
followup: fix acronym cases, and some wording additions

also try to link to an already stated example, not to repeat it.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
stable-5
Thomas Lamprecht 7 months ago
parent
commit
3f41b2c586
1 changed files with 45 additions and 41 deletions
pve-firewall.adoc

@@ -410,62 +410,66 @@ Default firewall rules

The following traffic is filtered by the default firewall configuration:

Datacenter incomming/outgoing DROP/REJECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Datacenter incoming/outgoing DROP/REJECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If the input/output policy for the firewall is set to DROP/REJECT, the following
traffic is still allowed for the host:
If the input or output policy for the firewall is set to DROP or REJECT, the
following traffic is still allowed for all {pve} hosts in the cluster:

* traffic over the loopback interface
* already established connections
* traffic using the igmp protocol
* tcp traffic from management hosts to port 8006 in order to allow access to
the web interface
* tcp traffic from management hosts to the port range 5900 to 5999 allowing
traffic for the VNC web console
* tcp traffic from management hosts to port 3128 for connections to the SPICE
proxy
* tcp traffic from management hosts to port 22 to allow ssh access
* udp traffic in the cluster network to port 5404 and 5405 for corosync
* udp multicast traffic in the cluster network
* icmp traffic type 3,4 or 11
* traffic using the IGMP protocol
* TCP traffic from management hosts to port 8006 in order to allow access to
the web interface
* TCP traffic from management hosts to the port range 5900 to 5999 allowing
traffic for the VNC web console
* TCP traffic from management hosts to port 3128 for connections to the SPICE
proxy
* TCP traffic from management hosts to port 22 to allow ssh access
* UDP traffic in the cluster network to port 5404 and 5405 for corosync
* UDP multicast traffic in the cluster network
* ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
(Time Exceeded)

The following traffic is dropped, but not logged even with logging enabled:

* tcp connections with invalid connection state
* Broad-, multi- and anycast traffic not related to corosync
* tcp traffic to port 43
* udp traffic to ports 135 and 445
* udp traffic to the port range 137 to 139
* udp traffic form source port 137 to port range 1024 to 65535
* udp traffic to port 1900
* tcp traffic to port 135, 139 and 445
* udp traffic originating from source port 53

The rest of the traffic is dropped/rejected and logged.
* TCP connections with invalid connection state
* Broadcast, multicast and anycast traffic not related to corosync, i.e., not
coming through port 5404 or 5405
* TCP traffic to port 43
* UDP traffic to ports 135 and 445
* UDP traffic to the port range 137 to 139
* UDP traffic form source port 137 to port range 1024 to 65535
* UDP traffic to port 1900
* TCP traffic to port 135, 139 and 445
* UDP traffic originating from source port 53

The rest of the traffic is dropped or rejected, respectively, and also logged.
This may vary depending on the additional options enabled in
*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.

Please inspect the output of
[[pve_firewall_iptables_inspect]]
Please inspect the output of the

----
# iptables-save
----

to see the firewall chains and rules active on your system.

VM/CT incomming/outgoing DROP/REJECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This drops/rejects all the traffic to the VMs, with some exceptions for DHCP, NDP,
Router Advertisement, MAC and IP filtering depending on the set configuration.
The same rules for dropping/rejecting packets are inherited from the datacenter,
while the exceptions for accepted incomming/outgoing traffic of the host do not
apply.
system command to see the firewall chains and rules active on your system.
This output is also included in a `System Report`, accessible over a node's
subscription tab in the web GUI, or through the `pvereport` command line tool.

Again, please inspect the output of
VM/CT incoming/outgoing DROP/REJECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# iptables-save
This drops or rejects all the traffic to the VMs, with some exceptions for
DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
configuration. The same rules for dropping/rejecting packets are inherited
from the datacenter, while the exceptions for accepted incomming/outgoing
traffic of the host do not apply.

to see in detail the firewall chains and rules active for the VMs/CTs.
Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
to inspect all rules and chains applied.

Logging of firewall rules
-------------------------
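Review bot: two typos survive the case cleanup in this hunk: the bullet "UDP traffic form source port 137 to port range 1024 to 65535" still reads "form" instead of "from", and the VM/CT paragraph still says "accepted incomming/outgoing traffic of the host" although both section titles were corrected to "incoming". Since this commit is about fixing acronym cases, "ssh" in "TCP traffic from management hosts to port 22 to allow ssh access" should become "SSH" too, and the ICMP bullet mixes the title-case type names "(Destination Unreachable)" and "(Time Exceeded)" with the lowercase description "(congestion control)" for type 4; pick one style for all three. Minor grammar: "to port 5404 and 5405 for corosync" reads better as "to ports 5404 and 5405".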
@@ -488,7 +492,7 @@ post-processing.
[width="25%", options="header"]
|===================
| loglevel | LOGID
| nolog | no log
| nolog | --
| emerg | 0
| alert | 1
| crit | 2
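Review bot: replacing "no log" with "--" in the LOGID column leaves the meaning of that cell implicit; a reader scanning the table cannot tell whether the dash means "no log entry is written at all" or "no identifier". Either keep a short text such as "none" or add one sentence before the table stating that the nolog level suppresses logging entirely and therefore has no LOGID. Also check how the surrounding "| --" renders, since AsciiDoc turns a spaced double hyphen into a dash character.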
