X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pve-firewall.adoc;h=555e90ee6789b38f6c41bf7efe0254a2ce42edac;hp=bc9df0e6ca736eec01d9992648c99fb8ff9b069f;hb=7d47064e8ac888788ad5005d2edf7c575cb73d1c;hpb=924c0ec94676ba1106a5deda1bd73827dc06e6b0 diff --git a/pve-firewall.adoc b/pve-firewall.adoc index bc9df0e..555e90e 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -231,8 +231,8 @@ Here are some examples: IN SSH(ACCEPT) -i net0 IN SSH(ACCEPT) -i net0 # a comment IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 -IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH for ip range -IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for ip list +IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH for IP range +IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for IP list IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept ssh for ipset mynetgroup IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias @@ -303,7 +303,7 @@ explicitly assign the local IP address ---- # /etc/pve/firewall/cluster.fw [ALIASES] -local_network 1.2.3.4 # use the single ip address +local_network 1.2.3.4 # use the single IP address ---- [[pve_firewall_ip_sets]] 
@@ -404,6 +404,49 @@ If you want to see the generated iptables rules you can use: # iptables-save +Logging of firewall rules +------------------------- + +By default, logging of traffic filtered by the firewall rules is disabled. To +enable logging for the default firewall rules, the log-level for incommig and +outgoing traffic has to be set in the firewall `Options` tab for the host and/or +the VM/CT firewall. +Logging of dropped packets is rate limited to 1 packet per second in order to +reduce output to the log file. +Further, only some dropped or rejected packets are logged for the standard rules. + +In order to log packets filtered by user-defined firewall rules, it is possible +to set a log-level parameter for each rule individually. +This allows to log in a fine grained manner and independent of the log-level +defined for the standard rules. +In particular, each rule is logged independently from the log-level set for the +standard rules in the firewall `Options`. + +The log level for the rule can also be set via the firewall configuration file by +appending a `-log ` to the selected rule. +Here, `` is one of the following flags, attached to the log output: +`nolog, emerg, alert, crit, err, warning, notice, info, debug` + +For example: + +---- +IN REJECT -p icmp -log nolog +---- + +is the same as + +---- +IN REJECT -p icmp +---- + +whereas + +---- +IN REJECT -p icmp -log debug +---- + +produces a log output flagged with the `debug` level. + Tips and Tricks --------------- @@ -471,7 +514,7 @@ address are used. By default the `NDP` option is enabled on both host and VM level to allow neighbor discovery (NDP) packets to be sent and received. Beside neighbor discovery NDP is also used for a couple of other things, like -autoconfiguration and advertising routers. +auto-configuration and advertising routers. By default VMs are allowed to send out router solicitation messages (to query for a router), and to receive router advertisement packets. This allows them to
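Review bot: in the first hunk (the `-source` examples around line 231), the two rewritten lines capitalize `ip` to `IP` but keep `ssh` lowercase and `#accept` without a space after `#`, while the lines directly above use `SSH` and `# accept`; since the hunk already touches these lines, make them consistent, e.g. `# accept SSH for IP range` and `# accept SSH for IP list`, and the two following untouched lines (`+mynetgroup`, `myserveralias`) carry the same `ssh`/`#accept` inconsistency.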
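Review bot: the new "Logging of firewall rules" section has a typo and two wording problems: `incommig` should be `incoming`; "This allows to log in a fine grained manner and independent of the log-level ..." should read "This allows logging in a fine-grained manner, independent of the log-level ..."; and the next sentence ("In particular, each rule is logged independently from the log-level set for the standard rules ...") restates the previous one and can be dropped. In "appending a `-log ` to the selected rule. Here, `` is one of the following flags", the placeholder between the backticks is empty as rendered, so a reader cannot tell what value follows `-log`; spell the placeholder out (and remember that angle-bracketed text is swallowed by HTML rendering). Also, `nolog` is listed as a flag "attached to the log output", but the first example shows it disables logging for that rule entirely; state that separately rather than listing it with the levels.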