Alexandre Derumier
462a655353
rename ./pvefw enabletaprules -> ./pvefw enablevmfw
...
by default we enable rules for all the vm net interfaces
./pvefw disablevmfw -vmid 110 [-netid net0]
./pvefw enablevmfw -vmid 110 [-netid net0]
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-02-13 10:56:53 +01:00
Alexandre Derumier
0bd5f13736
host firewall support
...
default rules:
/etc/pve/local/host.fw
[IN]
ACCEPT - - - tcp 24007 - #glusterfs
ACCEPT - - - icmp - -
ACCEPT - - - tcp 22 -
ACCEPT - - - tcp 8006 - #pveproxy
ACCEPT - - - tcp 3128 - #spiceproxy
ACCEPT - - - tcp 6789 - #ceph mon
ACCEPT - - - tcp 5900:5910 - #vnc consoles
ACCEPT - - - udp 53 -
[OUT]
ACCEPT - - - icmp - -
ACCEPT - - - tcp 24007 - #glusterfs
ACCEPT - - - tcp 6789 - #ceph mon
ACCEPT - - - tcp 22 -
ACCEPT - - - udp 53 -
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-02-13 10:56:53 +01:00
Alexandre Derumier
d6de1dc216
add src and destination range
...
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-02-13 10:56:53 +01:00
Alexandre Derumier
4cdbb3b707
add support for multiport
...
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-02-13 10:36:53 +01:00
Alexandre Derumier
3a616aa0ae
basic bridge iptables implementation
...
./pvefw enabletaprules -netid net0 -vmid 110
./pvefw disabletaprules -netid net0 -vmid 110
sample firewall config file
---------------------------
[IN]
ACCEPT net0 - - tcp 22 -
ACCEPT net0 - - icmp - -
GROUP-securityname1 net0 - - - - - #apply security group rules
GROUP-securityname2 net0 - - icmp - - #apply security group rules on icmp only
[OUT]
ACCEPT net0 - - icmp - -
ACCEPT net0 - - tcp 80 -
GROUP-securityname2 net0 - - - - - #apply security group rules
Signed-off-by: Alexandre Derumier <aderumier@odiso.com>
2014-02-13 10:36:38 +01:00
Michel Loiseleur
1b6a0a59ec
Clarify zone names
...
It transforms zone files like this:
#ZONE TYPE OPTIONS
$FW firewall
$ZVMBR0 ipv4
$ZVMBR0EXT:$ZVMBR0 bport
$ZVMBR0VM100:$ZVMBR0 bport
$ZVMBR0VM101:$ZVMBR0 bport
into this:
#ZONE TYPE OPTIONS
$FW firewall
$VMBR0 ipv4
$VMBR0_EXT:$VMBR0 bport
$VMBR0_VM100:$VMBR0 bport
$VMBR0_VM101:$VMBR0 bport
Signed-off-by: Michel Loiseleur <michel@loiseleur.com>
2012-08-21 10:41:04 +02:00
Dietmar Maurer
fcba0bebc7
parse protocols and ports
2012-08-16 12:26:20 +02:00
Dietmar Maurer
ecbea048f4
parse source and destination address lists
2012-08-16 11:29:41 +02:00
Dietmar Maurer
b9b06789a8
implement workaround for inbound rules with source IP
2012-08-14 12:28:37 +02:00
Dietmar Maurer
8fb53d8ccf
describe the problem
2012-08-10 13:15:25 +02:00
Dietmar Maurer
b486ed3b93
add more docu
2012-08-10 12:57:37 +02:00
Dietmar Maurer
f4bf58dd92
improve docu
2012-08-10 12:28:25 +02:00
Dietmar Maurer
5e1267a55e
cleanups
2012-08-10 12:14:33 +02:00
Dietmar Maurer
ec6b110036
better documentation
2012-08-10 11:52:46 +02:00
Dietmar Maurer
9a4644fa55
use 'all' instead of 'any'
...
Internally, use undef
2012-08-10 11:37:01 +02:00
Dietmar Maurer
8cebfa6f27
use extra zone for physical devices
2012-08-10 11:05:07 +02:00
Dietmar Maurer
a8195f4f42
use shell variables for zones
2012-08-09 11:57:20 +02:00
Dietmar Maurer
78db587271
add comments to generated rules file
2012-08-09 11:19:49 +02:00
Dietmar Maurer
9aab3127bd
read in shorewall macros
2012-08-09 11:14:11 +02:00
Dietmar Maurer
3554436047
rename firewall setup script to 'pvefw'
2012-08-07 14:21:12 +02:00
Dietmar Maurer
80bfe1ffd8
use real vm configs, and write to /etc/shorewall
2012-08-07 14:19:56 +02:00
Dietmar Maurer
026a646624
generate maclist
2012-08-06 14:34:40 +02:00
Dietmar Maurer
f6846fbfa9
add original zone names as comments
2012-08-06 12:41:38 +02:00
Dietmar Maurer
dddd941398
compile simple rules
2012-08-06 12:15:48 +02:00
Dietmar Maurer
35081236f3
code cleanup
2012-08-06 10:29:33 +02:00
Dietmar Maurer
f789653a8b
write real files
...
And use short zone names
2012-08-06 10:10:45 +02:00
Dietmar Maurer
886aba9c18
generate example zone and interfaces file
2012-08-03 12:33:20 +02:00
Dietmar Maurer
b6360c3ff4
start example code
2012-08-03 11:19:45 +02:00
Dietmar Maurer
3e66fc0db0
add config dir to store firewall configuration examples
2012-08-03 11:00:06 +02:00
Dietmar Maurer
6ef37bfd64
add README
2012-08-03 10:57:47 +02:00