[pve-firewall.git] / debian / README

Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from:

 /etc/pve/firewall/<VMID>.fw

Cluster wide rules and security group are read from:
 
 /etc/pve/firewall/cluster.fw

Host firewall rules are read from:

  /etc/pve/local/host.fw

You can find examples in the example/ dir


Use the following command to mange the firewall:

To test the firewall configuration:

./pvefw compile

To start or update the firewall:

./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

./pvefw update

To stop the firewall:

./pvefw stop


Implementation details
======================

We write iptables rules directly, an generate the following chains 
as entry points in the 'forward' table:

PVEFW-INPUT
PVEFW-OUTPUT
PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in 

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* TYPE: IN|OUT|GROUP 
* ACTION: action or macro
* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: dest IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

A rule for inbound traffic looks like this:

IN SSH(ACCEPT) net0

Outbound rules looks like:

OUT SSH(ACCEPT)

Problems
===================

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

  * when a packet being sent through a bridge entered the firewall on another interface 
    and was being forwarded to the bridge.

  * when a packet originating on the firewall itself is being sent through a bridge.

So we disable the firewall if we detect such case (bridge with assigned IP address).
You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".

The correct workaround is to remove the IP address from the bridge device, and
use a veth device which is plugged into the bridge:

---/etc/network/interfaces----

...

auto vmbr0
iface vmbr0 inet manual
	bridge_ports bond0
	bridge_stp off
	bridge_fd 0

# this create the veth device and plug it into vmbr0
auto pm0
iface pm0 inet static
	address  192.168.10.10
	netmask  255.255.255.0
	gateway  192.168.10.1
	VETH_BRIDGETO vmbr0

auto vmbr1
iface vmbr1 inet manual
      bridge_ports none
      bridge_stp off
      bridge_fd 0

# setup masqueraded bridge port vmbr1/pm1 using pm0
# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone) 
auto pm1
iface pm1 inet static
       address 10.10.10.1
       netmask 255.255.255.0
       VETH_BRIDGETO vmbr1
       VETH_MASQUERADE pm0

...

--------------------------------
Commit	Line	Data
f4bf58dd DM	1	Experimental software, only used for testing!
f4bf58dd DM	2	=============================================
ec6b1100	3
5e1267a5	4
f4bf58dd DM	5	Quick Intro
f4bf58dd DM	6	===========
5e1267a5	7
36166ca9	8	VM firewall rules are read from:
ec6b1100	9
36166ca9	10	/etc/pve/firewall/<VMID>.fw
e51bd2aa	11
36166ca9 DM	12	Cluster wide rules and security group are read from:
	13
	14	/etc/pve/firewall/cluster.fw
	15
	16	Host firewall rules are read from:
	17
	18	/etc/pve/local/host.fw
e51bd2aa	19
ec6b1100 DM	20	You can find examples in the example/ dir
ec6b1100 DM	21
5e1267a5	22
e51bd2aa DM	23	Use the following command to mange the firewall:
	24
	25	To test the firewall configuration:
ec6b1100 DM	26
	27	./pvefw compile
	28
e51bd2aa	29	To start or update the firewall:
5e1267a5 DM	30
	31	./pvefw start
	32
e51bd2aa DM	33	To update the firewall rules (the firewall is not started if it
e51bd2aa DM	34	is not already running):
5e1267a5	35
e51bd2aa	36	./pvefw update
5e1267a5 DM	37
	38	To stop the firewall:
	39
	40	./pvefw stop
	41
f4bf58dd DM	42
	43	Implementation details
	44	======================
	45
e51bd2aa DM	46	We write iptables rules directly, an generate the following chains
	47	as entry points in the 'forward' table:
	48
	49	PVEFW-INPUT
	50	PVEFW-OUTPUT
	51	PVEFW-FORWARD
	52
	53	We do not touch other (user defined) chains.
f4bf58dd DM	54
	55	Each VM can have its own firewall definition file in
	56
	57	/etc/pve/firewall/<VMID>.fw
	58
e51bd2aa	59	That file has a section [RULES] to define firewall rules.
f4bf58dd	60
e51bd2aa	61	Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
f4bf58dd	62
e51bd2aa DM	63	* TYPE: IN\|OUT\|GROUP
e51bd2aa DM	64	* ACTION: action or macro
f4bf58dd DM	65	* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
	66	* SOURCE: source IP address, or '-' for any source
	67	* DEST: dest IP address, or '-' for any destination address
	68	* PROTO: see /etc/protocols
	69	* D-PORT: destination port
	70	* S-PORT: source port
	71
e51bd2aa	72	A rule for inbound traffic looks like this:
b486ed3b	73
e51bd2aa	74	IN SSH(ACCEPT) net0
b486ed3b DM	75
	76	Outbound rules looks like:
	77
e51bd2aa	78	OUT SSH(ACCEPT)
b486ed3b	79
b9b06789	80	Problems
8fb53d8c DM	81	===================
8fb53d8c DM	82
e51bd2aa DM	83	There are a number of restrictions when using iptables to filter
	84	bridged traffic. The physdev match feature does not work correctly
	85	when traffic is routed from host to bridge:
8fb53d8c	86
e51bd2aa DM	87	* when a packet being sent through a bridge entered the firewall on another interface
e51bd2aa DM	88	and was being forwarded to the bridge.
8fb53d8c	89
e51bd2aa	90	* when a packet originating on the firewall itself is being sent through a bridge.
8fb53d8c	91
e51bd2aa DM	92	So we disable the firewall if we detect such case (bridge with assigned IP address).
e51bd2aa DM	93	You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
b486ed3b	94
e51bd2aa DM	95	The correct workaround is to remove the IP address from the bridge device, and
e51bd2aa DM	96	use a veth device which is plugged into the bridge:
b486ed3b	97
e51bd2aa	98	---/etc/network/interfaces----
b486ed3b	99
e51bd2aa	100	...
b486ed3b	101
e51bd2aa DM	102	auto vmbr0
e51bd2aa DM	103	iface vmbr0 inet manual
c27d58f3	104	bridge_ports bond0
e51bd2aa DM	105	bridge_stp off
e51bd2aa DM	106	bridge_fd 0
c27d58f3 DM	107
	108	# this create the veth device and plug it into vmbr0
	109	auto pm0
	110	iface pm0 inet static
	111	address 192.168.10.10
	112	netmask 255.255.255.0
	113	gateway 192.168.10.1
	114	VETH_BRIDGETO vmbr0
f4bf58dd	115
cdf17f84 DM	116	auto vmbr1
	117	iface vmbr1 inet manual
	118	bridge_ports none
	119	bridge_stp off
	120	bridge_fd 0
	121
79f08c62 DM	122	# setup masqueraded bridge port vmbr1/pm1 using pm0
79f08c62 DM	123	# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
cdf17f84 DM	124	auto pm1
	125	iface pm1 inet static
	126	address 10.10.10.1
	127	netmask 255.255.255.0
	128	VETH_BRIDGETO vmbr1
79f08c62	129	VETH_MASQUERADE pm0
cdf17f84	130
e51bd2aa	131	...
f4bf58dd	132
e51bd2aa	133	--------------------------------
c27d58f3	134