mirror of
https://git.proxmox.com/git/pve-docs
synced 2025-04-28 22:36:18 +00:00
followup: fix acronym cases, and some wording additions
also try to link to an already stated example, not to repeat it. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
Thomas Lamprecht
parent
afde3bac8c
commit
3f41b2c586
@ -410,62 +410,66 @@ Default firewall rules
|
||||
|
||||
The following traffic is filtered by the default firewall configuration:
|
||||
|
||||
Datacenter incomming/outgoing DROP/REJECT
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
Datacenter incoming/outgoing DROP/REJECT
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
If the input/output policy for the firewall is set to DROP/REJECT, the following
|
||||
traffic is still allowed for the host:
|
||||
If the input or output policy for the firewall is set to DROP or REJECT, the
|
||||
following traffic is still allowed for all {pve} hosts in the cluster:
|
||||
|
||||
* traffic over the loopback interface
|
||||
* already established connections
|
||||
* traffic using the igmp protocol
|
||||
* tcp traffic from management hosts to port 8006 in order to allow access to
|
||||
the web interface
|
||||
* tcp traffic from management hosts to the port range 5900 to 5999 allowing
|
||||
traffic for the VNC web console
|
||||
* tcp traffic from management hosts to port 3128 for connections to the SPICE
|
||||
proxy
|
||||
* tcp traffic from management hosts to port 22 to allow ssh access
|
||||
* udp traffic in the cluster network to port 5404 and 5405 for corosync
|
||||
* udp multicast traffic in the cluster network
|
||||
* icmp traffic type 3,4 or 11
|
||||
* traffic using the IGMP protocol
|
||||
* TCP traffic from management hosts to port 8006 in order to allow access to
|
||||
the web interface
|
||||
* TCP traffic from management hosts to the port range 5900 to 5999 allowing
|
||||
traffic for the VNC web console
|
||||
* TCP traffic from management hosts to port 3128 for connections to the SPICE
|
||||
proxy
|
||||
* TCP traffic from management hosts to port 22 to allow ssh access
|
||||
* UDP traffic in the cluster network to port 5404 and 5405 for corosync
|
||||
* UDP multicast traffic in the cluster network
|
||||
* ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
|
||||
(Time Exceeded)
|
||||
|
||||
The following traffic is dropped, but not logged even with logging enabled:
|
||||
|
||||
* tcp connections with invalid connection state
|
||||
* Broad-, multi- and anycast traffic not related to corosync
|
||||
* tcp traffic to port 43
|
||||
* udp traffic to ports 135 and 445
|
||||
* udp traffic to the port range 137 to 139
|
||||
* udp traffic form source port 137 to port range 1024 to 65535
|
||||
* udp traffic to port 1900
|
||||
* tcp traffic to port 135, 139 and 445
|
||||
* udp traffic originating from source port 53
|
||||
* TCP connections with invalid connection state
|
||||
* Broadcast, multicast and anycast traffic not related to corosync, i.e., not
|
||||
coming through port 5404 or 5405
|
||||
* TCP traffic to port 43
|
||||
* UDP traffic to ports 135 and 445
|
||||
* UDP traffic to the port range 137 to 139
|
||||
* UDP traffic form source port 137 to port range 1024 to 65535
|
||||
* UDP traffic to port 1900
|
||||
* TCP traffic to port 135, 139 and 445
|
||||
* UDP traffic originating from source port 53
|
||||
|
||||
The rest of the traffic is dropped/rejected and logged.
|
||||
The rest of the traffic is dropped or rejected, respectively, and also logged.
|
||||
This may vary depending on the additional options enabled in
|
||||
*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.
|
||||
|
||||
Please inspect the output of
|
||||
[[pve_firewall_iptables_inspect]]
|
||||
Please inspect the output of the
|
||||
|
||||
----
|
||||
# iptables-save
|
||||
----
|
||||
|
||||
to see the firewall chains and rules active on your system.
|
||||
system command to see the firewall chains and rules active on your system.
|
||||
This output is also included in a `System Report`, accessible over a node's
|
||||
subscription tab in the web GUI, or through the `pvereport` command line tool.
|
||||
|
||||
VM/CT incomming/outgoing DROP/REJECT
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
VM/CT incoming/outgoing DROP/REJECT
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This drops/rejects all the traffic to the VMs, with some exceptions for DHCP, NDP,
|
||||
Router Advertisement, MAC and IP filtering depending on the set configuration.
|
||||
The same rules for dropping/rejecting packets are inherited from the datacenter,
|
||||
while the exceptions for accepted incomming/outgoing traffic of the host do not
|
||||
apply.
|
||||
This drops or rejects all the traffic to the VMs, with some exceptions for
|
||||
DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
|
||||
configuration. The same rules for dropping/rejecting packets are inherited
|
||||
from the datacenter, while the exceptions for accepted incomming/outgoing
|
||||
traffic of the host do not apply.
|
||||
|
||||
Again, please inspect the output of
|
||||
|
||||
# iptables-save
|
||||
|
||||
to see in detail the firewall chains and rules active for the VMs/CTs.
|
||||
Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
|
||||
to inspect all rules and chains applied.
|
||||
|
||||
Logging of firewall rules
|
||||
-------------------------
|
||||
@ -488,7 +492,7 @@ post-processing.
|
||||
[width="25%", options="header"]
|
||||
|===================
|
||||
| loglevel | LOGID
|
||||
| nolog | no log
|
||||
| nolog | --
|
||||
| emerg | 0
|
||||
| alert | 1
|
||||
| crit | 2
|
||||
|
||||
Loading…
Reference in New Issue
Block a user