X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pve-firewall.adoc;h=a7c9d240807a8c94dd482a7d20079956d317df95;hp=5c8587748a06b9c3a54f850042a5919a77127320;hb=c80b9ee6b4bfec0ecc7398a443c9c89f8783646b;hpb=5eba07434fd010e7b96459da2a5bb676a62fe8b1 diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 5c85877..a7c9d24 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -25,7 +25,7 @@ ifndef::manvolnum[] include::attributes.txt[] endif::manvolnum[] -Proxmox VE Firewall provides an easy way to protect your IT +{pve} Firewall provides an easy way to protect your IT infrastructure. You can setup firewall rules for all hosts inside a cluster, or define rules for virtual machines and containers. Features like firewall macros, security groups, IP sets @@ -67,8 +67,8 @@ file system. So those files are automatically distributed to all cluster nodes, and the `pve-firewall` service updates the underlying `iptables` rules automatically on changes. -You can configure anything using the GUI (i.e. Datacenter -> Firewall, -or on a Node -> Firewall), or you can edit the configuration files +You can configure anything using the GUI (i.e. *Datacenter* -> *Firewall*, +or on a *Node* -> *Firewall*), or you can edit the configuration files directly using your preferred editor. Firewall configuration files contains sections of key-value @@ -362,7 +362,7 @@ with a source IP not matching its interface's corresponding ipfilter set will be dropped. For containers with configured IP addresses these sets, if they exist (or are -activated via the general `IP Filter` option in the VM's firewall's 'options' +activated via the general `IP Filter` option in the VM's firewall's *options* tab), implicitly contain the associated IP addresses. For both virtual machines and containers they also implicitly contain the 
@@ -458,68 +458,6 @@ NFQUEUE=0 ---- -Avoiding `link-local` Addresses on `tap` and `veth` Devices -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -With IPv6 enabled by default every interface gets a MAC-derived link local -address. However, most devices on a typical {pve} setup are connected to a -bridge and so the bridge is the only interface which really needs one. - -To disable a link local address on an interface you can set the interface's -`disable_ipv6` sysconf variable. Despite the name, this does not prevent IPv6 -traffic from passing through the interface when routing or bridging, so the -only noticeable effect will be the removal of the link local address. - -The easiest method of achieving this setting for all newly started VMs is to -set it for the `default` interface configuration and enabling it explicitly on -the interfaces which need it. This is also the case for other settings such as -`forwarding`, `accept_ra` or `autoconf`. - -Here's a possible setup: ----- -# /etc/sysconf.d/90-ipv6.conf - -net.ipv6.conf.default.forwarding = 0 -net.ipv6.conf.default.proxy_ndp = 0 -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.default.disable_ipv6 = 1 -net.ipv6.conf.default.accept_ra = 0 - -net.ipv6.conf.lo.disable_ipv6 = 0 ----- - ----- -# /etc/network/interfaces -(...) -# Dual stack: -iface vmbr0 inet static - address 1.2.3.4 - netmask 255.255.255.128 - gateway 1.2.3.5 -iface vmbr0 inet6 static - address fc00::31 - netmask 16 - gateway fc00::1 - accept_ra 0 - pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 - -# With IPv6-only 'pre-up' is too early and 'up' is too late. -# Work around this by creating the bridge manually -iface vmbr1 inet manual - pre-up ip link add $IFACE type bridge - up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6 -iface vmbr1 inet6 static - address fc00:b:3::1 - netmask 96 - bridge_ports none - bridge_stp off - bridge_fd 0 - bridge_vlan_aware yes - accept_ra 0 -(...) ----- - - Notes on IPv6 ------------- 
@@ -546,8 +484,8 @@ corresponding link local addresses. (See the <> section for details.) -Ports used by Proxmox VE ------------------------- +Ports used by {pve} +------------------- * Web interface: 8006 * VNC Web console: 5900-5999
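Review bot: In the @@ -25,7 hunk the new `{pve}` attribute reference lands directly below `ifndef::manvolnum[] include::attributes.txt[] endif::manvolnum[]`, so for the man page build (manvolnum defined) attributes.txt is not included at this point; please confirm the `pve` attribute reaches that build some other way, otherwise the line renders literally as `{pve}`. While this paragraph is being touched, the unchanged context line `You can setup firewall rules for all hosts` should use the verb form `set up`.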
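Review bot: In the @@ -67,8 hunk the parenthetical still opens with `i.e.` although it lists examples of where to configure (`*Datacenter* -> *Firewall*`, `*Node* -> *Firewall*`), so `e.g.` is the accurate connector. The trailing context line `Firewall configuration files contains sections of key-value` has a number-agreement error (`contain`) that belongs in the same wording pass.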
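Review bot: In the @@ -362,7 hunk the tab name is changed to bold (`*options*`) while the option name in the same sentence stays in monospace (`` `IP Filter` ``); GUI element names should get one consistent markup, so either bold both or leave both as they were.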
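Review bot: The @@ -458,68 hunk deletes the entire "Avoiding `link-local` Addresses on `tap` and `veth` Devices" section with no replacement, and the context of the following hunk still reads `(See the <> section for details.)` inside Notes on IPv6; if that cross-reference targeted the removed section it now dangles, so please check the build for a broken xref. The removed text was the only place documenting the `net.ipv6.conf.default.disable_ipv6`, `accept_ra`, `autoconf` and `forwarding` sysctls for bridge-attached `tap`/`veth` interfaces, which is hardening guidance rather than cosmetics; the commit should say where that content moved or keep it. If it is relocated rather than dropped, fix the path `/etc/sysconf.d/90-ipv6.conf` to `/etc/sysctl.d/90-ipv6.conf` and `disable_ipv6 sysconf variable` to `sysctl variable` in the moved copy, since `net.ipv6.conf.*` keys are sysctl settings.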