+++ /dev/null
-Experimental software, only used for testing!
-=============================================
-
-
-Quick Intro
-===========
-
-VM firewall rules are read from:
-
- /etc/pve/firewall/<VMID>.fw
-
-Cluster wide rules and security group are read from:
-
- /etc/pve/firewall/cluster.fw
-
-Host firewall rules are read from:
-
- /etc/pve/local/host.fw
-
-You can find examples in the example/ dir
-
-
-Use the following command to mange the firewall:
-
-To test the firewall configuration:
-
-./pvefw compile
-
-To start or update the firewall:
-
-./pvefw start
-
-To update the firewall rules (the firewall is not started if it
-is not already running):
-
-./pvefw update
-
-To stop the firewall:
-
-./pvefw stop
-
-
-Implementation details
-======================
-
-We write iptables rules directly, an generate the following chains
-as entry points in the 'forward' table:
-
-PVEFW-INPUT
-PVEFW-OUTPUT
-PVEFW-FORWARD
-
-We do not touch other (user defined) chains.
-
-Each VM can have its own firewall definition file in
-
-/etc/pve/firewall/<VMID>.fw
-
-That file has a section [RULES] to define firewall rules.
-
-Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
-
-* TYPE: IN|OUT|GROUP
-* ACTION: action or macro
-* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
-* SOURCE: source IP address, or '-' for any source
-* DEST: dest IP address, or '-' for any destination address
-* PROTO: see /etc/protocols
-* D-PORT: destination port
-* S-PORT: source port
-
-A rule for inbound traffic looks like this:
-
-IN SSH(ACCEPT) net0
-
-Outbound rules looks like:
-
-OUT SSH(ACCEPT)
-
-Problems
-===================
-
-There are a number of restrictions when using iptables to filter
-bridged traffic. The physdev match feature does not work correctly
-when traffic is routed from host to bridge:
-
- * when a packet being sent through a bridge entered the firewall on another interface
- and was being forwarded to the bridge.
-
- * when a packet originating on the firewall itself is being sent through a bridge.
-
-So we disable the firewall if we detect such case (bridge with assigned IP address).
-You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
-
-The correct workaround is to remove the IP address from the bridge device, and
-use a veth device which is plugged into the bridge:
-
----/etc/network/interfaces----
-
-...
-
-auto vmbr0
-iface vmbr0 inet manual
- bridge_ports bond0
- bridge_stp off
- bridge_fd 0
-
-# this create the veth device and plug it into vmbr0
-auto pm0
-iface pm0 inet static
- address 192.168.10.10
- netmask 255.255.255.0
- gateway 192.168.10.1
- VETH_BRIDGETO vmbr0
-
-auto vmbr1
-iface vmbr1 inet manual
- bridge_ports none
- bridge_stp off
- bridge_fd 0
-
-# setup masqueraded bridge port vmbr1/pm1 using pm0
-# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
-auto pm1
-iface pm1 inet static
- address 10.10.10.1
- netmask 255.255.255.0
- VETH_BRIDGETO vmbr1
- VETH_MASQUERADE pm0
-
-...
-
---------------------------------
-
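Review bot: this hunk deletes the README only for the next hunk to re-add it verbatim under debian/, so the whole file has to be read twice to confirm nothing changed; regenerate the patch with rename detection (git format-patch -M) so the move is recorded as a rename and only real edits, if any, show up. The same applies to the three example files deleted at the end of the patch.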
--- /dev/null
+Experimental software, only used for testing!
+=============================================
+
+
+Quick Intro
+===========
+
+VM firewall rules are read from:
+
+ /etc/pve/firewall/<VMID>.fw
+
+Cluster wide rules and security group are read from:
+
+ /etc/pve/firewall/cluster.fw
+
+Host firewall rules are read from:
+
+ /etc/pve/local/host.fw
+
+You can find examples in the example/ dir
+
+
+Use the following command to mange the firewall:
+
+To test the firewall configuration:
+
+./pvefw compile
+
+To start or update the firewall:
+
+./pvefw start
+
+To update the firewall rules (the firewall is not started if it
+is not already running):
+
+./pvefw update
+
+To stop the firewall:
+
+./pvefw stop
+
+
+Implementation details
+======================
+
+We write iptables rules directly, an generate the following chains
+as entry points in the 'forward' table:
+
+PVEFW-INPUT
+PVEFW-OUTPUT
+PVEFW-FORWARD
+
+We do not touch other (user defined) chains.
+
+Each VM can have its own firewall definition file in
+
+/etc/pve/firewall/<VMID>.fw
+
+That file has a section [RULES] to define firewall rules.
+
+Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
+
+* TYPE: IN|OUT|GROUP
+* ACTION: action or macro
+* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
+* SOURCE: source IP address, or '-' for any source
+* DEST: dest IP address, or '-' for any destination address
+* PROTO: see /etc/protocols
+* D-PORT: destination port
+* S-PORT: source port
+
+A rule for inbound traffic looks like this:
+
+IN SSH(ACCEPT) net0
+
+Outbound rules looks like:
+
+OUT SSH(ACCEPT)
+
+Problems
+===================
+
+There are a number of restrictions when using iptables to filter
+bridged traffic. The physdev match feature does not work correctly
+when traffic is routed from host to bridge:
+
+ * when a packet being sent through a bridge entered the firewall on another interface
+ and was being forwarded to the bridge.
+
+ * when a packet originating on the firewall itself is being sent through a bridge.
+
+So we disable the firewall if we detect such case (bridge with assigned IP address).
+You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
+
+The correct workaround is to remove the IP address from the bridge device, and
+use a veth device which is plugged into the bridge:
+
+---/etc/network/interfaces----
+
+...
+
+auto vmbr0
+iface vmbr0 inet manual
+ bridge_ports bond0
+ bridge_stp off
+ bridge_fd 0
+
+# this create the veth device and plug it into vmbr0
+auto pm0
+iface pm0 inet static
+ address 192.168.10.10
+ netmask 255.255.255.0
+ gateway 192.168.10.1
+ VETH_BRIDGETO vmbr0
+
+auto vmbr1
+iface vmbr1 inet manual
+ bridge_ports none
+ bridge_stp off
+ bridge_fd 0
+
+# setup masqueraded bridge port vmbr1/pm1 using pm0
+# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
+auto pm1
+iface pm1 inet static
+ address 10.10.10.1
+ netmask 255.255.255.0
+ VETH_BRIDGETO vmbr1
+ VETH_MASQUERADE pm0
+
+...
+
+--------------------------------
+
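Review bot: the 'Implementation details' paragraph says PVEFW-INPUT, PVEFW-OUTPUT and PVEFW-FORWARD are entry points in the 'forward' table, but iptables has no table of that name; the INPUT, OUTPUT and FORWARD chains these names mirror live in the 'filter' table, so fix the wording before this ships as documentation. While touching the text: 'mange' -> 'manage', 'an generate' -> 'and generate', 'this create' -> 'this creates', 'Outbound rules looks like' -> 'Outbound rules look like', and 'Use the following command to mange the firewall:' introduces nothing because the next line starts a new sentence. Also, VETH_BRIDGETO and VETH_MASQUERADE in the /etc/network/interfaces snippet are not stock ifupdown keywords and the README does not say which hook script provides them, yet they are required for the 'correct workaround' this section recommends; name the script (or the package that installs it) next to the snippet.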
debian/SOURCE
+debian/example/
+debian/README
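Review bot: the file receiving 'debian/example/' and 'debian/README' is not identified in this excerpt (only the context line 'debian/SOURCE' is visible), so the hunk cannot be checked against its purpose; include the file header. Independently of that, both paths live inside debian/, which is packaging metadata rather than upstream source; keeping README and example/ at the top level and listing them here would keep documentation out of the packaging directory.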
--- /dev/null
+# Example VM firewall configuration
+
+# VM specific firewall options
+[OPTIONS]
+
+# disable/enable the whole thing
+enable: 1
+
+# disable/enable MAC address filter
+macfilter: 0
+
+# default policy
+policy_in: DROP
+policy_out: REJECT
+
+# log dropped incoming connection
+log_level_in: info
+
+# disable log for outgoing connections
+log_level_out: nolog
+
+# enable DHCP
+dhcp: 1
+
+# enable ips
+ips: 1
+
+# specify nfqueue queues (optionnal)
+#ips_queues: 0
+ips_queues: 0:3
+
+
+[RULES]
+
+#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
+
+IN SSH(ACCEPT) net0
+IN SSH(ACCEPT) net0 # a comment
+IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
+IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
+IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
+IN SSH(ACCEPT) net0 +mynetgroup #accept ssh for netgroup mynetgroup
+
+|IN SSH(ACCEPT) net0 # disabled rule
+
+# add a security group
+GROUP group1 net0
+
+OUT DNS(ACCEPT) net0
+OUT Ping(ACCEPT) net0
+OUT SSH(ACCEPT)
+
+
+
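Review bot: the example ships 'macfilter: 0' with only 'disable/enable MAC address filter' as explanation, and example files tend to be copied as-is; say what is lost with the filter off (the guest may emit frames with a source MAC other than the one assigned to net0) so that 0 is a deliberate choice rather than an inherited one. Two smaller points: the '|IN SSH(ACCEPT) net0 # disabled rule' syntax is not mentioned in the README's rule format description, so document the '|' prefix there, and 'optionnal' -> 'optional' in the ips_queues comment.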
--- /dev/null
+[OPTIONS]
+
+# enable firewall (cluster wide setting, default is disabled)
+enable: 1
+
+# default policy for host rules
+policy_in: DROP
+policy_out: ACCEPT
+
+[RULES]
+
+IN SSH(ACCEPT) vmbr0
+
+[group group1]
+
+IN ACCEPT - - tcp 22 -
+OUT ACCEPT - - tcp 80 -
+OUT ACCEPT - - icmp - -
+
+[group group3]
+
+IN ACCEPT 10.0.0.1
+IN ACCEPT 10.0.0.1-10.0.0.10
+IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
+IN ACCEPT +mynetgroup
+
+
+[ipset myipset]
+
+192.168.0.1 #mycomment
+172.16.0.10
+192.168.0.0/24
+! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
+
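Review bot: '[RULES]' here uses 'IN SSH(ACCEPT) vmbr0', but the README's format list only allows a VM interface (net0 - net5) or '-' in the IFACE column; either cluster-level rules accept bridge names, in which case the README should say so, or this line will not compile. Also the VM example references '+mynetgroup' while this file only defines '[ipset myipset]', and the group numbering jumps from group1 to group3; make the names consistent so the three example files form one set that './pvefw compile' can be run against unchanged.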
--- /dev/null
+# /etc/pve/local/host.fw
+
+[OPTIONS]
+
+enable: 0
+tcp_flags_log_level: info
+smurf_log_level: nolog
+log_level_in: info
+log_level_out: info
+
+# allow more connections (default is 65536)
+nf_conntrack_max: 196608
+
+# reduce conntrack established timeout (default is 432000 - 5days)
+nf_conntrack_tcp_timeout_established: 7875
+
+# Enable firewall when bridges contains IP address.
+# The firewall is not fully functional in that case, so
+# you need to enable that explicitly
+allow_bridge_route: 1
+
+# disable SMURFS filter
+nosmurfs: 0
+
+# filter illegal combinations of TCP flags
+tcpflags: 1
+
+# rules processing speed optimizations
+optimize : 1
+
+[RULES]
+
+IN SSH(ACCEPT) net0
+OUT SSH(ACCEPT) net0
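Review bot: the host [RULES] use 'IN SSH(ACCEPT) net0' and 'OUT SSH(ACCEPT) net0', but net0 is a VM interface name according to the README; on the host the rule should name a host interface (the cluster example uses vmbr0) or '-'. Shipping 'allow_bridge_route: 1' in the example also contradicts the README, which says the firewall is not fully functional in that configuration and that the proper fix is a veth device; ship it commented out with the existing explanation so nobody enables the degraded mode by copying the file. Minor: 'optimize : 1' has a space before the colon unlike every other key (confirm the parser tolerates it or drop the space), and the comment 'disable SMURFS filter' above 'nosmurfs: 0' leaves unclear whether 0 means the filter is on or off; phrase it like 'tcpflags: 1' / 'filter illegal combinations of TCP flags', which is unambiguous.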
+++ /dev/null
-# Example VM firewall configuration
-
-# VM specific firewall options
-[OPTIONS]
-
-# disable/enable the whole thing
-enable: 1
-
-# disable/enable MAC address filter
-macfilter: 0
-
-# default policy
-policy_in: DROP
-policy_out: REJECT
-
-# log dropped incoming connection
-log_level_in: info
-
-# disable log for outgoing connections
-log_level_out: nolog
-
-# enable DHCP
-dhcp: 1
-
-# enable ips
-ips: 1
-
-# specify nfqueue queues (optionnal)
-#ips_queues: 0
-ips_queues: 0:3
-
-
-[RULES]
-
-#TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
-
-IN SSH(ACCEPT) net0
-IN SSH(ACCEPT) net0 # a comment
-IN SSH(ACCEPT) net0 192.168.2.192 # only allow SSH from 192.168.2.192
-IN SSH(ACCEPT) net0 10.0.0.1-10.0.0.10 #accept SSH for ip in range 10.0.0.1 to 10.0.0.10
-IN SSH(ACCEPT) net0 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
-IN SSH(ACCEPT) net0 +mynetgroup #accept ssh for netgroup mynetgroup
-
-|IN SSH(ACCEPT) net0 # disabled rule
-
-# add a security group
-GROUP group1 net0
-
-OUT DNS(ACCEPT) net0
-OUT Ping(ACCEPT) net0
-OUT SSH(ACCEPT)
-
-
-
+++ /dev/null
-[OPTIONS]
-
-# enable firewall (cluster wide setting, default is disabled)
-enable: 1
-
-# default policy for host rules
-policy_in: DROP
-policy_out: ACCEPT
-
-[RULES]
-
-IN SSH(ACCEPT) vmbr0
-
-[group group1]
-
-IN ACCEPT - - tcp 22 -
-OUT ACCEPT - - tcp 80 -
-OUT ACCEPT - - icmp - -
-
-[group group3]
-
-IN ACCEPT 10.0.0.1
-IN ACCEPT 10.0.0.1-10.0.0.10
-IN ACCEPT 10.0.0.1,10.0.0.2,10.0.0.3
-IN ACCEPT +mynetgroup
-
-
-[ipset myipset]
-
-192.168.0.1 #mycomment
-172.16.0.10
-192.168.0.0/24
-! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
-
+++ /dev/null
-# /etc/pve/local/host.fw
-
-[OPTIONS]
-
-enable: 0
-tcp_flags_log_level: info
-smurf_log_level: nolog
-log_level_in: info
-log_level_out: info
-
-# allow more connections (default is 65536)
-nf_conntrack_max: 196608
-
-# reduce conntrack established timeout (default is 432000 - 5days)
-nf_conntrack_tcp_timeout_established: 7875
-
-# Enable firewall when bridges contains IP address.
-# The firewall is not fully functional in that case, so
-# you need to enable that explicitly
-allow_bridge_route: 1
-
-# disable SMURFS filter
-nosmurfs: 0
-
-# filter illegal combinations of TCP flags
-tcpflags: 1
-
-# rules processing speed optimizations
-optimize : 1
-
-[RULES]
-
-IN SSH(ACCEPT) net0
-OUT SSH(ACCEPT) net0