X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pve-firewall.adoc;h=6019f95c0295d940ba59fbdc604b8203d63ebabf;hp=19d9766e8a8e0cf918e79e7397553c0789f26176;hb=7e2fdb3dfdd79fb37449fd4e69f8e4c605e67361;hpb=e300cf7dabefee4420ff2be46bf64d0c38a52d8a diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 19d9766..6019f95 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -1,15 +1,17 @@ ifdef::manvolnum[] -PVE({manvolnum}) -================ +PVE(8) +====== include::attributes.txt[] +:pve-toplevel: + NAME ---- pve-firewall - PVE Firewall Daemon -SYNOPSYS +SYNOPSIS -------- include::pve-firewall.8-synopsis.adoc[] @@ -25,7 +27,12 @@ ifndef::manvolnum[] include::attributes.txt[] endif::manvolnum[] -Proxmox VE Firewall provides an easy way to protect your IT +ifdef::wiki[] +:pve-toplevel: +:title: Firewall +endif::wiki[] + +{pve} Firewall provides an easy way to protect your IT infrastructure. You can setup firewall rules for all hosts inside a cluster, or define rules for virtual machines and containers. Features like firewall macros, security groups, IP sets 
@@ -458,68 +465,6 @@ NFQUEUE=0 ---- -Avoiding `link-local` Addresses on `tap` and `veth` Devices -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -With IPv6 enabled by default every interface gets a MAC-derived link local -address. However, most devices on a typical {pve} setup are connected to a -bridge and so the bridge is the only interface which really needs one. - -To disable a link local address on an interface you can set the interface's -`disable_ipv6` sysconf variable. Despite the name, this does not prevent IPv6 -traffic from passing through the interface when routing or bridging, so the -only noticeable effect will be the removal of the link local address. - -The easiest method of achieving this setting for all newly started VMs is to -set it for the `default` interface configuration and enabling it explicitly on -the interfaces which need it. This is also the case for other settings such as -`forwarding`, `accept_ra` or `autoconf`. - -Here's a possible setup: ----- -# /etc/sysconf.d/90-ipv6.conf - -net.ipv6.conf.default.forwarding = 0 -net.ipv6.conf.default.proxy_ndp = 0 -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.default.disable_ipv6 = 1 -net.ipv6.conf.default.accept_ra = 0 - -net.ipv6.conf.lo.disable_ipv6 = 0 ----- - ----- -# /etc/network/interfaces -(...) -# Dual stack: -iface vmbr0 inet static - address 1.2.3.4 - netmask 255.255.255.128 - gateway 1.2.3.5 -iface vmbr0 inet6 static - address fc00::31 - netmask 16 - gateway fc00::1 - accept_ra 0 - pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 - -# With IPv6-only 'pre-up' is too early and 'up' is too late. -# Work around this by creating the bridge manually -iface vmbr1 inet manual - pre-up ip link add $IFACE type bridge - up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 -iface vmbr1 inet6 static - address fc00:b:3::1 - netmask 96 - bridge_ports none - bridge_stp off - bridge_fd 0 - bridge_vlan_aware yes - accept_ra 0 -(...) ----- - - Notes on IPv6 ------------- 
@@ -546,8 +491,8 @@ corresponding link local addresses. (See the <> section for details.) -Ports used by Proxmox VE ------------------------- +Ports used by {pve} +------------------- * Web interface: 8006 * VNC Web console: 5900-5999
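Review bot: in the first hunk (`@@ -1,15 +1,17 @@`) the man page title is hardcoded as `PVE(8)` where it previously came from `{manvolnum}`, while the enclosing `ifdef::manvolnum[]` still keys on that attribute; if the section number is meant to stay attribute-driven across the other man pages, this is now the one place it can drift, so either keep `PVE({manvolnum})` or document that 8 is fixed here. The `SYNOPSYS` to `SYNOPSIS` spelling fix and the new `:pve-toplevel:` line placed after `include::attributes.txt[]` are fine, and the shortened `======` and `--------` underlines match the new title widths (6 and 8 characters).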
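Review bot: in the second hunk (`@@ -25,7 +27,12 @@`) `:pve-toplevel:` is now defined twice, once inside the `ifdef::manvolnum[]` block of the first hunk and again inside the new `ifdef::wiki[]` block; if every build variant of this page is top-level, one unconditional definition after the `include::attributes.txt[]` line is simpler to maintain than two guarded copies. The `Proxmox VE` to `{pve}` substitution relies on `attributes.txt` being included before the attribute is used, which both the `ifdef::manvolnum[]` and `ifndef::manvolnum[]` branches do.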
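Review bot: the third hunk (`@@ -458,68 +465,6 @@`) deletes the entire `Avoiding link-local Addresses on tap and veth Devices` section, including the `disable_ipv6` / `accept_ra` / `autoconf` defaults and the dual-stack and IPv6-only bridge examples, but nothing in the diff shows where that hardening guidance moves, and the `Notes on IPv6` text still visible as context in the last hunk reads `corresponding link local addresses. (See the <> section for details.)`. If that cross-reference pointed at the removed section it now dangles; keep an anchor, repoint the xref, or relocate the content instead of dropping it. Should the section be moved elsewhere, also correct its example path: `/etc/sysconf.d/90-ipv6.conf` contains sysctl keys (`net.ipv6.conf.default.*`), so the directory is `/etc/sysctl.d/`, and the prose's `disable_ipv6 sysconf variable` should say `sysctl`.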