mirror of git://git.proxmox.com/git/pve-firewall.git synced 2025-01-09 01:18:04 +03:00
Latest commit: Fabian Grünbichler 9ec74c4432 "build: reformat debian/control using wrap-and-sort -abt" (2017-10-04 11:05:33 +02:00)
example - add ipv6 examples (2014-11-04 11:05:13 +01:00)
changelog - bump version to 3.0-3 (2017-09-12 14:43:13 +02:00)
compat - assemble debian package (2014-03-03 09:42:18 +01:00)
control - build: reformat debian/control (2017-10-04 11:05:33 +02:00)
copyright - assemble debian package (2014-03-03 09:42:18 +01:00)
dirs - add debian/dirs file to install /var/lib/pve-firewall (2014-11-28 11:40:09 +01:00)
docs - add README and example to debian package (2014-04-18 10:50:15 +02:00)
postinst - Fix #1446: allow pve-firewall package install twice in a row (2017-07-17 15:23:35 +02:00)
preinst - fix lintian warning command-with-path-in-maintainer-script (2015-06-27 16:24:58 +02:00)
pve-firewall.default - cleanup firewall service implementation (2014-05-16 10:19:38 +02:00)
pve-firewall.init - use Daemon class from pve-common (2014-12-18 09:41:48 +01:00)
pve-firewall.logrotate - add simple nflog daemon (2014-03-13 13:34:23 +01:00)
pve-firewall.service - pve-firewall.service: WantedBy=multi-user.target (2015-11-27 10:50:42 +01:00)
pve-firewall.triggers - use noawait triggers for pve-api-updates (2015-06-01 12:32:17 +02:00)
pvefw-logger.init - remove cman dependency (2015-02-27 13:05:07 +01:00)
pvefw-logger.service - add PIDFile option for systemd services (2015-03-04 06:51:08 +01:00)
README - remove allow_bridge_route setting (2014-05-06 11:12:21 +02:00)
rules - use systemctl reload-or-restart on update (2016-03-02 08:05:17 +01:00)

Experimental software, only used for testing!
=============================================


Quick Intro
===========

VM firewall rules are read from:

  /etc/pve/firewall/<VMID>.fw

Cluster-wide rules and security groups are read from:

  /etc/pve/firewall/cluster.fw

Host firewall rules are read from:

  /etc/pve/local/host.fw

You can find examples in the example/ directory.


Use the following commands to manage the firewall:

To test the firewall configuration:

./pvefw compile

To start or update the firewall:

./pvefw start

To update the firewall rules (the firewall is not started if it
is not already running):

./pvefw update

To stop the firewall:

./pvefw stop


Implementation details
======================

We write iptables rules directly, and generate the following chains
as entry points in the 'forward' table:

PVEFW-INPUT
PVEFW-OUTPUT
PVEFW-FORWARD

We do not touch other (user defined) chains.

Each VM can have its own firewall definition file in 

/etc/pve/firewall/<VMID>.fw

That file has a section [RULES] to define firewall rules.

Format is: TYPE ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT

* TYPE: IN|OUT|GROUP 
* ACTION: action or macro
* IFACE: vm network interface (net0 - net5), or '-' for all interfaces
* SOURCE: source IP address, or '-' for any source
* DEST: dest IP address, or '-' for any destination address
* PROTO: see /etc/protocols
* D-PORT: destination port
* S-PORT: source port

A rule for inbound traffic looks like this:

IN SSH(ACCEPT) net0

Outbound rules look like:

OUT SSH(ACCEPT)
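
The following parser is an added example for this README, not the
project's own code. It reads the [RULES] section of a <VMID>.fw file and
checks each line against the positional field order given above (TYPE
ACTION IFACE SOURCE DEST PROTO D-PORT S-PORT), with '-' meaning "any" and
ACTION written either bare or as MACRO(ACTION) like SSH(ACCEPT). Everything
beyond that is an assumption of the example: '#' starts a comment, a GROUP
line carries a security group name in the ACTION slot, ports are a single
number or a low:high range, the bare actions are ACCEPT, DROP and REJECT,
and the sample file contents are constructed.

```python
"""Parse the positional VM rule format described in this README.

Added example, not pve-firewall's own parser. Assumptions beyond the text:
'#' starts a comment, a GROUP line names a security group in the ACTION
slot, ports are a number or a low:high range, and the accepted bare
actions are ACCEPT, DROP and REJECT.
"""
import ipaddress
import re

FIELDS = ("type", "action", "iface", "source", "dest", "proto", "dport", "sport")
TYPES = {"IN", "OUT", "GROUP"}
ACTIONS = {"ACCEPT", "DROP", "REJECT"}           # assumed set of bare actions
IFACE_RE = re.compile(r"^net[0-5]$")             # net0 - net5, as the text says
MACRO_RE = re.compile(r"^(\w+)\((ACCEPT|DROP|REJECT)\)$")  # e.g. SSH(ACCEPT)
PORT_RE = re.compile(r"^\d{1,5}(:\d{1,5})?$")    # assumed: single port or range


class RuleError(ValueError):
    """Raised for a line that does not fit the rule format."""


def parse_action(token):
    """Split 'MACRO(ACTION)' or a bare action into (macro, action)."""
    m = MACRO_RE.match(token)
    if m:
        return m.group(1), m.group(2)
    if token in ACTIONS:
        return None, token
    raise RuleError(f"unknown action {token!r}")


def check_address(value):
    """Accept one IPv4/IPv6 address or a CIDR prefix; '-' means any (None)."""
    if value == "-":
        return None
    try:
        return str(ipaddress.ip_network(value, strict=False))
    except ValueError:
        raise RuleError(f"bad address {value!r}") from None


def parse_rule(line):
    """Turn one rule line into a dict; missing trailing fields mean '-' (any)."""
    tokens = line.split()
    if not 2 <= len(tokens) <= len(FIELDS):
        raise RuleError(f"expected 2 to {len(FIELDS)} fields: {line!r}")
    tokens += ["-"] * (len(FIELDS) - len(tokens))
    rule = dict(zip(FIELDS, tokens))
    if rule["type"] not in TYPES:
        raise RuleError(f"unknown type {rule['type']!r}")
    if rule["type"] == "GROUP":
        # Assumption: a GROUP rule references a security group by name.
        return {"type": "GROUP", "group": rule["action"]}
    rule["macro"], rule["action"] = parse_action(rule["action"])
    if rule["iface"] != "-" and not IFACE_RE.match(rule["iface"]):
        raise RuleError(f"bad interface {rule['iface']!r}")
    rule["source"] = check_address(rule["source"])
    rule["dest"] = check_address(rule["dest"])
    for key in ("dport", "sport"):
        if rule[key] != "-" and not PORT_RE.match(rule[key]):
            raise RuleError(f"bad port {rule[key]!r}")
    # Normalise the remaining '-' wildcards to None.
    for key in ("iface", "proto", "dport", "sport"):
        if rule[key] == "-":
            rule[key] = None
    return rule


def parse_fw_file(text):
    """Return the rules in the [RULES] section; other sections are skipped."""
    section, rules = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section == "RULES":
            try:
                rules.append(parse_rule(line))
            except RuleError as err:
                raise RuleError(f"line {lineno}: {err}") from None
    return rules


# Constructed sample file, standing in for /etc/pve/firewall/100.fw.
SAMPLE = """\
[OPTIONS]
enable: 1

[RULES]
IN SSH(ACCEPT) net0                      # macro on one interface
IN ACCEPT net0 192.0.2.10 - tcp 443      # explicit fields, dest = any
IN ACCEPT - 2001:db8::/32 - tcp 22       # IPv6 prefix as source
OUT SSH(ACCEPT)                          # all interfaces, any address
GROUP webserver                          # reference to a security group
"""

if __name__ == "__main__":
    for rule in parse_fw_file(SAMPLE):
        print(rule)
```

Rejecting a malformed address or port at parse time, with the line number
in the error, is what you want from a tool that turns these files into
iptables rules: a typo in a source field should fail loudly rather than
silently widen a rule.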

Problems
========

There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:

  * when a packet being sent through a bridge entered the firewall on 
    another interface and was being forwarded to the bridge.

  * when a packet originating on the firewall itself is being sent through 
    a bridge.

We use a second bridge for each interface to avoid the problem above.

eth0-->vmbr0<--tapXiY (non firewalled tap)
            <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)