X-Git-Url: https://git.proxmox.com/?p=pve-docs.git;a=blobdiff_plain;f=pve-firewall.adoc;h=ec0db307fd9b7ed7bb8434cdc2cccdbe7ee64277;hp=5c8587748a06b9c3a54f850042a5919a77127320;hb=34ef065aac63f0e372510319ef4843b443c16a14;hpb=5eba07434fd010e7b96459da2a5bb676a62fe8b1 diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 5c85877..ec0db30 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -25,7 +25,7 @@ ifndef::manvolnum[] include::attributes.txt[] endif::manvolnum[] -Proxmox VE Firewall provides an easy way to protect your IT +{pve} Firewall provides an easy way to protect your IT infrastructure. You can setup firewall rules for all hosts inside a cluster, or define rules for virtual machines and containers. Features like firewall macros, security groups, IP sets @@ -67,8 +67,8 @@ file system. So those files are automatically distributed to all cluster nodes, and the `pve-firewall` service updates the underlying `iptables` rules automatically on changes. -You can configure anything using the GUI (i.e. Datacenter -> Firewall, -or on a Node -> Firewall), or you can edit the configuration files +You can configure anything using the GUI (i.e. *Datacenter* -> *Firewall*, +or on a *Node* -> *Firewall*), or you can edit the configuration files directly using your preferred editor. Firewall configuration files contains sections of key-value @@ -362,7 +362,7 @@ with a source IP not matching its interface's corresponding ipfilter set will be dropped. For containers with configured IP addresses these sets, if they exist (or are -activated via the general `IP Filter` option in the VM's firewall's 'options' +activated via the general `IP Filter` option in the VM's firewall's *options* tab), implicitly contain the associated IP addresses. For both virtual machines and containers they also implicitly contain the 
@@ -475,10 +475,11 @@ set it for the `default` interface configuration and enabling it explicitly on the interfaces which need it. This is also the case for other settings such as `forwarding`, `accept_ra` or `autoconf`. + Here's a possible setup: ----- -# /etc/sysconf.d/90-ipv6.conf +.File `/etc/sysconf.d/90-ipv6.conf` +---- net.ipv6.conf.default.forwarding = 0 net.ipv6.conf.default.proxy_ndp = 0 net.ipv6.conf.default.autoconf = 0 @@ -488,8 +489,8 @@ net.ipv6.conf.default.accept_ra = 0 net.ipv6.conf.lo.disable_ipv6 = 0 ---- +.File `/etc/network/interfaces` ---- -# /etc/network/interfaces (...) # Dual stack: iface vmbr0 inet static @@ -546,8 +547,8 @@ corresponding link local addresses. (See the <> section for details.) -Ports used by Proxmox VE ------------------------- +Ports used by {pve} +------------------- * Web interface: 8006 * VNC Web console: 5900-5999
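Review bot: `{pve}` in the opening paragraph (hunk @@ -25,7) only resolves if the attribute is already defined at that point, and the only include of `attributes.txt` visible in this hunk sits inside `ifndef::manvolnum[]`. Please confirm that the man page build, where `manvolnum` is set, also pulls in `attributes.txt` before this paragraph. Otherwise the reference will not resolve to the product name there.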
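Review bot: wording in the GUI sentence of hunk @@ -67,8: "i.e." introduces what reads as a pair of examples, so "e.g." fits better. The unchanged context line "Firewall configuration files contains sections" should read "contain". Both are cheap to fix while this paragraph is being touched.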
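Review bot: inconsistent GUI markup in hunk @@ -362,7: 'options' becomes *options* to mark it as a GUI element, but `IP Filter` in the line above is also a GUI option and stays in monospace. Suggest *IP Filter* so it matches the *Datacenter* -> *Firewall* convention introduced in hunk @@ -67,8.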
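Review bot: the new block title in hunk @@ -475,10 carries over the path `/etc/sysconf.d/90-ipv6.conf`, which looks like a typo for `/etc/sysctl.d/90-ipv6.conf`: the block contains only `net.ipv6.conf.*` sysctl keys, and sysctl drop-in files are read from `/etc/sysctl.d`. Now that the path is a rendered title rather than a comment inside the listing, readers are more likely to copy it, and a file placed in the wrong directory is never applied, which leaves `forwarding`, `proxy_ndp`, `autoconf` and `accept_ra` at their defaults instead of the hardened values shown. Suggest correcting the path in this patch.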