pve-firewall/debian/README

Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from:

 /etc/pve/firewall/<VMID>.fw

Cluster wide rules and security group are read from:
 
 /etc/pve/firewall/cluster.fw

Host firewall rules are read from:

  /etc/pve/local/host.fw

You can find examples in the example/ dir


Use the following command to mange the firewall:

To test the firewall configuration:

./pvefw compile

To start or update the firewall:

./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

./pvefw update

To stop the firewall:

./pvefw stop


Implementation details
======================

We write iptables rules directly, an generate the following chains 
as entry points in the 'forward' table:

PVEFW-INPUT
PVEFW-OUTPUT
PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in 

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* TYPE: IN|OUT|GROUP 
* ACTION: action or macro
* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: dest IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

A rule for inbound traffic looks like this:

IN SSH(ACCEPT) net0

Outbound rules looks like:

OUT SSH(ACCEPT)

Problems
===================

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

  * when a packet being sent through a bridge entered the firewall on 
    another interface and was being forwarded to the bridge.

  * when a packet originating on the firewall itself is being sent through 
    a bridge.

We use a second bridge for each interface to avoid above problem.

eth0-->vmbr0<--tapXiY (non firewalled tap)
            <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)
improve docu 2012-08-10 14:28:25 +04:00			`Experimental software, only used for testing!`
			`=============================================`
better documentation 2012-08-10 13:52:46 +04:00
cleanups 2012-08-10 14:14:33 +04:00
improve docu 2012-08-10 14:28:25 +04:00			`Quick Intro`
			`===========`
cleanups 2012-08-10 14:14:33 +04:00
fix README 2014-04-18 12:43:30 +04:00			`VM firewall rules are read from:`
better documentation 2012-08-10 13:52:46 +04:00
fix README 2014-04-18 12:43:30 +04:00			`/etc/pve/firewall/<VMID>.fw`
update documentation 2014-03-06 14:31:12 +04:00
fix README 2014-04-18 12:43:30 +04:00			`Cluster wide rules and security group are read from:`

			`/etc/pve/firewall/cluster.fw`

			`Host firewall rules are read from:`

			`/etc/pve/local/host.fw`
update documentation 2014-03-06 14:31:12 +04:00
better documentation 2012-08-10 13:52:46 +04:00			`You can find examples in the example/ dir`

cleanups 2012-08-10 14:14:33 +04:00
update documentation 2014-03-06 14:31:12 +04:00			`Use the following command to mange the firewall:`

			`To test the firewall configuration:`
better documentation 2012-08-10 13:52:46 +04:00
			`./pvefw compile`

update documentation 2014-03-06 14:31:12 +04:00			`To start or update the firewall:`
cleanups 2012-08-10 14:14:33 +04:00
			`./pvefw start`

update documentation 2014-03-06 14:31:12 +04:00			`To update the firewall rules (the firewall is not started if it`
			`is not already running):`
cleanups 2012-08-10 14:14:33 +04:00
update documentation 2014-03-06 14:31:12 +04:00			`./pvefw update`
cleanups 2012-08-10 14:14:33 +04:00
			`To stop the firewall:`

			`./pvefw stop`

improve docu 2012-08-10 14:28:25 +04:00
			`Implementation details`
			`======================`

update documentation 2014-03-06 14:31:12 +04:00			`We write iptables rules directly, an generate the following chains`
			`as entry points in the 'forward' table:`

			`PVEFW-INPUT`
			`PVEFW-OUTPUT`
			`PVEFW-FORWARD`

			`We do not touch other (user defined) chains.`
improve docu 2012-08-10 14:28:25 +04:00
			`Each VM can have its own firewall definition file in`

			`/etc/pve/firewall/<VMID>.fw`

update documentation 2014-03-06 14:31:12 +04:00			`That file has a section [RULES] to define firewall rules.`
improve docu 2012-08-10 14:28:25 +04:00
update documentation 2014-03-06 14:31:12 +04:00			`Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT`
improve docu 2012-08-10 14:28:25 +04:00
update documentation 2014-03-06 14:31:12 +04:00			`* TYPE: IN\|OUT\|GROUP`
			`* ACTION: action or macro`
improve docu 2012-08-10 14:28:25 +04:00			`* IFACE: vm network interface (net0 - net5), or '-' for all interfaces`
			`* SOURCE: source IP address, or '-' for any source`
			`* DEST: dest IP address, or '-' for any destination address`
			`* PROTO: see /etc/protocols`
			`* D-PORT: destination port`
			`* S-PORT: source port`

update documentation 2014-03-06 14:31:12 +04:00			`A rule for inbound traffic looks like this:`
add more docu 2012-08-10 14:57:37 +04:00
update documentation 2014-03-06 14:31:12 +04:00			`IN SSH(ACCEPT) net0`
add more docu 2012-08-10 14:57:37 +04:00
			`Outbound rules looks like:`

update documentation 2014-03-06 14:31:12 +04:00			`OUT SSH(ACCEPT)`
add more docu 2012-08-10 14:57:37 +04:00
implement workaround for inbound rules with source IP 2012-08-14 14:28:37 +04:00			`Problems`
describe the problem 2012-08-10 15:15:25 +04:00			`===================`

update documentation 2014-03-06 14:31:12 +04:00			`There are a number of restrictions when using iptables to filter`
			`bridged traffic. The physdev match feature does not work correctly`
			`when traffic is routed from host to bridge:`
describe the problem 2012-08-10 15:15:25 +04:00
remove allow_bridge_route setting Not needed for new network model with additional bridge. 2014-05-06 13:12:21 +04:00			`* when a packet being sent through a bridge entered the firewall on`
			`another interface and was being forwarded to the bridge.`
describe the problem 2012-08-10 15:15:25 +04:00
remove allow_bridge_route setting Not needed for new network model with additional bridge. 2014-05-06 13:12:21 +04:00			`* when a packet originating on the firewall itself is being sent through`
			`a bridge.`
describe the problem 2012-08-10 15:15:25 +04:00
remove allow_bridge_route setting Not needed for new network model with additional bridge. 2014-05-06 13:12:21 +04:00			`We use a second bridge for each interface to avoid above problem.`
add ifupdown helper to create veth devices plugged into bridges 2014-03-06 16:15:07 +04:00
remove allow_bridge_route setting Not needed for new network model with additional bridge. 2014-05-06 13:12:21 +04:00			`eth0-->vmbr0<--tapXiY (non firewalled tap)`
			`<--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)`