mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-01-21 22:03:52 +03:00
Thomas Lamprecht bbf77725f2 bump version to 3.0-20
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
2019-04-19 05:11:27 +00:00

Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from:

  /etc/pve/firewall/<VMID>.fw

Cluster wide rules and security groups are read from:

  /etc/pve/firewall/cluster.fw

Host firewall rules are read from:

  /etc/pve/local/host.fw

You can find examples in the example/ dir


Use the following commands to manage the firewall:

To test the firewall configuration:

./pvefw compile

To start or update the firewall:

./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

./pvefw update

To stop the firewall:

./pvefw stop


Implementation details
======================

We write iptables rules directly, and generate the following chains
as entry points in the 'forward' table:

PVEFW-INPUT
PVEFW-OUTPUT
PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in 

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* TYPE: IN|OUT|GROUP 
* ACTION: action or macro
* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: dest IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

A rule for inbound traffic looks like this:

IN SSH(ACCEPT) net0

Outbound rules look like:

OUT SSH(ACCEPT)
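As an added illustration (not code from pve-firewall itself), the following Python parser reads the [RULES] section in the format described above, validating TYPE, the ACTION/macro syntax and the net0-net5 interface names, and treating '-' or omitted trailing fields as "any". The sample file content is constructed for this example.

```python
import re

# Field order from the README: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT
FIELDS = ("type", "action", "iface", "source", "dest", "proto", "dport", "sport")
# ACTION is a plain action (ACCEPT) or a macro carrying one, e.g. SSH(ACCEPT)
ACTION_RE = re.compile(r"^(?:(?P<macro>\w+)\((?P<action>[A-Z]+)\)|(?P<plain>[A-Z]+))$")
IFACE_RE = re.compile(r"^net[0-5]$")  # vm network interface net0 - net5

def parse_rule(line: str) -> dict:
    """Parse one [RULES] line; '-' and omitted trailing fields mean 'any' (None)."""
    parts = line.split()
    if not 2 <= len(parts) <= len(FIELDS):
        raise ValueError(f"expected 2..{len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rtype = parts[0].upper()
    if rtype not in ("IN", "OUT", "GROUP"):
        raise ValueError(f"unknown rule type {parts[0]!r}")
    m = ACTION_RE.match(parts[1])
    if not m:
        raise ValueError(f"malformed action {parts[1]!r}")
    rule = dict.fromkeys(FIELDS)
    rule.update(type=rtype, action=m.group("action") or m.group("plain"), macro=m.group("macro"))
    for name, value in zip(FIELDS[2:], parts[2:]):
        if value == "-":
            continue  # explicit wildcard, leave as None
        if name == "iface" and not IFACE_RE.match(value):
            raise ValueError(f"bad interface {value!r}: expected net0-net5 or '-'")
        rule[name] = value
    return rule

def parse_rules_section(text: str) -> list:
    """Return the parsed rules from the [RULES] section of a <VMID>.fw file."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rules = line.upper() == "[RULES]"
            continue
        if in_rules:
            rules.append(parse_rule(line))
    return rules

# Constructed sample file (not taken from the project's example/ dir).
SAMPLE_FW = """\
[RULES]
IN SSH(ACCEPT) net0
OUT SSH(ACCEPT)
IN ACCEPT net1 - 10.0.0.5 tcp 443
"""
```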

Problems
========

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

  * when a packet being sent through a bridge entered the firewall on 
    another interface and was being forwarded to the bridge.

  * when a packet originating on the firewall itself is being sent through 
    a bridge.

We use a second bridge for each interface to avoid the above problem.

eth0-->vmbr0<--tapXiY (non firewalled tap)
            <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)