-Experimental software, only used for testing.
+Experimental software, only used for testing!
+=============================================
+
+Note: you need to change values in /etc/sysctl.d/pve.conf to:
+
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
+net.bridge.bridge-nf-call-arptables = 1
+net.bridge.bridge-nf-filter-vlan-tagged = 1
+
+and reboot after that change.
+
+Quick Intro
+===========
VM firewall rules are read from /etc/pve/firewall/<VMID>.fw
You can find examples in the example/ dir
+Note: All commands overwrites /etc/shorewall/, so don't use if you have
+and existing shorewall config you want to keep.
+
Use the following command to generate shorewall configuration:
./pvefw compile
-That command overwrites /etc/shorewall/, so don't use if you have
-and existing shorewall config you want to keep.
+To compile and start the firewall:
+
+./pvefw start
+
+To compile and restart the firewall:
+
+./pvefw restart
+
+To stop the firewall:
+
+./pvefw stop
+
+To clear all iptable rules:
+
+./pvefw clear
+
+
+Implementation details
+======================
+
+We do not write iptables rules directly. Instead we use shorewall to
+do that low level stuff.
+
+Each VM can have its own firewall definition file in
+
+/etc/pve/firewall/<VMID>.fw
+
+That file has two sections for inbound [IN] and outbound [OUT] traffic.
+
+Format is: ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
+
+* ACTION: shorewall action
+* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
+* SOURCE: source IP address, or '-' for any source
+* DEST: dest IP address, or '-' for any destination address
+* PROTO: see /etc/protocols
+* D-PORT: destination port
+* S-PORT: source port
+
+