followup: fix acronym cases, and some wording additions

also try to link to an already stated example, not to repeat it.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2019-03-26 09:13:12 +01:00
parent afde3bac8c
commit 3f41b2c586


@ -410,62 +410,66 @@ Default firewall rules
The following traffic is filtered by the default firewall configuration: The following traffic is filtered by the default firewall configuration:
Datacenter incomming/outgoing DROP/REJECT Datacenter incoming/outgoing DROP/REJECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If the input/output policy for the firewall is set to DROP/REJECT, the following If the input or output policy for the firewall is set to DROP or REJECT, the
traffic is still allowed for the host: following traffic is still allowed for all {pve} hosts in the cluster:
* traffic over the loopback interface * traffic over the loopback interface
* already established connections * already established connections
* traffic using the igmp protocol * traffic using the IGMP protocol
* tcp traffic from management hosts to port 8006 in order to allow access to * TCP traffic from management hosts to port 8006 in order to allow access to
the web interface the web interface
* tcp traffic from management hosts to the port range 5900 to 5999 allowing * TCP traffic from management hosts to the port range 5900 to 5999 allowing
traffic for the VNC web console traffic for the VNC web console
* tcp traffic from management hosts to port 3128 for connections to the SPICE * TCP traffic from management hosts to port 3128 for connections to the SPICE
proxy proxy
* tcp traffic from management hosts to port 22 to allow ssh access * TCP traffic from management hosts to port 22 to allow ssh access
* udp traffic in the cluster network to port 5404 and 5405 for corosync * UDP traffic in the cluster network to port 5404 and 5405 for corosync
* udp multicast traffic in the cluster network * UDP multicast traffic in the cluster network
* icmp traffic type 3,4 or 11 * ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
(Time Exceeded)
The following traffic is dropped, but not logged even with logging enabled: The following traffic is dropped, but not logged even with logging enabled:
* tcp connections with invalid connection state * TCP connections with invalid connection state
* Broad-, multi- and anycast traffic not related to corosync * Broadcast, multicast and anycast traffic not related to corosync, i.e., not
* tcp traffic to port 43 coming through port 5404 or 5405
* udp traffic to ports 135 and 445 * TCP traffic to port 43
* udp traffic to the port range 137 to 139 * UDP traffic to ports 135 and 445
* udp traffic form source port 137 to port range 1024 to 65535 * UDP traffic to the port range 137 to 139
* udp traffic to port 1900 * UDP traffic form source port 137 to port range 1024 to 65535
* tcp traffic to port 135, 139 and 445 * UDP traffic to port 1900
* udp traffic originating from source port 53 * TCP traffic to port 135, 139 and 445
* UDP traffic originating from source port 53
The rest of the traffic is dropped/rejected and logged. The rest of the traffic is dropped or rejected, respectively, and also logged.
This may vary depending on the additional options enabled in This may vary depending on the additional options enabled in
*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering. *Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.
Please inspect the output of [[pve_firewall_iptables_inspect]]
Please inspect the output of the
----
# iptables-save # iptables-save
----
to see the firewall chains and rules active on your system. system command to see the firewall chains and rules active on your system.
This output is also included in a `System Report`, accessible over a node's
subscription tab in the web GUI, or through the `pvereport` command line tool.
VM/CT incomming/outgoing DROP/REJECT VM/CT incoming/outgoing DROP/REJECT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This drops/rejects all the traffic to the VMs, with some exceptions for DHCP, NDP, This drops or rejects all the traffic to the VMs, with some exceptions for
Router Advertisement, MAC and IP filtering depending on the set configuration. DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
The same rules for dropping/rejecting packets are inherited from the datacenter, configuration. The same rules for dropping/rejecting packets are inherited
while the exceptions for accepted incomming/outgoing traffic of the host do not from the datacenter, while the exceptions for accepted incomming/outgoing
apply. traffic of the host do not apply.
Again, please inspect the output of Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
to inspect all rules and chains applied.
# iptables-save
to see in detail the firewall chains and rules active for the VMs/CTs.
Logging of firewall rules Logging of firewall rules
------------------------- -------------------------
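Review bot: Two typos survive on the new side of this hunk even though the commit sets out to fix wording: "UDP traffic form source port 137 to port range 1024 to 65535" still reads "form" instead of "from", and the VM/CT paragraph still says "exceptions for accepted incomming/outgoing traffic of the host do not apply" while the heading on the same hunk was corrected to "incoming". For consistency with the "DROP or REJECT" rewording above, "The same rules for dropping/rejecting packets are inherited" could become "dropping or rejecting". Since the commit is about acronym case, "port 22 to allow ssh access" should probably read "SSH access", and in "ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11 (Time Exceeded)" the type 4 name would be clearer as the standard message name "Source Quench", matching the capitalisation of the other two. The new `[[pve_firewall_iptables_inspect]]` anchor and the `xref:pve_firewall_iptables_inspect[...]` link in the VM/CT section do match, so the de-duplication of the iptables-save example looks correct.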
@ -488,7 +492,7 @@ post-processing.
[width="25%", options="header"] [width="25%", options="header"]
|=================== |===================
| loglevel | LOGID | loglevel | LOGID
| nolog | no log | nolog | --
| emerg | 0 | emerg | 0
| alert | 1 | alert | 1
| crit | 2 | crit | 2
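Review bot: Changing the `nolog` row's LOGID from "no log" to "--" removes the only explanation of what that cell means; a reader scanning the table may take "--" for a literal identifier. Consider a short sentence before the table (or a table footnote) stating that `nolog` produces no log entry and therefore has no LOGID, so the placeholder is unambiguous.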