name` in firewall rules `source` and `dest` +refer to them with `+name` in the firewall rules' `source` and `dest` properties. The following example allows HTTP traffic from the `management` IP @@ -251,7 +261,7 @@ communication. (multicast,ssh,...) Standard IP set 'blacklist' ^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Traffic from those ips is dropped in all hosts and VMs firewalls. +Traffic from these ips is dropped by every host's and VM's firewall. ---- # /etc/pve/firewall/cluster.fw @@ -261,10 +271,22 @@ Traffic from those ips is dropped in all hosts and VMs firewalls. 213.87.123.0/24 ---- -Standard IP set 'ipfilter' -^^^^^^^^^^^^^^^^^^^^^^^^^^ +[[ipfilter-section]] +Standard IP set 'ipfilter-net*' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This ipset is used to prevent ip spoofing +These filters belong to a VM's network interface and are mainly used to prevent +IP spoofing. If such a set exists for an interface then any outgoing traffic +with a source IP not matching its interface's corresponding ipfilter set will +be dropped. + +For containers with configured IP addresses these sets, if they exist (or are +activated via the general `IP Filter` option in the VM's firewall's 'options' +tab), implicitly contain the associated IP addresses. + +For both virtual machines and containers they also implicitly contain the +standard MAC-derived IPv6 link-local address in order to allow the neighbor +discovery protocol to work. ---- /etc/pve/firewall/.fw @@ -356,3 +378,69 @@ ifdef::manvolnum[] include::copyright.adoc[] endif::manvolnum[] +Notes on IPv6 +^^^^^^^^^^^^^ + +The firewall contains a few IPv6 specific options. One thing to note is that +IPv6 does not use the ARP protocol anymore, and instead uses NDP (Neighbor +Discovery Protocol) which works on IP level and thus needs IP addresses to +succeed. For this purpose link-local addresses derived from the interface's MAC +address are used. By default the 'NDP' option is enabled on both host and VM +level to allow neighbor discovery (NDP) packets to be sent and received. + +Beside neighbor discovery NDP is also used for a couple of other things, like +autoconfiguration and advertising routers. + +By default VMs are allowed to send out router solicitation messages (to query +for a router), and to receive router advetisement packets. This allows them to +use stateless auto configuration. On the other hand VMs cannot advertise +themselves as routers unless the 'Allow Router Advertisement' (`radv: 1`) option +is set. + +As for the link local addresses required for NDP, there's also an 'IP Filter' +(`ipfilter: 1`) option which can be enabled which has the same effect as adding +an `ipfilter-net*` ipset for each of the VM's network interfaces containing the +corresponding link local addresses. (See the +<> section for details.) + +Avoiding link-local addresses on tap and veth devices +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +With IPv6 enabled by default every interface gets a MAC-derived link local +address. However, most devices on a typical {pve} setup are connected to a +bridge and so the bridge is the only interface which really needs one. + +To disable a link local address on an interface you can set the interface's +`disable_ipv6` sysconf variable. Despite the name, this does not prevent IPv6 +traffic from passing through the interface when routing or bridging, so the +only noticeable effect will be the removal of the link local address. + +The easiest method of achieving this setting for all newly started VMs is to +set it for the `default` interface configuration and enabling it explicitly on +the interfaces which need it. This is also the case for other settings such as +`forwarding`, `accept_ra` or `autoconf`. + +Here's a possible setup: +---- +# /etc/sysconf.d/90-ipv6.conf + +net.ipv6.conf.default.forwarding = 0 +net.ipv6.conf.default.proxy_ndp = 0 +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.default.disable_ipv6 = 1 +net.ipv6.conf.default.accept_ra = 0 + +net.ipv6.conf.lo.disable_ipv6 = 0 +---- + +---- +# /etc/network/interfaces +(...) +iface vmbr0 inet6 static + address fc00::31 + netmask 16 + gateway fc00::1 + accept_ra 0 + pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 +(...) +----