From a34d23e8cc1bd87b1368c52cc066eaeea425f078 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller Date: Fri, 25 Mar 2016 09:28:10 +0100 Subject: [PATCH] firewall: more complete description of the ipfilter-net* sets --- pve-firewall.adoc | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/pve-firewall.adoc b/pve-firewall.adoc index 36a4f3c..3ec1d30 100644 --- a/pve-firewall.adoc +++ b/pve-firewall.adoc @@ -263,10 +263,21 @@ Traffic from these ips is dropped by every host's and VM's firewall. 213.87.123.0/24 ---- -Standard IP set 'ipfilter' -^^^^^^^^^^^^^^^^^^^^^^^^^^ +Standard IP set 'ipfilter-net*' +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -This ipset is used to prevent ip spoofing +These filters belong to a VM's network interface and are mainly used to prevent +IP spoofing. If such a set exists for an interface then any outgoing traffic +with a source IP not matching its interface's corresponding ipfilter set will +be dropped. + +For containers with configured IP addresses these sets, if they exist (or are +activated via the general `IP Filter` option in the VM's firewall's 'options' +tab), implicitly contain the associated IP addresses. + +For both virtual machines and containers they also implicitly contain the +standard MAC-derived IPv6 link-local address in order to allow the neighbor +discovery protocol to work. ---- /etc/pve/firewall/.fw -- 2.39.2
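Review bot: The new text in this hunk never states the naming rule that ties a set to an interface; the heading's wildcard `ipfilter-net*` is the only hint, and "its interface's corresponding ipfilter set" leaves the reader to guess that the interface `net0` is filtered by the set named `ipfilter-net0`. A sentence after "These filters belong to a VM's network interface and are mainly used to prevent IP spoofing." that spells out the correspondence (for example: "The set for interface netN is named ipfilter-netN.") would make the section self-contained. Two smaller points in the same hunk: the container paragraph refers to "the VM's firewall's 'options' tab" while describing containers, so "guest's" (or naming both) would be less confusing; and `IP Filter` is set in backticks while 'options' and 'ipfilter' use the single-quote style the rest of this file uses for names, so one style should be picked.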