+./pvefw clear
+
+
+Implementation details
+======================
+
+We do not write iptables rules directly. Instead we use shorewall to
+do that low level stuff.
+
+Each VM can have its own firewall definition file in
+
+/etc/pve/firewall/<VMID>.fw
+
+That file has two sections for inbound [IN] and outbound [OUT] traffic.
+
+Format is: ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
+
+* ACTION: shorewall action
+* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
+* SOURCE: source IP address, or '-' for any source
+* DEST: dest IP address, or '-' for any destination address
+* PROTO: see /etc/protocols
+* D-PORT: destination port
+* S-PORT: source port
+
+
+
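Review bot: The field list for the .fw format (ACTION through S-PORT) documents '-' as the wildcard for IFACE, SOURCE and DEST but gives none for PROTO, D-PORT or S-PORT, so a reader cannot tell how to write a rule that matches any protocol or port. Suggest stating the wildcard for those three fields, saying whether SOURCE and DEST accept networks or only single addresses, and naming the ACTION values that are expected instead of only "shorewall action". The text should also say what happens to traffic that matches no rule in [IN] or [OUT], because that default decides whether a missing or empty /etc/pve/firewall/<VMID>.fw leaves the VM open or closed. A short sample file with one rule per section would make the column order unambiguous.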