git.proxmox.com Git - pve-firewall.git/log
10 years ago  add MAC filter
Dietmar Maurer [Tue, 18 Feb 2014 10:59:01 +0000 (11:59 +0100)]
add MAC filter

10 years ago  cleanup chain names
Dietmar Maurer [Tue, 18 Feb 2014 09:59:21 +0000 (10:59 +0100)]
cleanup chain names

Try to use PVEFW prefix. I do not add that prefix to chains containing device names,
because chain name length is limited.

10 years ago  test if BRIDGEFW-OUT and BRIDGEFW-IN exist
Alexandre Derumier [Mon, 17 Feb 2014 12:50:26 +0000 (13:50 +0100)]
test if BRIDGEFW-OUT and BRIDGEFW-IN exist

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

10 years ago  simplify firewall and use MD5 hash to detect changes
Dietmar Maurer [Mon, 17 Feb 2014 12:05:39 +0000 (13:05 +0100)]
simplify firewall and use MD5 hash to detect changes

10 years ago  consider host-IN/OUT chains in iptables_get_chains
Dietmar Maurer [Mon, 17 Feb 2014 06:17:33 +0000 (07:17 +0100)]
consider host-IN/OUT chains in iptables_get_chains

10 years ago  consider security group chains in iptables_get_chains
Dietmar Maurer [Mon, 17 Feb 2014 06:13:27 +0000 (07:13 +0100)]
consider security group chains in iptables_get_chains

10 years ago  implement stop command using new iptables_get_chains
Dietmar Maurer [Fri, 14 Feb 2014 14:02:41 +0000 (15:02 +0100)]
implement stop command using new iptables_get_chains

10 years ago  experimental code to read existing chains and compute SHA1 checksum
Dietmar Maurer [Fri, 14 Feb 2014 13:22:50 +0000 (14:22 +0100)]
experimental code to read existing chains and compute SHA1 checksum

10 years ago  fix iptables-restore - correctly add newline after COMMIT
Dietmar Maurer [Fri, 14 Feb 2014 11:41:20 +0000 (12:41 +0100)]
fix iptables-restore - correctly add newline after COMMIT

Also print $cmdlist on error. Just for debugging.

10 years ago  remove shorewall rule compiler
Dietmar Maurer [Fri, 14 Feb 2014 10:27:33 +0000 (11:27 +0100)]
remove shorewall rule compiler

10 years ago  use input parameter to feed iptables-restore
Dietmar Maurer [Thu, 13 Feb 2014 11:37:50 +0000 (12:37 +0100)]
use input parameter to feed iptables-restore

10 years ago  implement locking
Dietmar Maurer [Thu, 13 Feb 2014 11:33:22 +0000 (12:33 +0100)]
implement locking

10 years ago  remove shorewall specific commands
Dietmar Maurer [Thu, 13 Feb 2014 09:55:48 +0000 (10:55 +0100)]
remove shorewall specific commands

10 years ago  add support for security groups
Alexandre Derumier [Fri, 7 Feb 2014 15:22:32 +0000 (16:22 +0100)]
add support for security groups

pvefw disablegroup -securitygroup <string> [OPTIONS]
pvefw enablegroup -securitygroup <string> [OPTIONS]

(pool permissions are not yet implemented)

/etc/pve/firewall/groups.fw

[IN:group1]

ACCEPT - - - tcp 22 -
ACCEPT - - - icmp - -

[OUT:group1]

ACCEPT - - - tcp 80 -
ACCEPT - - - icmp - -

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

10 years ago  rename ./pvefw enabletaprules -> ./pvefw enablevmfw
Alexandre Derumier [Fri, 7 Feb 2014 15:22:31 +0000 (16:22 +0100)]
rename ./pvefw enabletaprules -> ./pvefw enablevmfw

by default we enable rules for all the vm net interfaces

./pvefw disablevmfw -vmid 110 [-netid net0]
./pvefw enablevmfw -vmid 110 [-netid net0]

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

10 years ago  host firewall support
Alexandre Derumier [Fri, 7 Feb 2014 15:22:30 +0000 (16:22 +0100)]
host firewall support

default rules:

/etc/pve/local/host.fw

[IN]

ACCEPT - - - tcp 24007 -   #glusterfs
ACCEPT - - - icmp - -
ACCEPT - - - tcp 22 -
ACCEPT - - - tcp 8006 - #pveproxy
ACCEPT - - - tcp 3128 -  #spiceproxy
ACCEPT - - - tcp 6789 -  #ceph mon
ACCEPT - - - tcp 5900:5910 - #vnc consoles
ACCEPT - - - udp 53 -

[OUT]

ACCEPT - - - icmp - -
ACCEPT - - - tcp 24007 - #glusterfs
ACCEPT - - - tcp 6789 - #ceph mon
ACCEPT - - - tcp 22 -
ACCEPT - - - udp 53 -

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

10 years ago  add src and destination range
Alexandre Derumier [Fri, 7 Feb 2014 15:22:29 +0000 (16:22 +0100)]
add src and destination range

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

10 years ago  add support for multiport
Alexandre Derumier [Fri, 7 Feb 2014 15:22:28 +0000 (16:22 +0100)]
add support for multiport

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

10 years ago  basic bridge iptables implementation
Alexandre Derumier [Fri, 7 Feb 2014 15:22:27 +0000 (16:22 +0100)]
basic bridge iptables implementation

./pvefw enabletaprules -netid net0 -vmid 110

./pvefw disabletaprules -netid net0 -vmid 110

sample firewall config file
---------------------------

[IN]

ACCEPT net0 - - tcp 22 -
ACCEPT net0 - - icmp - -
GROUP-securityname1 net0 - - - - -  #apply security group rules
GROUP-securityname2 net0 - - icmp - -  #apply security group rules on icmp only

[OUT]

ACCEPT net0 - - icmp - -
ACCEPT net0 - - tcp 80 -
GROUP-securityname2 net0 - - - - -  #apply security group rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
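The rule format used by the three config snippets in this log (groups.fw, host.fw and the per-VM sample above), together with the iptables-restore newline fix and the MD5 change-detection entries further up, as an added Python example. This is not code from pve-firewall (which is written in Perl); the field order ACTION IFACE SOURCE DEST PROTO DPORT SPORT, the reading of `-` as "any", the accepted actions, the chain names (GROUP-<name>-IN, tap110i0-IN) and the sample inputs are assumptions made for illustration, not something the log states:

```python
import hashlib
import re

# Constructed sample input (not from the repository), mirroring the log's snippets.
SAMPLE_GROUPS = """\
[IN:group1]
ACCEPT - - - tcp 22 -
ACCEPT - - - icmp - -

[OUT:group1]
ACCEPT - - - tcp 80 -
ACCEPT - - - icmp - -
"""
SAMPLE_VM = """\
[IN]
ACCEPT net0 - - tcp 22 -
ACCEPT net0 - - tcp 5900:5910 - #vnc consoles
GROUP-group1 net0 - - - - -  #apply security group rules
GROUP-group1 net0 - - icmp - -  #apply security group rules on icmp only

[OUT]
ACCEPT net0 - - icmp - -
"""

# Field order and the accepted actions are assumptions; the page does not state them.
FIELDS = ("action", "iface", "source", "dest", "proto", "dport", "sport")
ACTIONS = ("ACCEPT", "DROP", "REJECT")                      # plus GROUP-<name>
SECTION_RE = re.compile(r"^\[(IN|OUT)(?::([A-Za-z0-9_-]+))?\]$")
PORT_RE = re.compile(r"^\d+(?::\d+)?(?:,\d+(?::\d+)?)*$")  # 22 | 5900:5910 | 22,80

def parse_rules(text):
    """Return {(direction, group_or_None): [rule, ...]}; any malformed line raises
    ValueError, since a half-applied firewall config is worse than a rejected one."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()                 # drop trailing comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: rule before any [IN]/[OUT] section")
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rule = {k: (None if v == "-" else v) for k, v in zip(FIELDS, parts)}
        if rule["action"] not in ACTIONS and not rule["action"].startswith("GROUP-"):
            raise ValueError(f"line {lineno}: unknown action {rule['action']!r}")
        for port in (rule["dport"], rule["sport"]):
            if port is not None and not PORT_RE.match(port):
                raise ValueError(f"line {lineno}: bad port spec {port!r}")
            if port is not None and rule["proto"] not in ("tcp", "udp"):
                raise ValueError(f"line {lineno}: ports require proto tcp or udp")
        sections[current].append(rule)
    return sections

def rule_to_iptables(chain, rule, direction):
    """Render one rule as an iptables-restore '-A' line. Interfaces use -i/-o for
    brevity; tap ports on a real Linux bridge would need '-m physdev' instead."""
    args = ["-A", chain]
    if rule["iface"]:
        args += ["-i" if direction == "IN" else "-o", rule["iface"]]
    for key, flag, range_flag in (("source", "-s", "--src-range"), ("dest", "-d", "--dst-range")):
        if rule[key] and "-" in rule[key]:                  # a-b range -> iprange match
            args += ["-m", "iprange", range_flag, rule[key]]
        elif rule[key]:                                     # single host or CIDR
            args += [flag, rule[key]]
    if rule["proto"]:
        args += ["-p", rule["proto"]]                       # must precede --dport/--sport
    for key, single, multi in (("dport", "--dport", "--dports"), ("sport", "--sport", "--sports")):
        if rule[key] and "," in rule[key]:                  # comma list -> multiport match
            args += ["-m", "multiport", multi, rule[key]]
        elif rule[key]:                                     # one port or low:high range
            args += [single, rule[key]]
    action = rule["action"]
    # GROUP-<name> jumps to that group's per-direction chain (chain naming assumed).
    target = f"{action}-{direction}" if action.startswith("GROUP-") else action
    return " ".join(args + ["-j", target])

def compile_restore_input(configs):
    """configs: iterable of (chain_prefix, parsed_sections). Returns filter-table
    input for iptables-restore, ending in COMMIT plus the newline the log's fix adds."""
    chains = {}
    for prefix, sections in configs:
        for (direction, group), rules in sections.items():
            chain = f"GROUP-{group}-{direction}" if group else f"{prefix}-{direction}"
            chains[chain] = [rule_to_iptables(chain, r, direction) for r in rules]
    lines = ["*filter"] + [f":{c} - [0:0]" for c in chains]
    for rendered in chains.values():
        lines += rendered
    return "\n".join(lines + ["COMMIT"]) + "\n"

def ruleset_digest(restore_text):
    """MD5 of the generated ruleset, used as the log does: to decide whether the live
    rules differ and need reloading. Not a tamper check; root can rewrite both."""
    return hashlib.md5(restore_text.encode()).hexdigest()
```

Calling `compile_restore_input([("groups", parse_rules(SAMPLE_GROUPS)), ("tap110i0", parse_rules(SAMPLE_VM))])` yields a `*filter` table with one chain per section and a terminated `COMMIT` line, ready to pipe into `iptables-restore`; `ruleset_digest` over that text is what a caller would compare against the digest of the currently loaded chains before deciding to reload. The parser deliberately rejects the whole file on any bad line (wrong field count, ports on a non-TCP/UDP protocol, an unknown action) rather than loading the rules it could understand.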

11 years ago  Clarify zone names
Michel Loiseleur [Mon, 20 Aug 2012 18:53:51 +0000 (20:53 +0200)]
Clarify zone names

It transforms zone files like this:
#ZONE                          TYPE       OPTIONS
$FW                            firewall
$ZVMBR0                        ipv4
$ZVMBR0EXT:$ZVMBR0             bport
$ZVMBR0VM100:$ZVMBR0          bport
$ZVMBR0VM101:$ZVMBR0          bport

into this:
#ZONE                          TYPE       OPTIONS
$FW                            firewall
$VMBR0                         ipv4
$VMBR0_EXT:$VMBR0              bport
$VMBR0_VM100:$VMBR0            bport
$VMBR0_VM101:$VMBR0            bport

Signed-off-by: Michel Loiseleur <michel@loiseleur.com>

11 years ago  parse protocols and ports
Dietmar Maurer [Thu, 16 Aug 2012 10:26:20 +0000 (12:26 +0200)]
parse protocols and ports

11 years ago  parse source and destination address lists
Dietmar Maurer [Thu, 16 Aug 2012 09:29:41 +0000 (11:29 +0200)]
parse source and destination address lists

11 years ago  implement workaround for inbound rules with source IP
Dietmar Maurer [Tue, 14 Aug 2012 10:28:37 +0000 (12:28 +0200)]
implement workaround for inbound rules with source IP

11 years ago  describe the problem
Dietmar Maurer [Fri, 10 Aug 2012 11:15:25 +0000 (13:15 +0200)]
describe the problem

11 years ago  add more docu
Dietmar Maurer [Fri, 10 Aug 2012 10:57:37 +0000 (12:57 +0200)]
add more docu

11 years ago  improve docu
Dietmar Maurer [Fri, 10 Aug 2012 10:28:25 +0000 (12:28 +0200)]
improve docu

11 years ago  cleanups
Dietmar Maurer [Fri, 10 Aug 2012 10:14:33 +0000 (12:14 +0200)]
cleanups

11 years ago  better documentation
Dietmar Maurer [Fri, 10 Aug 2012 09:52:46 +0000 (11:52 +0200)]
better documentation

11 years ago  use 'all' instead of 'any'
Dietmar Maurer [Fri, 10 Aug 2012 09:37:01 +0000 (11:37 +0200)]
use 'all' instead of 'any'

Internally, use undef

11 years ago  use extra zone for physical devices
Dietmar Maurer [Fri, 10 Aug 2012 09:05:07 +0000 (11:05 +0200)]
use extra zone for physical devices

11 years ago  use shell variables for zones
Dietmar Maurer [Thu, 9 Aug 2012 09:57:20 +0000 (11:57 +0200)]
use shell variables for zones

11 years ago  add comments to generated rules file
Dietmar Maurer [Thu, 9 Aug 2012 09:19:49 +0000 (11:19 +0200)]
add comments to generated rules file

11 years ago  read in shorewall macros
Dietmar Maurer [Wed, 8 Aug 2012 08:47:42 +0000 (10:47 +0200)]
read in shorewall macros

11 years ago  rename firewall setup script to 'pvefw'
Dietmar Maurer [Tue, 7 Aug 2012 12:21:12 +0000 (14:21 +0200)]
rename firewall setup script to 'pvefw'

11 years ago  use real vm configs, and write to /etc/shorewall
Dietmar Maurer [Tue, 7 Aug 2012 12:19:56 +0000 (14:19 +0200)]
use real vm configs, and write to /etc/shorewall

11 years ago  generate maclist
Dietmar Maurer [Mon, 6 Aug 2012 12:34:40 +0000 (14:34 +0200)]
generate maclist

11 years ago  add original zone names as comments
Dietmar Maurer [Mon, 6 Aug 2012 10:41:38 +0000 (12:41 +0200)]
add original zone names as comments

11 years ago  compile simple rules
Dietmar Maurer [Mon, 6 Aug 2012 10:15:48 +0000 (12:15 +0200)]
compile simple rules

11 years ago  code cleanup
Dietmar Maurer [Mon, 6 Aug 2012 08:29:33 +0000 (10:29 +0200)]
code cleanup

11 years ago  write real files
Dietmar Maurer [Mon, 6 Aug 2012 08:10:45 +0000 (10:10 +0200)]
write real files

And use short zone names

11 years ago  generate example zone and interfaces file
Dietmar Maurer [Fri, 3 Aug 2012 10:33:20 +0000 (12:33 +0200)]
generate example zone and interfaces file

11 years ago  start example code
Dietmar Maurer [Fri, 3 Aug 2012 09:19:45 +0000 (11:19 +0200)]
start example code

11 years ago  add config dir to store firewall configuration examples
Dietmar Maurer [Fri, 3 Aug 2012 09:00:06 +0000 (11:00 +0200)]
add config dir to store firewall configuration examples

11 years ago  add README
Dietmar Maurer [Fri, 3 Aug 2012 08:57:47 +0000 (10:57 +0200)]
add README