improve docu

[pve-firewall.git] / README

diff --git a/README b/README
index 41c7c199456b519b29f5da22483986a5747d9315..851a3c5a575238013c60777242f8a43e381d2816 100644 (file)
--- a/README
+++ b/README
@@ -1,4 +1,5 @@
-Experimental software, only used for testing.
+Experimental software, only used for testing!
+=============================================

 
 Note: you need to change values in /etc/sysctl.d/pve.conf to:
 
 
 Note: you need to change values in /etc/sysctl.d/pve.conf to:
 


@@ -9,6 +10,8 @@ net.bridge.bridge-nf-filter-vlan-tagged = 1
 
 and reboot after that change.
 
 
 and reboot after that change.
 

+Quick Intro
+===========

 
 VM firewall rules are read from /etc/pve/firewall/<VMID>.fw
 
 
 VM firewall rules are read from /etc/pve/firewall/<VMID>.fw
 


@@ -35,4 +38,30 @@ To stop the firewall:
 
 To clear all iptable rules:
 
 
 To clear all iptable rules:
 

-./pvefw clear
\ No newline at end of file
+./pvefw clear
+
+
+Implementation details
+======================
+
+We do not write iptables rules directly. Instead we use shorewall to
+do that low level stuff. 
+
+Each VM can have its own firewall definition file in 
+
+/etc/pve/firewall/<VMID>.fw
+
+That file has two sections for inbound [IN] and outbound [OUT] traffic.
+
+Format is: ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
+
+* ACTION: shorewall action
+* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
+* SOURCE: source IP address, or '-' for any source
+* DEST: dest IP address, or '-' for any destination address
+* PROTO: see /etc/protocols
+* D-PORT: destination port
+* S-PORT: source port
+
+
+