[pve-firewall.git] / README

Experimental software, only used for testing.

Note: you need to change values in /etc/sysctl.d/pve.conf to:

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 1

and reboot after that change.


VM firewall rules are read from /etc/pve/firewall/<VMID>.fw

You can find examples in the example/ dir

Note: All commands overwrites /etc/shorewall/, so don't use if you have
and existing shorewall config you want to keep.

Use the following command to generate shorewall configuration:

./pvefw compile

To compile and start the firewall:

./pvefw start

To compile and restart the firewall:

./pvefw restart

To stop the firewall:

./pvefw stop

To clear all iptable rules:

./pvefw clear
Commit	Line	Data
ec6b1100 DM	1	Experimental software, only used for testing.
ec6b1100 DM	2
5e1267a5 DM	3	Note: you need to change values in /etc/sysctl.d/pve.conf to:
	4
	5	net.bridge.bridge-nf-call-ip6tables = 1
	6	net.bridge.bridge-nf-call-iptables = 1
	7	net.bridge.bridge-nf-call-arptables = 1
	8	net.bridge.bridge-nf-filter-vlan-tagged = 1
	9
	10	and reboot after that change.
	11
	12
ec6b1100 DM	13	VM firewall rules are read from /etc/pve/firewall/<VMID>.fw
	14
	15	You can find examples in the example/ dir
	16
5e1267a5 DM	17	Note: All commands overwrites /etc/shorewall/, so don't use if you have
	18	and existing shorewall config you want to keep.
	19
ec6b1100 DM	20	Use the following command to generate shorewall configuration:
	21
	22	./pvefw compile
	23
5e1267a5 DM	24	To compile and start the firewall:
	25
	26	./pvefw start
	27
	28	To compile and restart the firewall:
	29
	30	./pvefw restart
	31
	32	To stop the firewall:
	33
	34	./pvefw stop
	35
	36	To clear all iptable rules:
ec6b1100	37
5e1267a5	38	./pvefw clear