pve-firewall.git
6 years ago: fix comment
Dietmar Maurer [Tue, 4 Mar 2014 09:23:07 +0000 (10:23 +0100)]
fix comment

6 years ago: remove unnecessary rule
Dietmar Maurer [Tue, 4 Mar 2014 09:19:02 +0000 (10:19 +0100)]
remove unnecessary rule

6 years ago: s/enablehostfw/enable_host_firewall/
Dietmar Maurer [Tue, 4 Mar 2014 09:09:59 +0000 (10:09 +0100)]
s/enablehostfw/enable_host_firewall/

6 years ago: make sure syncookies are enabled
Dietmar Maurer [Tue, 4 Mar 2014 08:56:34 +0000 (09:56 +0100)]
make sure syncookies are enabled

6 years ago: use PVE::ProcFSTools::write_proc_entry instead of system("echo ...")
Dietmar Maurer [Tue, 4 Mar 2014 08:27:26 +0000 (09:27 +0100)]
use PVE::ProcFSTools::write_proc_entry instead of system("echo ...")

6 years ago: cleanup ruleset_generate_rule()
Dietmar Maurer [Tue, 4 Mar 2014 08:19:08 +0000 (09:19 +0100)]
cleanup ruleset_generate_rule()

6 years ago: improve clean target
Dietmar Maurer [Tue, 4 Mar 2014 08:07:23 +0000 (09:07 +0100)]
improve clean target

delete emacs tmp files in all subdirs

6 years ago: remove stale file
Dietmar Maurer [Tue, 4 Mar 2014 08:04:37 +0000 (09:04 +0100)]
remove stale file

6 years ago: merge IN/OUT section into RULES section
Dietmar Maurer [Mon, 3 Mar 2014 14:19:38 +0000 (15:19 +0100)]
merge IN/OUT section into RULES section

6 years ago: assemble debian package
Dietmar Maurer [Mon, 3 Mar 2014 08:40:04 +0000 (09:40 +0100)]
assemble debian package

6 years ago: implement log_level_in and log_level_out options
Dietmar Maurer [Fri, 28 Feb 2014 11:47:34 +0000 (12:47 +0100)]
implement log_level_in and log_level_out options

6 years ago: implement log level options
Dietmar Maurer [Fri, 28 Feb 2014 11:25:18 +0000 (12:25 +0100)]
implement log level options

6 years ago: use a file to store firewall status persistently.
Dietmar Maurer [Fri, 28 Feb 2014 09:50:44 +0000 (10:50 +0100)]
use a file to store firewall status persistently.

Start/stop saves state into a file. So the firewall remembers that status
even if the host is rebooted.

Also added helpers to update firewall rules and get current status.

6 years ago: ignore source/destination port if no protocol specified
Dietmar Maurer [Fri, 28 Feb 2014 09:36:28 +0000 (10:36 +0100)]
ignore source/destination port if no protocol specified

6 years ago: use defined() to check for undefined value
Dietmar Maurer [Thu, 27 Feb 2014 11:54:11 +0000 (12:54 +0100)]
use defined() to check for undefined value

6 years ago: improve multiport rule generator
Dietmar Maurer [Thu, 27 Feb 2014 11:52:05 +0000 (12:52 +0100)]
improve multiport rule generator

It is not allowed to use --sports and --dports together!

6 years ago: fix Ping macro
Dietmar Maurer [Thu, 27 Feb 2014 11:40:37 +0000 (12:40 +0100)]
fix Ping macro

6 years ago: improve example
Dietmar Maurer [Thu, 27 Feb 2014 11:12:45 +0000 (12:12 +0100)]
improve example

6 years ago: allow to disable single rules, and add ability to add comments
Dietmar Maurer [Thu, 27 Feb 2014 10:15:09 +0000 (11:15 +0100)]
allow to disable single rules, and add ability to add comments

6 years ago: add 'dhcp' option (enabled by default)
Dietmar Maurer [Thu, 27 Feb 2014 08:40:23 +0000 (09:40 +0100)]
add 'dhcp' option (enabled by default)

6 years ago: use PVEFW-reject instead of REJECT
Dietmar Maurer [Thu, 27 Feb 2014 08:37:17 +0000 (09:37 +0100)]
use PVEFW-reject instead of REJECT

6 years ago: accept traffic to unmanaged bridge ports
Dietmar Maurer [Thu, 27 Feb 2014 07:54:11 +0000 (08:54 +0100)]
accept traffic to unmanaged bridge ports

6 years ago: correctly apply macros
Dietmar Maurer [Thu, 27 Feb 2014 06:23:42 +0000 (07:23 +0100)]
correctly apply macros

Allow to set additional parameters if they do not conflict with macros settings.

6 years ago: implement nosmurfs options (enabled by default)
Dietmar Maurer [Wed, 26 Feb 2014 13:29:53 +0000 (14:29 +0100)]
implement nosmurfs options (enabled by default)

6 years ago: implement option 'tcpflags' to log illegal combinations of TCP flags
Dietmar Maurer [Wed, 26 Feb 2014 12:59:25 +0000 (13:59 +0100)]
implement option 'tcpflags' to log illegal combinations of TCP flags

6 years ago: make mac address filtering optional (default enabled)
Dietmar Maurer [Wed, 26 Feb 2014 12:42:48 +0000 (13:42 +0100)]
make mac address filtering optional (default enabled)

6 years ago: use chains from previous commit to reduce logging
Dietmar Maurer [Wed, 26 Feb 2014 12:00:43 +0000 (13:00 +0100)]
use chains from previous commit to reduce logging

6 years ago: add some useful chains
Dietmar Maurer [Wed, 26 Feb 2014 11:43:04 +0000 (12:43 +0100)]
add some useful chains

Those chains implement basically the same rules as the related shorewall actions.

6 years ago: add a way to define some default chains
Dietmar Maurer [Wed, 26 Feb 2014 11:40:53 +0000 (12:40 +0100)]
add a way to define some default chains

6 years ago: fix multiport rules and add icmp type names
Dietmar Maurer [Wed, 26 Feb 2014 11:35:05 +0000 (12:35 +0100)]
fix multiport rules and add icmp type names

Multiport module needs --dports/--sports (instead of --dport/--sport).
Also, a single port Range does not require --multiport.

Also added the ability to use icmp type name as 'dport' when proto is icmp.

6 years ago: cleanups
Dietmar Maurer [Wed, 26 Feb 2014 09:02:39 +0000 (10:02 +0100)]
cleanups

6 years ago: always use PVEFW-SET-ACCEPT-MARK for OUT chain
Dietmar Maurer [Wed, 26 Feb 2014 06:22:02 +0000 (07:22 +0100)]
always use PVEFW-SET-ACCEPT-MARK for OUT chain

That way we can re-use chains for the host firewall.

6 years ago: bridge rules : -j ACCEPT for physical interfaces
Alexandre Derumier [Tue, 25 Feb 2014 12:47:52 +0000 (13:47 +0100)]
bridge rules : -j ACCEPT for physical interfaces

We need to accept traffic at the end of bridge rules for outgoing packets from tap->ethX,
as we don't do ACCEPT in tap-out rules.

IN=vmbr0 OUT=vmbr0 PHYSIN=tap110i0 PHYSOUT=eth0

-A PVEFW-FORWARD -o vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW
-A PVEFW-FORWARD -i vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW

-A vmbr0-FW -m physdev --physdev-is-in --physdev-is-bridged -j vmbr0-OUT
-A vmbr0-FW -m physdev --physdev-is-out --physdev-is-bridged -j vmbr0-IN
-A vmbr0-FW -j ACCEPT

-A PVEFW-FORWARD -o vmbr0 -j DROP
-A PVEFW-FORWARD -i vmbr0 -j DROP

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: use RETURN instead ACCEPT for tap-out rules
Alexandre Derumier [Tue, 25 Feb 2014 12:24:06 +0000 (13:24 +0100)]
use RETURN instead ACCEPT for tap-out rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: implement VM policy option
Dietmar Maurer [Tue, 25 Feb 2014 11:16:33 +0000 (12:16 +0100)]
implement VM policy option

6 years ago: implement 'enable' option
Dietmar Maurer [Tue, 25 Feb 2014 10:54:38 +0000 (11:54 +0100)]
implement 'enable' option

And pass whole VM firewall config to generate_tap_rules_direction. That way we
have access to {options} section.

6 years ago: compile: use verbose output when started from CLI
Dietmar Maurer [Tue, 25 Feb 2014 10:42:32 +0000 (11:42 +0100)]
compile: use verbose output when started from CLI

6 years ago: rename chain $bridge to $bridge-FW
Dietmar Maurer [Tue, 25 Feb 2014 10:29:22 +0000 (11:29 +0100)]
rename chain $bridge to $bridge-FW

and fix the activation bug.

6 years ago: optimize bridge chains
Alexandre Derumier [Tue, 25 Feb 2014 08:44:54 +0000 (09:44 +0100)]
optimize bridge chains

fixme : I have this error "unable to update chain vmbrX".

But if I remove this check, the rules apply fine.

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: parse_port_name_number_or_range fix range check
Alexandre Derumier [Tue, 25 Feb 2014 08:44:53 +0000 (09:44 +0100)]
parse_port_name_number_or_range fix range check

for port range  a:b,

we need to check that b > a

this kind of range is invalid

80:22
80:ssh
http:ssh

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
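The port handling described in the commits above (ranges a:b must have b > a, service names allowed on either side, ports ignored without a protocol, --dports/--sports only with -m multiport, a single range needing no multiport, icmp type names in the dport column, and --sports and --dports never inside one multiport match) as one added Python example. This is not the project's Perl code; the service-name table, the ICMP type list and the multiport limit handling are assumptions made here so the example runs offline.

```python
# Constructed service-name table so the example runs offline; a real
# implementation would resolve names via /etc/services (socket.getservbyname).
SERVICES = {"ssh": 22, "domain": 53, "http": 80, "https": 443}

# ICMP type names accepted in the 'dport' column when proto is icmp
# (assumption: a subset of the names iptables' icmp match understands).
ICMP_TYPES = {"echo-request", "echo-reply", "destination-unreachable",
              "time-exceeded", "parameter-problem"}

MULTIPORT_MAX = 15  # iptables multiport limit; a range a:b counts as two ports


def parse_port(token):
    """Resolve a port number or service name to an int in 1..65535."""
    if token.isdigit():
        port = int(token)
    elif token in SERVICES:
        port = SERVICES[token]
    else:
        raise ValueError(f"unknown port or service name '{token}'")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def parse_port_name_number_or_range(spec):
    """Accept 'a' or 'a:b' (names allowed) and return the normalized form.

    For a range the upper bound must be greater than the lower bound, so
    '80:22', '80:ssh' and 'http:ssh' are all rejected.
    """
    parts = spec.split(":")
    if len(parts) == 1:
        return str(parse_port(parts[0]))
    if len(parts) == 2:
        lo, hi = parse_port(parts[0]), parse_port(parts[1])
        if hi <= lo:
            raise ValueError(f"invalid port range '{spec}': {hi} is not greater than {lo}")
        return f"{lo}:{hi}"
    raise ValueError(f"invalid port specification '{spec}'")


def is_valid_port_spec(spec):
    """True if parse_port_name_number_or_range() accepts spec."""
    try:
        parse_port_name_number_or_range(spec)
        return True
    except ValueError:
        return False


def port_args(proto, dport=None, sport=None):
    """Build the iptables match arguments for the proto/dport/sport columns.

    - no protocol: ports are ignored, since a port match needs -p tcp/udp
    - icmp: dport carries an ICMP type name or number
    - tcp/udp: a single port or a single range uses --dport/--sport; a
      comma-separated list needs -m multiport with --dports/--sports, and
      the two directions go into separate multiport matches because one
      multiport instance cannot take --sports and --dports together
    """
    if proto is None:
        return []
    args = ["-p", proto]
    if proto == "icmp":
        if dport is not None:
            if dport not in ICMP_TYPES and not dport.isdigit():
                raise ValueError(f"unknown icmp type '{dport}'")
            args += ["-m", "icmp", "--icmp-type", dport]
        return args
    if proto not in ("tcp", "udp"):
        return args  # other protocols carry no port information
    for single, multi, spec in (("--dport", "--dports", dport),
                                ("--sport", "--sports", sport)):
        if spec is None:
            continue
        items = [parse_port_name_number_or_range(p) for p in spec.split(",")]
        if len(items) == 1:
            args += [single, items[0]]
            continue
        if sum(2 if ":" in i else 1 for i in items) > MULTIPORT_MAX:
            raise ValueError(f"multiport accepts at most {MULTIPORT_MAX} ports: '{spec}'")
        args += ["-m", "multiport", multi, ",".join(items)]
    return args
```

Calling port_args("tcp", "22,http,443", "1024:65535") yields -p tcp -m multiport --dports 22,80,443 --sport 1024:65535, i.e. the list goes through multiport while the single source range stays a plain --sport; validation of the range bounds happens before any rule text is produced, so an inverted range never reaches iptables-restore.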

6 years ago: do not delete PVEFW-INPUT, PVEFW-OUTPUT and PVEFW-FORWARD chain.
Dietmar Maurer [Fri, 21 Feb 2014 10:01:17 +0000 (11:01 +0100)]
do not delete PVEFW-INPUT, PVEFW-OUTPUT and PVEFW-FORWARD chain.

6 years ago: implement simple option parser
Dietmar Maurer [Fri, 21 Feb 2014 09:39:13 +0000 (10:39 +0100)]
implement simple option parser

6 years ago: use conntrack instead of state
Dietmar Maurer [Thu, 20 Feb 2014 12:14:58 +0000 (13:14 +0100)]
use conntrack instead of state

-m state --state is deprecated

6 years ago: allow traffic from lo (PVEFW-INPUT)
Dietmar Maurer [Thu, 20 Feb 2014 11:39:38 +0000 (12:39 +0100)]
allow traffic from lo (PVEFW-INPUT)

6 years ago: define more macros (converted most shorewall macros)
Dietmar Maurer [Thu, 20 Feb 2014 10:35:51 +0000 (11:35 +0100)]
define more macros (converted most shorewall macros)

6 years ago: use $rule->{dest} instead of $rule->{destination}
Dietmar Maurer [Thu, 20 Feb 2014 10:06:55 +0000 (11:06 +0100)]
use $rule->{dest} instead of $rule->{destination}

6 years ago: implement macros
Dietmar Maurer [Thu, 20 Feb 2014 08:02:17 +0000 (09:02 +0100)]
implement macros

6 years ago: only use --mark for OUT chain
Dietmar Maurer [Wed, 19 Feb 2014 16:01:11 +0000 (17:01 +0100)]
only use --mark for OUT chain

6 years ago: jump to ACCEPT for IN rules
Dietmar Maurer [Wed, 19 Feb 2014 10:24:49 +0000 (11:24 +0100)]
jump to ACCEPT for IN rules

6 years ago: improve parser
Dietmar Maurer [Wed, 19 Feb 2014 09:59:37 +0000 (10:59 +0100)]
improve parser

Also avoid that we read the group file multiple times.
The group file does not need to specify interfaces.

6 years ago: use accept mark for security groups
Dietmar Maurer [Wed, 19 Feb 2014 07:30:15 +0000 (08:30 +0100)]
use accept mark for security groups

6 years ago: correctly remove stale chains
Dietmar Maurer [Wed, 19 Feb 2014 07:26:22 +0000 (08:26 +0100)]
correctly remove stale chains

6 years ago: pass $ruleset instead of $rule
Dietmar Maurer [Tue, 18 Feb 2014 15:01:29 +0000 (16:01 +0100)]
pass $ruleset instead of $rule

6 years ago: check chain name length (max 28 chars)
Dietmar Maurer [Tue, 18 Feb 2014 11:40:02 +0000 (12:40 +0100)]
check chain name length (max 28 chars)

6 years ago: use --comment to store SHA1 signature
Dietmar Maurer [Tue, 18 Feb 2014 11:27:03 +0000 (12:27 +0100)]
use --comment to store SHA1 signature

6 years ago: split compile from apply
Dietmar Maurer [Tue, 18 Feb 2014 11:15:26 +0000 (12:15 +0100)]
split compile from apply

And renamed compile_and_start into apply_ruleset.

6 years ago: avoid perl warning
Dietmar Maurer [Tue, 18 Feb 2014 11:08:19 +0000 (12:08 +0100)]
avoid perl warning

6 years ago: enable proc/sys/net/bridge/bridge-nf-call-iptables
Dietmar Maurer [Tue, 18 Feb 2014 11:07:40 +0000 (12:07 +0100)]
enable proc/sys/net/bridge/bridge-nf-call-iptables

6 years ago: add MAC filter
Dietmar Maurer [Tue, 18 Feb 2014 10:59:01 +0000 (11:59 +0100)]
add MAC filter

6 years ago: cleanup chain names
Dietmar Maurer [Tue, 18 Feb 2014 09:59:21 +0000 (10:59 +0100)]
cleanup chain names

Try to use PVEFW prefix. I do not add that prefix to chains containing device names,
because chain name length is limited.

6 years ago: test if BRIDGEFW-OUT and BRIDGEFW-IN exist
Alexandre Derumier [Mon, 17 Feb 2014 12:50:26 +0000 (13:50 +0100)]
test if BRIDGEFW-OUT and BRIDGEFW-IN exist

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: simplify firewall and use MD5 hash to detect changes
Dietmar Maurer [Mon, 17 Feb 2014 12:05:39 +0000 (13:05 +0100)]
simplify firewall and use MD5 hash to detect changes

6 years ago: consider host-IN/OUT chains in iptables_get_chains
Dietmar Maurer [Mon, 17 Feb 2014 06:17:33 +0000 (07:17 +0100)]
consider host-IN/OUT chains in iptables_get_chains

6 years ago: consider security group chains in iptables_get_chains
Dietmar Maurer [Mon, 17 Feb 2014 06:13:27 +0000 (07:13 +0100)]
consider security group chains in iptables_get_chains

6 years ago: implement stop command using new iptables_get_chains
Dietmar Maurer [Fri, 14 Feb 2014 14:02:41 +0000 (15:02 +0100)]
implement stop command using new iptables_get_chains

6 years ago: experimental code to read existing chains and compute SHA1 checksum
Dietmar Maurer [Fri, 14 Feb 2014 13:22:50 +0000 (14:22 +0100)]
experimental code to read existing chains and compute SHA1 checksum
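The change-detection scheme the commits "check chain name length (max 28 chars)", "use --comment to store SHA1 signature", "simplify firewall and use MD5 hash to detect changes" and "experimental code to read existing chains and compute SHA1 checksum" describe, as an added Python example (not the project's Perl code). The idea: digest the rule lines the generator is about to emit, store the digest inside a --comment rule at the end of the chain, and on the next run read that comment back from iptables-save output; if it equals the digest of the freshly generated rules, the chain is untouched and need not be rewritten. The PVESIG: marker string and the sample rules are assumptions made for this example.

```python
import hashlib
import re

# iptables limits chain names to 28 characters (XT_EXTENSION_MAXNAMELEN - 1).
MAX_CHAIN_NAME = 28
# Marker placed in front of the digest; the exact string the project uses is
# not on this page, so this one is an assumption.
SIG_PREFIX = "PVESIG:"


def is_valid_chain_name(name):
    """Chain names must fit iptables' length limit and contain no whitespace."""
    return 0 < len(name) <= MAX_CHAIN_NAME and re.fullmatch(r"[A-Za-z0-9_.-]+", name) is not None


def chain_signature(rules):
    """SHA1 over the rule text the generator produces, one rule per line.

    This is a change detector, not a security control: it only has to tell
    'the rules we would generate now' apart from 'the rules we generated last
    time', and the digest is taken over our own text so it does not depend
    on how iptables-save re-serializes a rule.
    """
    h = hashlib.sha1()
    for rule in rules:
        h.update(rule.encode("utf-8"))
        h.update(b"\n")
    return h.hexdigest()


def render_chain(name, rules):
    """Emit iptables-restore lines for one chain, ending with a rule whose only
    purpose is to carry the digest in a --comment (it has no target, so it
    changes no verdict)."""
    if not is_valid_chain_name(name):
        raise ValueError(f"invalid chain name '{name}' (max {MAX_CHAIN_NAME} chars)")
    lines = [f":{name} - [0:0]"]
    lines += [f"-A {name} {rule}" for rule in rules]
    lines.append(f'-A {name} -m comment --comment "{SIG_PREFIX}{chain_signature(rules)}"')
    return lines


def read_signature(saved, name):
    """Extract the stored digest for `name` from iptables-save output.

    iptables-save quotes a comment containing ':' but the quotes are made
    optional here so hand-written input is accepted as well.
    """
    pat = re.compile(rf'^-A {re.escape(name)} -m comment --comment "?'
                     rf'{re.escape(SIG_PREFIX)}([0-9a-f]{{40}})"?$')
    for line in saved:
        m = pat.match(line)
        if m:
            return m.group(1)
    return None


def chain_needs_update(saved, name, rules):
    """True if the chain is missing, unsigned, or was generated from other rules."""
    return read_signature(saved, name) != chain_signature(rules)


# Constructed sample rules (not from the project) for a round-trip check.
SAMPLE_RULES = ["-i vmbr0 -m physdev --physdev-is-bridged -j vmbr0-FW",
                "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
```

Because the comparison is digest against digest, a chain that an administrator edited by hand still carries the old signature rule and is therefore rewritten on the next apply; a chain without any signature rule is treated the same way, which is the safe default for a firewall.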

6 years ago: fix iptables-restore - correctly add newline after COMMIT
Dietmar Maurer [Fri, 14 Feb 2014 11:41:20 +0000 (12:41 +0100)]
fix iptables-restore - correctly add newline after COMMIT

Also print $cmdlist on error. Just for debugging.

6 years ago: remove shorewall rule compiler
Dietmar Maurer [Fri, 14 Feb 2014 10:27:33 +0000 (11:27 +0100)]
remove shorewall rule compiler

6 years ago: use input parameter to feed iptables-restore
Dietmar Maurer [Thu, 13 Feb 2014 11:37:50 +0000 (12:37 +0100)]
use input parameter to feed iptables-restore

6 years ago: implement locking
Dietmar Maurer [Thu, 13 Feb 2014 11:33:22 +0000 (12:33 +0100)]
implement locking

6 years ago: remove shorewall specific commands
Dietmar Maurer [Thu, 13 Feb 2014 09:55:48 +0000 (10:55 +0100)]
remove shorewall specific commands

6 years ago: add support for security groups
Alexandre Derumier [Fri, 7 Feb 2014 15:22:32 +0000 (16:22 +0100)]
add support for security groups

pvefw disablegroup -securitygroup <string> [OPTIONS]
pvefw enablegroup -securitygroup <string> [OPTIONS]

(pool permissions are not yet implemented)

/etc/pve/firewall/groups.fw

[IN:group1]

ACCEPT - - - tcp 22 -
ACCEPT - - - icmp - -

[OUT:group1]

ACCEPT - - - tcp 80 -
ACCEPT - - - icmp - -

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: rename ./pvefw enabletaprules -> ./pvefw enablevmfw
Alexandre Derumier [Fri, 7 Feb 2014 15:22:31 +0000 (16:22 +0100)]
rename ./pvefw enabletaprules -> ./pvefw enablevmfw

by default we enable rules for all the vm net interfaces

./pvefw disablevmfw -vmid 110 [-netid net0]
./pvefw enablevmfw -vmid 110 [-netid net0]

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: host firewall support
Alexandre Derumier [Fri, 7 Feb 2014 15:22:30 +0000 (16:22 +0100)]
host firewall support

default rules:

/etc/pve/local/host.fw

[IN]

ACCEPT - - - tcp 24007 -   #glusterfs
ACCEPT - - - icmp - -
ACCEPT - - - tcp 22 -
ACCEPT - - - tcp 8006 - #pveproxy
ACCEPT - - - tcp 3128 -  #spiceproxy
ACCEPT - - - tcp 6789 -  #ceph mon
ACCEPT - - - tcp 5900:5910 - #vnc consoles
ACCEPT - - - udp 53 -

[OUT]

ACCEPT - - - icmp - -
ACCEPT - - - tcp 24007 - #glusterfs
ACCEPT - - - tcp 6789 - #ceph mon
ACCEPT - - - tcp 22 -
ACCEPT - - - udp 53 -

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: add src and destination range
Alexandre Derumier [Fri, 7 Feb 2014 15:22:29 +0000 (16:22 +0100)]
add src and destination range

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: add support for multiport
Alexandre Derumier [Fri, 7 Feb 2014 15:22:28 +0000 (16:22 +0100)]
add support for multiport

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>

6 years ago: basic bridge iptables implementation
Alexandre Derumier [Fri, 7 Feb 2014 15:22:27 +0000 (16:22 +0100)]
basic bridge iptables implementation

./pvefw enabletaprules -netid net0 -vmid 110

./pvefw disabletaprules -netid net0 -vmid 110

sample firewall config file
---------------------------

[IN]

ACCEPT net0 - - tcp 22 -
ACCEPT net0 - - icmp - -
GROUP-securityname1 net0 - - - - -  #apply security group rules
GROUP-securityname2 net0 - - icmp - -  #apply security group rules on icmp only
[OUT]

ACCEPT net0 - - icmp - -
ACCEPT net0 - - tcp 80 -
GROUP-securityname2 net0 - - - - -  #apply security group rules

Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
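A parser for the rule-file format shown in the "add support for security groups", "host firewall support" and "basic bridge iptables implementation" commit messages above, plus expansion of GROUP-<name> references, as an added Python example (not the project's Perl implementation). The column order ACTION IFACE SOURCE DEST PROTO DPORT SPORT is read off the samples on this page and is an assumption, as is the rule that a GROUP- line naming a protocol only pulls in group rules compatible with that protocol; the two config texts at the bottom are constructed from the page's samples, with group sections for the names the VM sample references.

```python
import re
from dataclasses import dataclass
from typing import Optional

# [IN] / [OUT] in a VM or host file, [IN:name] / [OUT:name] in groups.fw
SECTION_RE = re.compile(r"^\[(IN|OUT)(?::([A-Za-z0-9_-]+))?\]$")
ACTIONS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    # ACTION IFACE SOURCE DEST PROTO DPORT SPORT [#comment]; '-' means "any"
    # (column order assumed from the samples on this page).
    action: str
    iface: Optional[str]
    source: Optional[str]
    dest: Optional[str]
    proto: Optional[str]
    dport: Optional[str]
    sport: Optional[str]
    comment: Optional[str] = None


def parse_fw(text):
    """Parse a .fw file into {(direction, group_name_or_None): [Rule, ...]}."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line {lineno}: rule before any section header")
        body, _, comment = line.partition("#")
        cols = body.split()
        if len(cols) != 7:
            raise ValueError(f"line {lineno}: expected 7 columns, got {len(cols)}")
        if cols[0] not in ACTIONS and not cols[0].startswith("GROUP-"):
            raise ValueError(f"line {lineno}: unknown action '{cols[0]}'")
        fields = [None if c == "-" else c for c in cols[1:]]
        sections[current].append(Rule(cols[0], *fields, comment=comment.strip() or None))
    return sections


def expand_groups(vm_sections, group_sections, direction):
    """Replace each GROUP-<name> line in the VM's [direction] section with the
    rules of the group's [direction:name] section. The referencing line
    supplies the interface; if it names a protocol, group rules for another
    protocol are skipped. An unknown group is an error, not a silent no-op,
    so a typo cannot quietly drop a whole set of rules."""
    out = []
    for ref in vm_sections.get((direction, None), []):
        if not ref.action.startswith("GROUP-"):
            out.append(ref)
            continue
        name = ref.action[len("GROUP-"):]
        grp = group_sections.get((direction, name))
        if grp is None:
            raise ValueError(f"security group '{name}' has no [{direction}:{name}] section")
        for g in grp:
            if ref.proto and g.proto and g.proto != ref.proto:
                continue
            out.append(Rule(g.action, ref.iface, g.source, g.dest,
                            g.proto or ref.proto, g.dport, g.sport, g.comment))
    return out


# Constructed inputs modelled on the samples in the commit messages above.
GROUPS_FW = """\
[IN:securityname1]
ACCEPT - - - tcp 22 -
ACCEPT - - - icmp - -
[IN:securityname2]
ACCEPT - - - tcp 80 -
ACCEPT - - - icmp - -
[OUT:securityname2]
ACCEPT - - - tcp 80 -
ACCEPT - - - icmp - -
"""

VM_FW = """\
[IN]
ACCEPT net0 - - tcp 22 -
ACCEPT net0 - - icmp - -
GROUP-securityname1 net0 - - - - -  #apply security group rules
GROUP-securityname2 net0 - - icmp - -  #apply security group rules on icmp only
[OUT]
ACCEPT net0 - - icmp - -
ACCEPT net0 - - tcp 80 -
GROUP-securityname2 net0 - - - - -  #apply security group rules
"""


def effective_rules(direction):
    """Expanded rules of the constructed VM config for one direction."""
    return expand_groups(parse_fw(VM_FW), parse_fw(GROUPS_FW), direction)
```

For the constructed input, effective_rules("IN") yields five rules: the two explicit ones, both rules of securityname1, and only the icmp rule of securityname2, since the referencing line restricts that group to icmp; the tcp 80 rule of that group is never applied on the inbound side.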

7 years ago: Clarify zone names
Michel Loiseleur [Mon, 20 Aug 2012 18:53:51 +0000 (20:53 +0200)]
Clarify zone names

It transforms zone files like this:
#ZONE                          TYPE       OPTIONS
$FW                            firewall
$ZVMBR0                        ipv4
$ZVMBR0EXT:$ZVMBR0             bport
$ZVMBR0VM100:$ZVMBR0          bport
$ZVMBR0VM101:$ZVMBR0          bport

into this:
#ZONE                          TYPE       OPTIONS
$FW                            firewall
$VMBR0                         ipv4
$VMBR0_EXT:$VMBR0              bport
$VMBR0_VM100:$VMBR0            bport
$VMBR0_VM101:$VMBR0            bport

Signed-off-by: Michel Loiseleur <michel@loiseleur.com>

7 years ago: parse protocols and ports
Dietmar Maurer [Thu, 16 Aug 2012 10:26:20 +0000 (12:26 +0200)]
parse protocols and ports

7 years ago: parse source and destination address lists
Dietmar Maurer [Thu, 16 Aug 2012 09:29:41 +0000 (11:29 +0200)]
parse source and destination address lists

7 years ago: implement workaround for inbound rules with source IP
Dietmar Maurer [Tue, 14 Aug 2012 10:28:37 +0000 (12:28 +0200)]
implement workaround for inbound rules with source IP

7 years ago: describe the problem
Dietmar Maurer [Fri, 10 Aug 2012 11:15:25 +0000 (13:15 +0200)]
describe the problem

7 years ago: add more docu
Dietmar Maurer [Fri, 10 Aug 2012 10:57:37 +0000 (12:57 +0200)]
add more docu

7 years ago: improve docu
Dietmar Maurer [Fri, 10 Aug 2012 10:28:25 +0000 (12:28 +0200)]
improve docu

7 years ago: cleanups
Dietmar Maurer [Fri, 10 Aug 2012 10:14:33 +0000 (12:14 +0200)]
cleanups

7 years ago: better documentation
Dietmar Maurer [Fri, 10 Aug 2012 09:52:46 +0000 (11:52 +0200)]
better documentation

7 years ago: use 'all' instead of 'any'
Dietmar Maurer [Fri, 10 Aug 2012 09:37:01 +0000 (11:37 +0200)]
use 'all' instead of 'any'

Internally, use undef

7 years ago: use extra zone for physical devices
Dietmar Maurer [Fri, 10 Aug 2012 09:05:07 +0000 (11:05 +0200)]
use extra zone for physical devices

7 years ago: use shell variables for zones
Dietmar Maurer [Thu, 9 Aug 2012 09:57:20 +0000 (11:57 +0200)]
use shell variables for zones

7 years ago: add comments to generated rules file
Dietmar Maurer [Thu, 9 Aug 2012 09:19:49 +0000 (11:19 +0200)]
add comments to generated rules file

7 years ago: read in shorewall macros
Dietmar Maurer [Wed, 8 Aug 2012 08:47:42 +0000 (10:47 +0200)]
read in shorewall macros

7 years ago: rename firewall setup script to 'pvefw'
Dietmar Maurer [Tue, 7 Aug 2012 12:21:12 +0000 (14:21 +0200)]
rename firewall setup script to 'pvefw'

7 years ago: use real vm configs, and write to /etc/shorewall
Dietmar Maurer [Tue, 7 Aug 2012 12:19:56 +0000 (14:19 +0200)]
use real vm configs, and write to /etc/shorewall

7 years ago: generate maclist
Dietmar Maurer [Mon, 6 Aug 2012 12:34:40 +0000 (14:34 +0200)]
generate maclist

7 years ago: add original zone names as comments
Dietmar Maurer [Mon, 6 Aug 2012 10:41:38 +0000 (12:41 +0200)]
add original zone names as comments

7 years ago: compile simple rules
Dietmar Maurer [Mon, 6 Aug 2012 10:15:48 +0000 (12:15 +0200)]
compile simple rules

7 years ago: code cleanup
Dietmar Maurer [Mon, 6 Aug 2012 08:29:33 +0000 (10:29 +0200)]
code cleanup

7 years ago: write real files
Dietmar Maurer [Mon, 6 Aug 2012 08:10:45 +0000 (10:10 +0200)]
write real files

And use short zone names

7 years ago: generate example zone and interfaces file
Dietmar Maurer [Fri, 3 Aug 2012 10:33:20 +0000 (12:33 +0200)]
generate example zone and interfaces file

7 years ago: start example code
Dietmar Maurer [Fri, 3 Aug 2012 09:19:45 +0000 (11:19 +0200)]
start example code