improve docu
[pve-firewall.git] / README
CommitLineData
f4bf58dd
DM
1Experimental software, only used for testing!
2=============================================
ec6b1100 3
5e1267a5
DM
4Note: you need to change values in /etc/sysctl.d/pve.conf to:
5
6net.bridge.bridge-nf-call-ip6tables = 1
7net.bridge.bridge-nf-call-iptables = 1
8net.bridge.bridge-nf-call-arptables = 1
9net.bridge.bridge-nf-filter-vlan-tagged = 1
10
11and reboot after that change.
12
f4bf58dd
DM
13Quick Intro
14===========
5e1267a5 15
ec6b1100
DM
16VM firewall rules are read from /etc/pve/firewall/<VMID>.fw
17
18You can find examples in the example/ dir
19
5e1267a5
DM
20Note: All commands overwrites /etc/shorewall/, so don't use if you have
21and existing shorewall config you want to keep.
22
ec6b1100
DM
23Use the following command to generate shorewall configuration:
24
25./pvefw compile
26
5e1267a5
DM
27To compile and start the firewall:
28
29./pvefw start
30
31To compile and restart the firewall:
32
33./pvefw restart
34
35To stop the firewall:
36
37./pvefw stop
38
39To clear all iptable rules:
ec6b1100 40
f4bf58dd
DM
41./pvefw clear
42
43
44Implementation details
45======================
46
47We do not write iptables rules directly. Instead we use shorewall to
48do that low level stuff.
49
50Each VM can have its own firewall definition file in
51
52/etc/pve/firewall/<VMID>.fw
53
54That file has two sections for inbound [IN] and outbound [OUT] traffic.
55
56Format is: ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
57
58* ACTION: shorewall action
59* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
60* SOURCE: source IP address, or '-' for any source
61* DEST: dest IP address, or '-' for any destination address
62* PROTO: see /etc/protocols
63* D-PORT: destination port
64* S-PORT: source port
65
66
67