projects / pve-firewall.git / blame
| Commit | Line | Data |
|---|---|---|
| f4bf58dd DM |
1 | Experimental software, only used for testing! |
| 2 | ============================================= | |
| ec6b1100 | 3 | |
| 5e1267a5 | 4 | |
| f4bf58dd DM |
5 | Quick Intro |
| 6 | =========== | |
| 5e1267a5 | 7 | |
| 36166ca9 | 8 | VM firewall rules are read from: |
| ec6b1100 | 9 | |
| 36166ca9 | 10 | /etc/pve/firewall/<VMID>.fw |
| e51bd2aa | 11 | |
| 36166ca9 DM |
12 | Cluster wide rules and security group are read from: |
| 13 | ||
| 14 | /etc/pve/firewall/cluster.fw | |
| 15 | ||
| 16 | Host firewall rules are read from: | |
| 17 | ||
| 18 | /etc/pve/local/host.fw | |
| e51bd2aa | 19 | |
| ec6b1100 DM |
20 | You can find examples in the example/ dir |
| 21 | ||
| 5e1267a5 | 22 | |
| e51bd2aa DM |
23 | Use the following command to mange the firewall: |
| 24 | ||
| 25 | To test the firewall configuration: | |
| ec6b1100 DM |
26 | |
| 27 | ./pvefw compile | |
| 28 | ||
| e51bd2aa | 29 | To start or update the firewall: |
| 5e1267a5 DM |
30 | |
| 31 | ./pvefw start | |
| 32 | ||
| e51bd2aa DM |
33 | To update the firewall rules (the firewall is not started if it |
| 34 | is not already running): | |
| 5e1267a5 | 35 | |
| e51bd2aa | 36 | ./pvefw update |
| 5e1267a5 DM |
37 | |
| 38 | To stop the firewall: | |
| 39 | ||
| 40 | ./pvefw stop | |
| 41 | ||
| f4bf58dd DM |
42 | |
| 43 | Implementation details | |
| 44 | ====================== | |
| 45 | ||
| e51bd2aa DM |
46 | We write iptables rules directly, an generate the following chains |
| 47 | as entry points in the 'forward' table: | |
| 48 | ||
| 49 | PVEFW-INPUT | |
| 50 | PVEFW-OUTPUT | |
| 51 | PVEFW-FORWARD | |
| 52 | ||
| 53 | We do not touch other (user defined) chains. | |
| f4bf58dd DM |
54 | |
| 55 | Each VM can have its own firewall definition file in | |
| 56 | ||
| 57 | /etc/pve/firewall/<VMID>.fw | |
| 58 | ||
| e51bd2aa | 59 | That file has a section [RULES] to define firewall rules. |
| f4bf58dd | 60 | |
| e51bd2aa | 61 | Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT |
| f4bf58dd | 62 | |
| e51bd2aa DM |
63 | * TYPE: IN|OUT|GROUP |
| 64 | * ACTION: action or macro | |
| f4bf58dd DM |
65 | * IFACE: vm network interface (net0 - net5), or '-' for all interfaces |
| 66 | * SOURCE: source IP address, or '-' for any source | |
| 67 | * DEST: dest IP address, or '-' for any destination address | |
| 68 | * PROTO: see /etc/protocols | |
| 69 | * D-PORT: destination port | |
| 70 | * S-PORT: source port | |
| 71 | ||
| e51bd2aa | 72 | A rule for inbound traffic looks like this: |
| b486ed3b | 73 | |
| e51bd2aa | 74 | IN SSH(ACCEPT) net0 |
| b486ed3b DM |
75 | |
| 76 | Outbound rules looks like: | |
| 77 | ||
| e51bd2aa | 78 | OUT SSH(ACCEPT) |
| b486ed3b | 79 | |
| b9b06789 | 80 | Problems |
| 8fb53d8c DM |
81 | =================== |
| 82 | ||
| e51bd2aa DM |
83 | There are a number of restrictions when using iptables to filter |
| 84 | bridged traffic. The physdev match feature does not work correctly | |
| 85 | when traffic is routed from host to bridge: | |
| 8fb53d8c | 86 | |
| fb8f4a70 DM |
87 | * when a packet being sent through a bridge entered the firewall on |
| 88 | another interface and was being forwarded to the bridge. | |
| 8fb53d8c | 89 | |
| fb8f4a70 DM |
90 | * when a packet originating on the firewall itself is being sent through |
| 91 | a bridge. | |
| 8fb53d8c | 92 | |
| fb8f4a70 | 93 | We use a second bridge for each interface to avoid above problem. |
| c27d58f3 | 94 | |
| fb8f4a70 DM |
95 | eth0-->vmbr0<--tapXiY (non firewalled tap) |
| 96 | <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap) |