Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from /etc/pve/firewall/<VMID>.fw

Security group rules are read from /etc/pve/firewall/groups.fw

Host firewall rules are read from /etc/pve/local/host.fw

You can find examples in the example/ dir


Use the following commands to manage the firewall:

To test the firewall configuration:

  ./pvefw compile

To start or update the firewall:

  ./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

  ./pvefw update

To stop the firewall:

  ./pvefw stop


Implementation details
======================

We write iptables rules directly, and generate the following chains
as entry points in the 'forward' table:

  PVEFW-INPUT
  PVEFW-OUTPUT
  PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in

  /etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* TYPE: IN|OUT|GROUP
* ACTION: action or macro
* IFACE: VM network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: destination IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

A rule for inbound traffic looks like this:

  IN SSH(ACCEPT) net0

Outbound rules look like:

  OUT SSH(ACCEPT)

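As an added example (not part of this README or the pve-firewall project's own code), a small Python parser for the [RULES] section format described above. The sample file content is constructed; treating omitted trailing fields as '-' and accepting GROUP lines with their second field as written are assumptions, since the README does not define either.

```python
import re

# Constructed sample content of a /etc/pve/firewall/<VMID>.fw file (not from the README).
SAMPLE_FW = """\
[RULES]
IN SSH(ACCEPT) net0
OUT SSH(ACCEPT)
IN ACCEPT net1 192.168.10.0/24 - tcp 80 -
IN DROP - - - udp 53
"""

FIELDS = ("type", "action", "iface", "source", "dest", "proto", "dport", "sport")
TYPES = {"IN", "OUT", "GROUP"}
IFACE_RE = re.compile(r"^net[0-5]$")
# ACTION is either a plain action (ACCEPT) or a macro wrapping one (SSH(ACCEPT)).
ACTION_RE = re.compile(r"^(?:(?P<macro>\w+)\((?P<action>[A-Z]+)\)|(?P<plain>[A-Z]+))$")


def parse_rule(line):
    """Parse one line: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT.
    Assumption: trailing fields that are left out mean '-' (no restriction)."""
    parts = line.split()
    if len(parts) < 2 or len(parts) > len(FIELDS):
        raise ValueError(f"bad field count: {line!r}")
    rule = dict(zip(FIELDS, parts + ["-"] * (len(FIELDS) - len(parts))))
    if rule["type"] not in TYPES:
        raise ValueError(f"unknown TYPE {rule['type']!r}")
    rule["macro"] = None
    if rule["type"] != "GROUP":  # assumption: GROUP lines carry a group name, not an action
        m = ACTION_RE.match(rule["action"])
        if not m:
            raise ValueError(f"bad ACTION {rule['action']!r}")
        rule["macro"] = m.group("macro")
        rule["action"] = m.group("action") or m.group("plain")
    if rule["iface"] != "-" and not IFACE_RE.match(rule["iface"]):
        raise ValueError(f"IFACE must be net0-net5 or '-', got {rule['iface']!r}")
    return rule


def parse_rules_section(text):
    """Return the parsed rules found in the [RULES] section of a .fw file."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rules = line.upper() == "[RULES]"
            continue
        if in_rules:
            rules.append(parse_rule(line))
    return rules
```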
Problems
========

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

* when a packet being sent through a bridge entered the firewall on another interface
  and was being forwarded to the bridge.

* when a packet originating on the firewall itself is being sent through a bridge.

So we disable the firewall if we detect such a case (bridge with assigned IP address).
You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".

The correct workaround is to remove the IP address from the bridge device, and
use a veth device which is plugged into the bridge:

---/etc/network/interfaces----

...

auto pvemgmt0
iface pvemgmt0 inet static
        address 192.168.10.10
        netmask 255.255.255.0
        gateway 192.168.10.1
        pre-up ip link add name pvemgmt0 type veth peer name pvemgmt0peer
        pre-up ip link set pvemgmt0peer up
        pre-down ip link set pvemgmt0peer down
        post-down ip link del pvemgmt0

auto vmbr0
iface vmbr0 inet manual
        bridge_ports pvemgmt0peer eth0
        bridge_stp off
        bridge_fd 0
        pre-up ifup pvemgmt0

...

--------------------------------