optimize bridge chains
[pve-firewall.git] / README

Experimental software, only used for testing!
=============================================

Note: you need to change values in /etc/sysctl.d/pve.conf to:

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 1

and reboot after that change.
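As an added check that is not part of pve-firewall, the following Python parses a sysctl.d-style file and reports which of the four keys above are missing or not set to 1. The file contents it runs on are constructed samples, not real host files.

```python
"""Added example, not part of pve-firewall: check a sysctl.d-style file
for the four bridge netfilter keys that must be set to 1."""

# The keys the README requires, with their expected values.
REQUIRED = {
    "net.bridge.bridge-nf-call-ip6tables": "1",
    "net.bridge.bridge-nf-call-iptables": "1",
    "net.bridge.bridge-nf-call-arptables": "1",
    "net.bridge.bridge-nf-filter-vlan-tagged": "1",
}


def parse_sysctl(text):
    """Parse 'key = value' lines; '#' or ';' starts a comment, and a later
    assignment of the same key wins, as with sysctl itself."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def missing_bridge_nf(text):
    """Return {key: value-or-None} for every required key that is absent
    or not set to the required value; an empty dict means the file is fine."""
    values = parse_sysctl(text)
    return {key: values.get(key)
            for key, want in REQUIRED.items() if values.get(key) != want}


# Constructed sample files (not taken from any real host).
PVE_CONF_BAD = """\
# constructed /etc/sysctl.d/pve.conf with one wrong and two missing keys
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 0
"""
PVE_CONF_GOOD = "".join(f"{key} = {val}\n" for key, val in REQUIRED.items())

if __name__ == "__main__":
    for name, conf in (("bad", PVE_CONF_BAD), ("good", PVE_CONF_GOOD)):
        print(name, missing_bridge_nf(conf) or "ok")
```

Run it against the real file with `missing_bridge_nf(open("/etc/sysctl.d/pve.conf").read())`; the check only inspects the file, so a reboot (or `sysctl -p`) is still needed before the running kernel reflects the values.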

Quick Intro
===========

VM firewall rules are read from /etc/pve/firewall/<VMID>.fw

You can find examples in the example/ dir

Note: All commands overwrite /etc/shorewall/, so don't use them if you have
an existing shorewall config you want to keep.

Use the following command to generate shorewall configuration:

./pvefw compile

To compile and start the firewall:

./pvefw start

To compile and restart the firewall:

./pvefw restart

To stop the firewall:

./pvefw stop

To clear all iptables rules:

./pvefw clear

Implementation details
======================

We do not write iptables rules directly. Instead we use shorewall to
do that low level stuff.

Each VM can have its own firewall definition file in

/etc/pve/firewall/<VMID>.fw

That file has two sections for inbound [IN] and outbound [OUT] traffic.

Format is: ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* ACTION: shorewall action
* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: dest IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

We translate those rules into an appropriate shorewall configuration.

There are a number of restrictions when using iptables to filter
bridged traffic. Shorewall reflects that by applying the following
restrictions:

* BP zones may only be associated with bridge ports.

* All ports associated with a given BP zone must be on the same bridge.

* Policies from a non-BP zone to a BP zone are disallowed.

* Rules where the SOURCE is a non-BP zone and the DEST is a BP zone are disallowed.

See: http://www.shorewall.net/bridge-Shorewall-perl.html

We simply define one zone for each bridge/vm pair.

Shorewall zone names are limited to 5 characters, so we need to
translate our names into shorter ones. The mapping is stored in
/etc/shorewall/params, so we can use shell variables with long names
to refer to those zones.

Example: One bridge vmbr0 and one VM with id 100

Content of /etc/shorewall/params
 # PVE zones
 FW=fw
 ZVMBR0=z0
 ZVMBR0EXT=z1
 ZVMBR0VM100=z2

Content of /etc/shorewall/zones
 #ZONE TYPE OPTIONS
 $FW firewall
 $ZVMBR0 ipv4
 $ZVMBR0EXT:$ZVMBR0 bport
 $ZVMBR0VM100:$ZVMBR0 bport
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Content of /etc/shorewall/interfaces
 #ZONE INTERFACE BROADCAST OPTIONS
 $ZVMBR0 vmbr0 detect bridge,optional
 $ZVMBR0EXT vmbr0:eth0 -
 $ZVMBR0VM100 vmbr0:tap100i0 - maclist
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Zone $ZVMBR0VM100 contains all network interfaces of VM 100.

Zone $ZVMBR0EXT contains all physical network interfaces. We consider this zone to be the external world.

A shorewall rule for inbound traffic looks like this:

 SSH(ACCEPT) all $ZVMBR0VM100:tap100i0

Outbound rules look like:

 SSH(ACCEPT) $ZVMBR0VM100:tap100i0 all


Problems
========

Inbound rules with a source IP do not work, because shorewall
does not allow rules like:

 SSH(ACCEPT) all:IP_ADDRESS $ZVMBR0VM100:tap100i0

As a workaround, we create one rule for each BP zone on the same
bridge:

 SSH(ACCEPT) $ZVMBR0:IP_ADDRESS $ZVMBR0VM100:tap100i0
 SSH(ACCEPT) $ZVMBR0VM777:IP_ADDRESS $ZVMBR0VM100:tap100i0
 SSH(ACCEPT) $ZVMBR0EXT:IP_ADDRESS $ZVMBR0VM100:tap100i0
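The following Python is an added example, not pve-firewall's own code, that ties together the .fw file format from the implementation details section and the rule translation described here, including the per-zone expansion used as the workaround above. It assumes that interface netN of VM <VMID> is the host device tap<VMID>i<N> (as in the tap100i0 example), that short zone names are assigned in the order of the params example (bridge, EXT, then VMs), and it emits plain shorewall rules columns (ACTION SOURCE DEST PROTO DPORT SPORT) instead of the SSH macro form; the input file is a constructed sample.

```python
"""Added example, not pve-firewall's own code.

Parses a /etc/pve/firewall/<VMID>.fw file (ACTION IFACE SOURCE DEST PROTO
D-PORT S-PORT under [IN] / [OUT]) and renders shorewall rules, applying the
README's workaround: an inbound rule with a SOURCE address becomes one rule
per other zone on the same bridge instead of one 'all:ADDR' rule.
"""
import re
from dataclasses import dataclass

# Constructed sample input: firewall file for VM 100 (not a real config).
SAMPLE_FW = """\
# constructed /etc/pve/firewall/100.fw
[IN]
ACCEPT net0 192.168.1.10 - tcp 22 -
ACCEPT - - - tcp 80 -
[OUT]
ACCEPT - - - udp 53 -
"""

FIELDS = ("action", "iface", "source", "dest", "proto", "dport", "sport")


@dataclass
class Rule:
    direction: str  # "IN" or "OUT"
    action: str
    iface: str
    source: str
    dest: str
    proto: str
    dport: str
    sport: str


def parse_fw(text):
    """Parse the [IN]/[OUT] sections; every rule line must have 7 fields."""
    rules, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(IN|OUT)\]", line)
        if m:
            section = m.group(1)
            continue
        if section is None:
            raise ValueError(f"line {lineno}: rule before [IN]/[OUT] header")
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        rules.append(Rule(section, *parts))
    return rules


def zone_params(bridge, vmids):
    """Map long zone names to short shorewall names (content of params).
    Order follows the README example: z0 = bridge, z1 = EXT, z2.. = VMs."""
    prefix = f"Z{bridge.upper()}"
    names = [prefix, prefix + "EXT"] + [f"{prefix}VM{vmid}" for vmid in vmids]
    return {name: f"z{i}" for i, name in enumerate(names)}


def vm_iface(vmid, iface):
    """Assumed mapping of netN to the host tap device tap<VMID>i<N>."""
    m = re.fullmatch(r"net([0-5])", iface)
    if not m:
        raise ValueError(f"bad IFACE {iface!r}: expected net0-net5 or '-'")
    return f"tap{vmid}i{m.group(1)}"


def render_rules(vmid, bridge, params, rules):
    """Emit shorewall rules lines: ACTION SOURCE DEST PROTO DPORT SPORT."""
    vm_zone = f"Z{bridge.upper()}VM{vmid}"
    if vm_zone not in params:
        raise ValueError(f"{vm_zone} is not defined in params")
    out = []
    for r in rules:
        # The VM side: its zone, optionally narrowed to one tap interface.
        vm_side = f"${vm_zone}"
        if r.iface != "-":
            vm_side += ":" + vm_iface(vmid, r.iface)
        tail = f"{r.proto} {r.dport} {r.sport}"
        if r.direction == "OUT":
            # Assumption: the README documents no restriction on the outbound
            # side, so a DEST address is passed through as an 'all' qualifier.
            dest = "all" if r.dest == "-" else f"all:{r.dest}"
            out.append(f"{r.action} {vm_side} {dest} {tail}")
        elif r.source == "-":
            out.append(f"{r.action} all {vm_side} {tail}")
        else:
            # Workaround: 'all:ADDR' is not allowed as SOURCE when DEST is a
            # BP zone, so expand into one rule per other zone on this bridge.
            for zone in params:
                if zone != vm_zone:
                    out.append(f"{r.action} ${zone}:{r.source} {vm_side} {tail}")
    return out


if __name__ == "__main__":
    params = zone_params("vmbr0", [100, 777])
    for line in render_rules(100, "vmbr0", params, parse_fw(SAMPLE_FW)):
        print(line)
```

The expansion multiplies one source-restricted inbound rule by the number of other zones on the bridge, so a bridge with many VMs produces noticeably longer rules files; that cost is inherent in the workaround, not in this example.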