mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-01-06 17:17:59 +03:00

Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from:

 /etc/pve/firewall/<VMID>.fw

Cluster-wide rules and security groups are read from:

 /etc/pve/firewall/cluster.fw

Host firewall rules are read from:

 /etc/pve/local/host.fw

You can find examples in the example/ dir


Use the following commands to manage the firewall:

To test the firewall configuration:

./pvefw compile

To start or update the firewall:

./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

./pvefw update

To stop the firewall:

./pvefw stop


Implementation details
======================

We write iptables rules directly and generate the following chains
as entry points in the 'filter' table:

PVEFW-INPUT
PVEFW-OUTPUT
PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* TYPE: IN|OUT|GROUP
* ACTION: action or macro
* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: dest IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

A rule for inbound traffic looks like this:

IN SSH(ACCEPT) net0

Outbound rules look like:

OUT SSH(ACCEPT)
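The positional rule format above (TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT, with '-' meaning "any") is small enough to parse by hand. The following is an added example, not code from pve-firewall itself: it reads the [RULES] section of a constructed <VMID>.fw file, validates each field the way the list above describes (TYPE in IN|OUT|GROUP, IFACE net0 - net5, addresses that actually parse, ports only together with a protocol), expands the MACRO(ACTION) syntax, and renders a simplified iptables match. The macro table (SSH = tcp/22, HTTP = tcp/80, DNS = udp/53), the handling of GROUP lines and the iptables rendering are assumptions made for the demonstration; the project's real macro list and generated chains are not modelled here.

```python
"""Parser for the [RULES] section of a pve-firewall <VMID>.fw file.

Added example; not code from pve-firewall itself.  Follows the README's
positional format TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT, where
'-' or a missing trailing field means "any".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for the demo: a tiny macro table.  The real project ships many
# more macros; only the MACRO(ACTION) syntax is taken from the README.
MACROS = {"SSH": ("tcp", "22"), "HTTP": ("tcp", "80"), "DNS": ("udp", "53")}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}
TYPES = {"IN", "OUT", "GROUP"}
IFACE_RE = re.compile(r"^net[0-5]$")                  # net0 - net5 per README
MACRO_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)\((ACCEPT|DROP|REJECT)\)$")
PORT_RE = re.compile(r"^\d+(:\d+)?(,\d+(:\d+)?)*$")   # 22 | 1000:2000 | 80,443


@dataclass
class Rule:
    kind: str                 # IN | OUT | GROUP
    action: str               # ACCEPT/DROP/REJECT, or the group name for GROUP
    macro: Optional[str]
    iface: Optional[str]
    source: Optional[str]
    dest: Optional[str]
    proto: Optional[str]
    dport: Optional[str]
    sport: Optional[str]


def _field(fields: List[str], idx: int) -> Optional[str]:
    """Return positional field idx, or None for a missing field or '-'."""
    if idx >= len(fields) or fields[idx] == "-":
        return None
    return fields[idx]


def parse_rule(line: str) -> Rule:
    """Parse one rule line; raise ValueError on anything malformed."""
    fields = line.split()
    if not 2 <= len(fields) <= 8:
        raise ValueError(f"expected 2 to 8 fields: {line!r}")
    kind = fields[0]
    if kind not in TYPES:
        raise ValueError(f"bad TYPE {kind!r}")
    macro = None
    m = MACRO_RE.match(fields[1])
    if kind == "GROUP":
        # Assumption: a GROUP line names a security group from cluster.fw in
        # the ACTION position; we keep the name and do not expand it here.
        action = fields[1]
    elif m:
        macro, action = m.group(1), m.group(2)
        if macro not in MACROS:
            raise ValueError(f"unknown macro {macro!r}")
    elif fields[1] in ACTIONS:
        action = fields[1]
    else:
        raise ValueError(f"bad ACTION {fields[1]!r}")

    iface = _field(fields, 2)
    if iface is not None and not IFACE_RE.match(iface):
        raise ValueError(f"bad IFACE {iface!r}")
    source, dest = _field(fields, 3), _field(fields, 4)
    for addr in (source, dest):
        if addr is not None:
            ipaddress.ip_network(addr, strict=False)    # ValueError on junk
    proto, dport, sport = _field(fields, 5), _field(fields, 6), _field(fields, 7)
    if macro is not None:
        # An explicit PROTO or D-PORT on the line wins over the macro default.
        proto = proto or MACROS[macro][0]
        dport = dport or MACROS[macro][1]
    for port in (dport, sport):
        if port is not None and not PORT_RE.match(port):
            raise ValueError(f"bad port spec {port!r}")
    if (dport or sport) and proto is None:
        raise ValueError("a port match needs an explicit PROTO")
    return Rule(kind, action, macro, iface, source, dest, proto, dport, sport)


def parse_fw(text: str) -> List[Rule]:
    """Return the rules of the [RULES] section; other sections are skipped."""
    rules: List[Rule] = []
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments, blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section == "RULES":
            rules.append(parse_rule(line))
    return rules


def rule_error(line: str) -> Optional[str]:
    """Validation helper: the error message for a bad line, None if it parses."""
    try:
        parse_rule(line)
    except ValueError as exc:
        return str(exc)
    return None


def to_iptables_match(rule: Rule) -> str:
    """Render a rule as iptables match arguments (simplified illustration;
    the real project emits per-interface chains and physdev matches)."""
    parts: List[str] = []
    if rule.source:
        parts += ["-s", rule.source]
    if rule.dest:
        parts += ["-d", rule.dest]
    if rule.proto:
        parts += ["-p", rule.proto]
    for flag, port in (("--sport", rule.sport), ("--dport", rule.dport)):
        if port and "," in port:
            parts += ["-m", "multiport", flag + "s", port]
        elif port:
            parts += [flag, port]
    parts += ["-j", rule.action]
    return " ".join(parts)


# Constructed sample of /etc/pve/firewall/<VMID>.fw for this example.
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[RULES]
# macro supplies tcp/22 on net0
IN SSH(ACCEPT) net0
# explicit protocol and port, one source network
IN ACCEPT net0 10.0.0.0/24 - tcp 443
# all interfaces, any destination
OUT SSH(ACCEPT)
# drop one host on every interface
IN DROP - 192.168.1.5
"""

if __name__ == "__main__":
    for r in parse_fw(SAMPLE_FW):
        print(f"{r.kind:<5} {to_iptables_match(r)}")
```

Running the module prints one rendered line per rule; `rule_error()` is the hook to validate a file before handing it to `pvefw compile`, and it rejects the two mistakes that are easiest to make in this format: an interface outside net0 - net5, and a port given without a protocol.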

Problems
========

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

  * when a packet being sent through a bridge entered the firewall on 
    another interface and was being forwarded to the bridge.

  * when a packet originating on the firewall itself is being sent through 
    a bridge.

We use a second bridge for each firewalled interface to avoid the above problem:

eth0-->vmbr0<--tapXiY (non firewalled tap)
            <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)