The following traffic is filtered by the default firewall configuration:
-Datacenter incomming/outgoing DROP/REJECT
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Datacenter incoming/outgoing DROP/REJECT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-If the input/output policy for the firewall is set to DROP/REJECT, the following
-traffic is still allowed for the host:
+If the input or output policy for the firewall is set to DROP or REJECT, the
+following traffic is still allowed for all {pve} hosts in the cluster:
* traffic over the loopback interface
* already established connections
-* traffic using the igmp protocol
-* tcp traffic from management hosts to port 8006 in order to allow access to
-the web interface
-* tcp traffic from management hosts to the port range 5900 to 5999 allowing
-traffic for the VNC web console
-* tcp traffic from management hosts to port 3128 for connections to the SPICE
-proxy
-* tcp traffic from management hosts to port 22 to allow ssh access
-* udp traffic in the cluster network to port 5404 and 5405 for corosync
-* udp multicast traffic in the cluster network
-* icmp traffic type 3,4 or 11
+* traffic using the IGMP protocol
+* TCP traffic from management hosts to port 8006 in order to allow access to
+ the web interface
+* TCP traffic from management hosts to the port range 5900 to 5999 allowing
+ traffic for the VNC web console
+* TCP traffic from management hosts to port 3128 for connections to the SPICE
+ proxy
+* TCP traffic from management hosts to port 22 to allow ssh access
+* UDP traffic in the cluster network to port 5404 and 5405 for corosync
+* UDP multicast traffic in the cluster network
+* ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
+ (Time Exceeded)
The following traffic is dropped, but not logged even with logging enabled:
-* tcp connections with invalid connection state
-* Broad-, multi- and anycast traffic not related to corosync
-* tcp traffic to port 43
-* udp traffic to ports 135 and 445
-* udp traffic to the port range 137 to 139
-* udp traffic form source port 137 to port range 1024 to 65535
-* udp traffic to port 1900
-* tcp traffic to port 135, 139 and 445
-* udp traffic originating from source port 53
-
-The rest of the traffic is dropped/rejected and logged.
+* TCP connections with invalid connection state
+* Broadcast, multicast and anycast traffic not related to corosync, i.e., not
+ coming through port 5404 or 5405
+* TCP traffic to port 43
+* UDP traffic to ports 135 and 445
+* UDP traffic to the port range 137 to 139
+* UDP traffic form source port 137 to port range 1024 to 65535
+* UDP traffic to port 1900
+* TCP traffic to port 135, 139 and 445
+* UDP traffic originating from source port 53
+
+The rest of the traffic is dropped or rejected, respectively, and also logged.
This may vary depending on the additional options enabled in
*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.
-Please inspect the output of
+[[pve_firewall_iptables_inspect]]
+Please inspect the output of the
+----
# iptables-save
+----
-to see the firewall chains and rules active on your system.
-
-VM/CT incomming/outgoing DROP/REJECT
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This drops/rejects all the traffic to the VMs, with some exceptions for DHCP, NDP,
-Router Advertisement, MAC and IP filtering depending on the set configuration.
-The same rules for dropping/rejecting packets are inherited from the datacenter,
-while the exceptions for accepted incomming/outgoing traffic of the host do not
-apply.
+system command to see the firewall chains and rules active on your system.
+This output is also included in a `System Report`, accessible over a node's
+subscription tab in the web GUI, or through the `pvereport` command line tool.
-Again, please inspect the output of
+VM/CT incoming/outgoing DROP/REJECT
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- # iptables-save
+This drops or rejects all the traffic to the VMs, with some exceptions for
+DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
+configuration. The same rules for dropping/rejecting packets are inherited
+from the datacenter, while the exceptions for accepted incomming/outgoing
+traffic of the host do not apply.
-to see in detail the firewall chains and rules active for the VMs/CTs.
+Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
+to inspect all rules and chains applied.
Logging of firewall rules
-------------------------
[width="25%", options="header"]
|===================
| loglevel | LOGID
-| nolog | no log
+| nolog | --
| emerg | 0
| alert | 1
| crit | 2
projects / pve-docs.git / commitdiff