mirror of git://git.proxmox.com/git/pve-docs.git synced 2025-03-19 18:50:06 +03:00

firewall: more complete description of the ipfilter-net* sets

Wolfgang Bumiller 2016-03-25 09:28:10 +01:00 committed by Dietmar Maurer
parent 58b16f713f
commit a34d23e8cc

@ -263,10 +263,21 @@ Traffic from these ips is dropped by every host's and VM's firewall.
213.87.123.0/24
----
Standard IP set 'ipfilter'
^^^^^^^^^^^^^^^^^^^^^^^^^^
Standard IP set 'ipfilter-net*'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This ipset is used to prevent ip spoofing
These filters belong to a VM's network interface and are mainly used to prevent
IP spoofing. If such a set exists for an interface then any outgoing traffic
with a source IP not matching its interface's corresponding ipfilter set will
be dropped.
For containers with configured IP addresses these sets, if they exist (or are
activated via the general `IP Filter` option in the VM's firewall's 'options'
tab), implicitly contain the associated IP addresses.
For both virtual machines and containers they also implicitly contain the
standard MAC-derived IPv6 link-local address in order to allow the neighbor
discovery protocol to work.
----
/etc/pve/firewall/<VMID>.fw
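Review bot: The new 'ipfilter-net*' section never says what the `*` stands for or how a set is matched to "its interface's corresponding ipfilter set", so a reader cannot tell which set name to create for a given interface. State the naming rule explicitly and add a short example set definition next to the `/etc/pve/firewall/<VMID>.fw` reference. The container sentence "these sets, if they exist (or are activated via the general `IP Filter` option ...)" is also ambiguous about whether the option creates the sets or only enables existing ones; splitting it into two sentences would fix that. Since the text says non-matching source IPs are dropped and only the "standard MAC-derived IPv6 link-local address" is implicitly included, it is worth adding that a guest using any other link-local address needs it listed in the set for neighbor discovery to keep working.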