improve docu
[pve-firewall.git] / README
Experimental software, only used for testing!
=============================================

Note: you need to change values in /etc/sysctl.d/pve.conf to:

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-filter-vlan-tagged = 1

and reboot after that change. These settings make traffic crossing the
host bridges pass through the host's iptables/ip6tables/arptables chains,
which is what allows the generated rules to filter VM traffic.

Quick Intro
===========

VM firewall rules are read from /etc/pve/firewall/<VMID>.fw

You can find examples in the example/ dir.

Note: All commands overwrite /etc/shorewall/, so don't use them if you have
an existing shorewall config you want to keep.

Use the following command to generate the shorewall configuration:

./pvefw compile

To compile and start the firewall:

./pvefw start

To compile and restart the firewall:

./pvefw restart

To stop the firewall:

./pvefw stop

To clear all iptables rules:

./pvefw clear


Implementation details
======================

We do not write iptables rules directly. Instead we use shorewall to
do that low-level work.

Each VM can have its own firewall definition file in

/etc/pve/firewall/<VMID>.fw

That file has two sections, for inbound [IN] and outbound [OUT] traffic.

The format is: ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* ACTION: shorewall action
* IFACE: VM network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: destination IP address, or '-' for any destination address
* PROTO: protocol name, see /etc/protocols
* D-PORT: destination port
* S-PORT: source port
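The rule format above, read by an added example parser that is not part of pve-firewall (the project's own parser is Perl inside pvefw). It assumes '#' starts a comment, that addresses are single IPs or CIDR networks, that ports are single numbers, and it does not validate ACTION or PROTO against shorewall or /etc/protocols; the sample file is constructed, not taken from example/.

```python
import ipaddress

FIELDS = ("action", "iface", "source", "dest", "proto", "dport", "sport")
IFACES = {f"net{i}" for i in range(6)}  # net0 - net5, as the format description lists

def _addr(value, lineno, what):
    # '-' means any; anything else must parse as an IP address or CIDR network
    if value == "-":
        return None
    try:
        return str(ipaddress.ip_network(value, strict=False))
    except ValueError:
        raise ValueError(f"line {lineno}: bad {what} address {value!r}") from None

def _port(value, lineno, what):
    # '-' means any; otherwise a single port number in 1..65535
    if value == "-":
        return None
    if not value.isdigit() or not 1 <= int(value) <= 65535:
        raise ValueError(f"line {lineno}: bad {what} port {value!r}")
    return int(value)

def parse_fw(text):
    """Return {'IN': [...], 'OUT': [...]}; each rule is a dict keyed by FIELDS."""
    rules = {"IN": [], "OUT": []}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        if line in ("[IN]", "[OUT]"):
            section = line[1:-1]
            continue
        if section is None:
            raise ValueError(f"line {lineno}: rule before any [IN]/[OUT] header")
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rule = dict(zip(FIELDS, parts))
        if rule["iface"] != "-" and rule["iface"] not in IFACES:
            raise ValueError(f"line {lineno}: IFACE must be net0-net5 or '-'")
        rule["source"] = _addr(rule["source"], lineno, "source")
        rule["dest"] = _addr(rule["dest"], lineno, "dest")
        rule["dport"] = _port(rule["dport"], lineno, "destination")
        rule["sport"] = _port(rule["sport"], lineno, "source")
        rules[section].append(rule)
    return rules

# Constructed sample file (not taken from the project's example/ dir)
SAMPLE = "[IN]\nACCEPT net0 - - tcp 22 -\nDROP - 10.0.0.0/8 - tcp 3389 -\n[OUT]\nACCEPT - - 192.168.1.53 udp 53 -\n"
```

Running parse_fw on a file before compiling catches malformed rules (wrong field count, bad interface, bad address or port) with a line number, rather than letting shorewall reject or silently misread them.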
65
66
67