X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pve-firewall.adoc;h=5f76f5deaa0f36db0f75ca31d4940a430a844a49;hp=d4c4245e5ce3b485bb336400b62f62fc88c9e8c8;hb=8e4bb2611daa64720762a9d300b729b846103672;hpb=38fd0958719a329859b3d0d719c37d5df15a2d8d diff --git a/pve-firewall.adoc b/pve-firewall.adoc index d4c4245..5f76f5d 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -6,7 +6,7 @@ include::attributes.txt[] NAME ---- -pve-firewall - The PVE Firewall Daemon +pve-firewall - PVE Firewall Daemon SYNOPSYS @@ -25,13 +25,11 @@ ifndef::manvolnum[] include::attributes.txt[] endif::manvolnum[] -// Copied from pve wiki: Revision as of 08:45, 9 November 2015 - Proxmox VE Firewall provides an easy way to protect your IT -infrastructure. You can easily setup firewall rules for all hosts +infrastructure. You can setup firewall rules for all hosts inside a cluster, or define rules for virtual machines and containers. Features like firewall macros, security groups, IP sets -and aliases help making that task easier. +and aliases helps to make that task easier. While all configuration is stored on the cluster file system, the iptables based firewall runs on each cluster node, and thus provides @@ -39,8 +37,9 @@ full isolation between virtual machines. The distributed nature of this system also provides much higher bandwidth than a central firewall solution. -NOTE: If you enable the firewall, all traffic is blocked by default, -except WebGUI(8006) and ssh(22) from your local network. +The firewall has full support for IPv4 and IPv6. IPv6 support is fully +transparent, and we filter traffic for both protocols by default. So +there is no need to maintain a different set of rules for IPv6. Zones @@ -60,34 +59,61 @@ For each zone, you can define firewall rules for incoming and/or outgoing traffic. -Ports used by Proxmox VE ------------------------- - -* Web interface: 8006 -* VNC Web console: 5900-5999 -* SPICE proxy: 3128 -* sshd (used for cluster actions): 22 -* rpcbind: 111 -* corosync multicast (if you run a cluster): 5404, 5405 UDP - - -Configuration -------------- +Configuration Files +------------------- All firewall related configuration is stored on the proxmox cluster file system. So those files are automatically distributed to all cluster nodes, and the 'pve-firewall' service updates the underlying -iptables rules automatically on any change. Any configuration can be -done using the GUI (i.e. Datacenter -> Firewall -> Options tab (tabs -at the bottom of the page), or on a Node -> Firewall), so the -following configuration file snippets are just for completeness. +iptables rules automatically on changes. + +You can configure anything using the GUI (i.e. Datacenter -> Firewall, +or on a Node -> Firewall), or you can edit the configuration files +directly using your preferred editor. -Cluster wide configuration is stored at: +Firewall configuration files contains sections of key-value +pairs. Lines beginning with a '#' and blank lines are considered +comments. Sections starts with a header line containing the section +name enclosed in '[' and ']'. + + +Cluster Wide Setup +~~~~~~~~~~~~~~~~~~ + +The cluster wide firewall configuration is stored at: /etc/pve/firewall/cluster.fw -The firewall is completely disabled by default, so you need to set the -enable option here: +The configuration can contain the following sections: + +'[OPTIONS]':: + +This is used to set cluster wide firewall options. + +include::pve-firewall-cluster-opts.adoc[] + +'[RULES]':: + +This sections contains cluster wide firewall rules for all nodes. + +'[IPSET ]':: + +Cluster wide IP set definitions. + +'[GROUP ]':: + +Cluster wide security group definitions. + +'[ALIASES]':: + +Cluster wide Alias definitions. + + +Enabling the Firewall +^^^^^^^^^^^^^^^^^^^^^ + +The firewall is completely disabled by default, so you need to +set the enable option here: ---- [OPTIONS] @@ -95,74 +121,131 @@ enable option here: enable: 1 ---- -The cluster wide configuration can contain the following data: +IMPORTANT: If you enable the firewall, traffic to all hosts is blocked by +default. Only exceptions is WebGUI(8006) and ssh(22) from your local +network. -* IP set definitions -* Alias definitions -* Security group definitions -* Cluster wide firewall rules for all nodes +If you want to administrate your {pve} hosts from remote, you +need to create rules to allow traffic from those remote IPs to the web +GUI (port 8006). You may also want to allow ssh (port 22), and maybe +SPICE (port 3128). -VM firewall configuration is read from: +TIP: Please open a SSH connection to one of your {PVE} hosts before +enabling the firewall. That way you still have access to the host if +something goes wrong . - /etc/pve/firewall/.fw +To simplify that task, you can instead create an IPSet called +'management', and add all remote IPs there. This creates all required +firewall rules to access the GUI from remote. -and contains the following data: -* IP set definitions -* Alias definitions -* Firewall rules for this VM -* VM specific options +Host specific Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~ -And finally, any host related configuration is read from: +Host related configuration is read from: /etc/pve/nodes//host.fw This is useful if you want to overwrite rules from 'cluster.fw' config. You can also increase log verbosity, and set netfilter related -options. +options. The configuration can contain the following sections: + +'[OPTIONS]':: + +This is used to set host related firewall options. + +include::pve-firewall-host-opts.adoc[] + +'[RULES]':: + +This sections contains host specific firewall rules. + + +VM/Container configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +VM firewall configuration is read from: + + /etc/pve/firewall/.fw + +and contains the following data: + +'[OPTIONS]':: + +This is used to set VM/Container related firewall options. + +include::pve-firewall-vm-opts.adoc[] + +'[RULES]':: + +This sections contains VM/Container firewall rules. + +'[IPSET ]':: + +IP set definitions. -Enabling Firewall for VMs and Containers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +'[ALIASES]':: + +IP Alias definitions. + + +Enabling the Firewall for VMs and Containers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Each virtual network device has its own firewall enable flag. So you +can selectively enable the firewall for each interface. This is +required in addition to the general firewall 'enable' option. + +The firewall requires a special network device setup, so you need to +restart the VM/container after enabling the firewall on a network +interface. -You need to enable the firewall on the virtual network interface configuration. Firewall Rules -~~~~~~~~~~~~~~ +-------------- -Any firewall rule consists of a direction (`IN` or `OUT`) and an -action (`ACCEPT`, `DENY`, `REJECT`). Additional options can be used to -refine rule matches. Here are some examples: +Firewall rules consists of a direction (`IN` or `OUT`) and an +action (`ACCEPT`, `DENY`, `REJECT`). You can also specify a macro +name. Macros contain predifined sets of rules and options. Rules can be disabled by prefixing them with '|'. +.Firewall rules syntax ---- [RULES] -#TYPE ACTION [OPTIONS] -#TYPE MACRO(ACTION) [OPTIONS] +DIRECTION ACTION [OPTIONS] +|DIRECTION ACTION [OPTIONS] # disabled rule + +DIRECTION MACRO(ACTION) [OPTIONS] # use predefined macro +---- + +The following options can be used to refine rule matches. + +include::pve-firewall-rules-opts.adoc[] -# -i -# -source -# -dest -# -p -# -dport -# -sport +Here are some examples: +---- +[RULES] IN SSH(ACCEPT) -i net0 IN SSH(ACCEPT) -i net0 # a comment -IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 +IN SSH(ACCEPT) -i net0 -source 192.168.2.192 # only allow SSH from 192.168.2.192 IN SSH(ACCEPT) -i net0 -source 10.0.0.1-10.0.0.10 # accept SSH for ip range IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for ip list -IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept ssh for ipset mynetgroup -IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias +IN SSH(ACCEPT) -i net0 -source +mynetgroup # accept ssh for ipset mynetgroup +IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias |IN SSH(ACCEPT) -i net0 # disabled rule + +IN DROP # drop all incoming packages +OUT ACCEPT # accept all outgoing packages ---- Security Groups -~~~~~~~~~~~~~~~ +--------------- -A security group is a group a rules, defined at cluster level, which -can be used in all VMs rules. For example you can define a group named -`webserver` with rules to open http and https ports. +A security group is a collection of rules, defined at cluster level, which +can be used in all VMs' rules. For example you can define a group named +`webserver` with rules to open the http and https ports. ---- # /etc/pve/firewall/cluster.fw @@ -172,7 +255,7 @@ IN ACCEPT -p tcp -dport 80 IN ACCEPT -p tcp -dport 443 ---- -Then, you can add this group in a vm firewall +Then, you can add this group to a VM's firewall ---- # /etc/pve/firewall/.fw @@ -183,16 +266,16 @@ GROUP webserver IP Aliases -~~~~~~~~~~ +---------- -IP Aliases allows you to associate IP addresses of Networks with a +IP Aliases allow you to associate IP addresses of networks with a name. You can then refer to those names: * inside IP set definitions * in `source` and `dest` properties of firewall rules Standard IP alias `local_network` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This alias is automatically defined. Please use the following command to see assigned values: @@ -206,7 +289,7 @@ using detected local_network: 192.168.0.0/20 ---- The firewall automatically sets up rules to allow everything needed -for cluster communication (corosync, API, SSH). +for cluster communication (corosync, API, SSH) using this alias. The user can overwrite these values in the cluster.fw alias section. If you use a single host on a public network, it is better to @@ -219,10 +302,10 @@ local_network 1.2.3.4 # use the single ip address ---- IP Sets -~~~~~~~ +------- IP sets can be used to define groups of networks and hosts. You can -refer to them with `+name` in firewall rules `source` and `dest` +refer to them with `+name` in the firewall rules' `source` and `dest` properties. The following example allows HTTP traffic from the `management` IP @@ -231,7 +314,7 @@ set. IN HTTP(ACCEPT) -source +management Standard IP set `management` -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This IP set applies only to host firewalls (not VM firewalls). Those ips are allowed to do normal management tasks (PVE GUI, VNC, SPICE, @@ -250,9 +333,9 @@ communication. (multicast,ssh,...) ---- Standard IP set 'blacklist' -^^^^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Traffic from those ips is dropped in all hosts and VMs firewalls. +Traffic from these ips is dropped by every host's and VM's firewall. ---- # /etc/pve/firewall/cluster.fw @@ -262,10 +345,22 @@ Traffic from those ips is dropped in all hosts and VMs firewalls. 213.87.123.0/24 ---- -Standard IP set 'ipfilter' -^^^^^^^^^^^^^^^^^^^^^^^^^^ +[[ipfilter-section]] +Standard IP set 'ipfilter-net*' +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +These filters belong to a VM's network interface and are mainly used to prevent +IP spoofing. If such a set exists for an interface then any outgoing traffic +with a source IP not matching its interface's corresponding ipfilter set will +be dropped. + +For containers with configured IP addresses these sets, if they exist (or are +activated via the general `IP Filter` option in the VM's firewall's 'options' +tab), implicitly contain the associated IP addresses. -This ipset is used to prevent ip spoofing +For both virtual machines and containers they also implicitly contain the +standard MAC-derived IPv6 link-local address in order to allow the neighbor +discovery protocol to work. ---- /etc/pve/firewall/.fw @@ -274,8 +369,9 @@ This ipset is used to prevent ip spoofing 192.168.2.10 ---- + Services and Commands -~~~~~~~~~~~~~~~~~~~~~ +--------------------- The firewall runs two service daemons on each node: @@ -299,11 +395,12 @@ If you want to see the generated iptables rules you can use: # iptables-save + Tips and Tricks -~~~~~~~~~~~~~~~ +--------------- How to allow FTP -^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~ FTP is an old style protocol which uses port 21 and several other dynamic ports. So you need a rule to accept port 21. In addition, you need to load the 'ip_conntrack_ftp' module. @@ -313,8 +410,9 @@ So please run: and add `ip_conntrack_ftp` to '/etc/modules' (so that it works after a reboot) . + Suricata IPS integration -^^^^^^^^^^^^^^^^^^^^^^^^ +~~~~~~~~~~~~~~~~~~~~~~~~ If you want to use the http://suricata-ids.org/[Suricata IPS] (Intrusion Prevention System), it's possible. @@ -352,8 +450,113 @@ Available queues are defined in NFQUEUE=0 ---- +Avoiding link-local addresses on tap and veth devices +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +With IPv6 enabled by default every interface gets a MAC-derived link local +address. However, most devices on a typical {pve} setup are connected to a +bridge and so the bridge is the only interface which really needs one. + +To disable a link local address on an interface you can set the interface's +`disable_ipv6` sysconf variable. Despite the name, this does not prevent IPv6 +traffic from passing through the interface when routing or bridging, so the +only noticeable effect will be the removal of the link local address. + +The easiest method of achieving this setting for all newly started VMs is to +set it for the `default` interface configuration and enabling it explicitly on +the interfaces which need it. This is also the case for other settings such as +`forwarding`, `accept_ra` or `autoconf`. + +Here's a possible setup: +---- +# /etc/sysconf.d/90-ipv6.conf + +net.ipv6.conf.default.forwarding = 0 +net.ipv6.conf.default.proxy_ndp = 0 +net.ipv6.conf.default.autoconf = 0 +net.ipv6.conf.default.disable_ipv6 = 1 +net.ipv6.conf.default.accept_ra = 0 + +net.ipv6.conf.lo.disable_ipv6 = 0 +---- + +---- +# /etc/network/interfaces +(...) +# Dual stack: +iface vmbr0 inet static + address 1.2.3.4 + netmask 255.255.255.128 + gateway 1.2.3.5 +iface vmbr0 inet6 static + address fc00::31 + netmask 16 + gateway fc00::1 + accept_ra 0 + pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 + +# With IPv6-only 'pre-up' is too early and 'up' is too late. +# Work around this by creating the bridge manually +iface vmbr1 inet manual + pre-up ip link add $IFACE type bridge + up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 +iface vmbr1 inet6 static + address fc00:b:3::1 + netmask 96 + bridge_ports none + bridge_stp off + bridge_fd 0 + bridge_vlan_aware yes + accept_ra 0 +(...) +---- + + +Notes on IPv6 +------------- + +The firewall contains a few IPv6 specific options. One thing to note is that +IPv6 does not use the ARP protocol anymore, and instead uses NDP (Neighbor +Discovery Protocol) which works on IP level and thus needs IP addresses to +succeed. For this purpose link-local addresses derived from the interface's MAC +address are used. By default the 'NDP' option is enabled on both host and VM +level to allow neighbor discovery (NDP) packets to be sent and received. + +Beside neighbor discovery NDP is also used for a couple of other things, like +autoconfiguration and advertising routers. + +By default VMs are allowed to send out router solicitation messages (to query +for a router), and to receive router advetisement packets. This allows them to +use stateless auto configuration. On the other hand VMs cannot advertise +themselves as routers unless the 'Allow Router Advertisement' (`radv: 1`) option +is set. + +As for the link local addresses required for NDP, there's also an 'IP Filter' +(`ipfilter: 1`) option which can be enabled which has the same effect as adding +an `ipfilter-net*` ipset for each of the VM's network interfaces containing the +corresponding link local addresses. (See the +<> section for details.) + + +Ports used by Proxmox VE +------------------------ + +* Web interface: 8006 +* VNC Web console: 5900-5999 +* SPICE proxy: 3128 +* sshd (used for cluster actions): 22 +* rpcbind: 111 +* corosync multicast (if you run a cluster): 5404, 5405 UDP + ifdef::manvolnum[] -include::copyright.adoc[] -endif::manvolnum[] +Macro Definitions +----------------- + +include::pve-firewall-macros.adoc[] + + +include::pve-copyright.adoc[] + +endif::manvolnum[]