From: Dietmar Maurer Date: Fri, 10 Aug 2012 10:28:25 +0000 (+0200) Subject: improve docu X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=f4bf58dd92d2f67c53f9bdbc02ee93ab351323ea;ds=sidebyside improve docu --- diff --git a/README b/README index 41c7c19..851a3c5 100644 --- a/README +++ b/README @@ -1,4 +1,5 @@ -Experimental software, only used for testing. +Experimental software, only used for testing! +============================================= Note: you need to change values in /etc/sysctl.d/pve.conf to: @@ -9,6 +10,8 @@ net.bridge.bridge-nf-filter-vlan-tagged = 1 and reboot after that change. +Quick Intro +=========== VM firewall rules are read from /etc/pve/firewall/.fw @@ -35,4 +38,30 @@ To stop the firewall: To clear all iptable rules: -./pvefw clear \ No newline at end of file +./pvefw clear + + +Implementation details +====================== + +We do not write iptables rules directly. Instead we use shorewall to +do that low level stuff. + +Each VM can have its own firewall definition file in + +/etc/pve/firewall/.fw + +That file has two sections for inbound [IN] and outbound [OUT] traffic. + +Format is: ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT + +* ACTION: shorewall action +* IFACE: vm network interface (net0 - net5), or '-' for all interfaces +* SOURCE: source IP address, or '-' for any source +* DEST: dest IP address, or '-' for any destination address +* PROTO: see /etc/protocols +* D-PORT: destination port +* S-PORT: source port + + + diff --git a/example/100.fw b/example/100.fw index 94ab2a6..3ff340a 100644 --- a/example/100.fw +++ b/example/100.fw 
@@ -1,14 +1,6 @@ # Example VM firewall configuration #ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT -# ACTION: shorewall action -# IFACE: vm network interface (net0 - net5), or '-' for all interfaces -# SOURCE: source IP address, or '-' for any source -# DEST: dest IP address, or '-' for any destination address -# PROTO: see /etc/protocols -# D-PORT: destination port -# S-PORT: source port - [IN] SSH(ACCEPT) net0 192.168.2.192 -
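Review bot: In the README's new "Implementation details" section (third hunk), the path "/etc/pve/firewall/.fw" has no per-VM component in front of ".fw", so a reader cannot tell how the file is named; the example file in this same commit is example/100.fw, so spell the placeholder out, e.g. "/etc/pve/firewall/<VMID>.fw" (the identical line in the "Quick Intro" hunk has the same gap). The column list also never states what happens to traffic that matches no rule in [IN] or [OUT]; the default policy is the security-relevant part of this format, so document it beside the ACTION column, and say whether SOURCE/DEST are read from the VM's point of view in the [OUT] section.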
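Review bot: In the example/100.fw hunk, moving the column comments into the README leaves the single remaining rule "SSH(ACCEPT) net0 192.168.2.192 -" with four of the seven columns listed in the "#ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT" header, and neither file says that trailing columns may be omitted or what an omitted PROTO, D-PORT or S-PORT means; either add that sentence to the README's "Format is:" description or pad the example rule with "-" for the unused columns so it matches the documented format.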