Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from:

  /etc/pve/firewall/<VMID>.fw

Cluster wide rules and security groups are read from:

  /etc/pve/firewall/cluster.fw

Host firewall rules are read from:

  /etc/pve/local/host.fw

You can find examples in the example/ dir

Use the following commands to manage the firewall:

To test the firewall configuration:

  ./pvefw compile

To start or update the firewall:

  ./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

  ./pvefw update

To stop the firewall:

  ./pvefw stop


Implementation details
======================

We write iptables rules directly, and generate the following chains
as entry points in the 'forward' table:

  PVEFW-INPUT
  PVEFW-OUTPUT
  PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in

  /etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

 * TYPE: IN|OUT|GROUP
 * ACTION: action or macro
 * IFACE: vm network interface (net0 - net5), or '-' for all interfaces
 * SOURCE: source IP address, or '-' for any source
 * DEST: dest IP address, or '-' for any destination address
 * PROTO: see /etc/protocols
 * D-PORT: destination port
 * S-PORT: source port

A rule for inbound traffic looks like this:

  IN SSH(ACCEPT) net0

Outbound rules look like:

  OUT SSH(ACCEPT)

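To make the rule format above concrete, here is an added validator for the [RULES] section of a <VMID>.fw file (my own example code, not part of pve-firewall), run over a constructed sample file. It assumes that '#' starts a comment, that the bare actions are ACCEPT, DROP or REJECT (the README only shows ACCEPT), and that missing trailing fields mean '-' (any); a rule that fails a field check is reported with the offending field names instead of being silently accepted.

```python
import ipaddress
import re
# Constructed sample of a /etc/pve/firewall/<VMID>.fw file (not taken from the README).
SAMPLE_FW = """\
[RULES]
IN SSH(ACCEPT) net0
OUT SSH(ACCEPT)
IN ACCEPT net1 192.168.10.0/24 - tcp 8080
BOGUS DROP net9 - - tcp 99999
"""

FIELDS = ("type", "action", "iface", "source", "dest", "proto", "dport", "sport")

def _is_addr(v):
    try:                                   # accept a plain address or a CIDR network
        return ipaddress.ip_network(v, strict=False) is not None
    except ValueError:
        return False

# One validator per field; '-' (any/unset) is accepted for every field except type and action.
CHECKS = {
    "type": lambda v: v in {"IN", "OUT", "GROUP"},
    "action": lambda v: re.fullmatch(r"ACCEPT|DROP|REJECT|\w+\((?:ACCEPT|DROP|REJECT)\)", v) is not None,  # assumed action set, or MACRO(ACTION)
    "iface": lambda v: re.fullmatch(r"net[0-5]", v) is not None,
    "source": _is_addr,
    "dest": _is_addr,
    "proto": lambda v: re.fullmatch(r"[a-z0-9-]+", v) is not None,  # protocol name as in /etc/protocols
    "dport": lambda v: v.isdigit() and 1 <= int(v) <= 65535,
    "sport": lambda v: v.isdigit() and 1 <= int(v) <= 65535,
}

def parse_rules(text):
    """Parse the [RULES] section; return (rules, errors), errors as (line_no, message)."""
    rules, errors, in_rules = [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # assumption: '#' starts a comment
        if line.startswith("["):               # section header such as [RULES]
            in_rules = line.upper() == "[RULES]"
        elif line and in_rules:
            parts = line.split()
            rule = dict(zip(FIELDS, parts + ["-"] * (len(FIELDS) - len(parts))))  # missing fields = '-'
            bad = [f for f in FIELDS
                   if not CHECKS[f](rule[f]) and (rule[f] != "-" or f in ("type", "action"))]
            if not 2 <= len(parts) <= len(FIELDS):
                errors.append((lineno, "expected 2 to 8 fields"))
            elif bad:
                errors.append((lineno, "invalid field(s): " + ", ".join(bad)))
            else:
                rules.append(rule)
    return rules, errors
```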
Problems
========

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

 * when a packet being sent through a bridge entered the firewall on another interface
   and was being forwarded to the bridge.

 * when a packet originating on the firewall itself is being sent through a bridge.

So we disable the firewall if we detect such a case (bridge with assigned IP address).
You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".

The correct workaround is to remove the IP address from the bridge device, and
use a veth device which is plugged into the bridge:

---/etc/network/interfaces----

...

auto vmbr0
iface vmbr0 inet manual
        bridge_ports bond0
        bridge_stp off
        bridge_fd 0

# this creates the veth device and plugs it into vmbr0
auto pm0
iface pm0 inet static
        address 192.168.10.10
        netmask 255.255.255.0
        gateway 192.168.10.1
        VETH_BRIDGETO vmbr0

auto vmbr1
iface vmbr1 inet manual
        bridge_ports none
        bridge_stp off
        bridge_fd 0

# set up masqueraded bridge port vmbr1/pm1 using pm0
# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
auto pm1
iface pm1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        VETH_BRIDGETO vmbr1
        VETH_MASQUERADE pm0

...

--------------------------------