mirror of
https://git.proxmox.com/git/pve-docs
synced 2025-04-29 21:32:45 +00:00
followup: fix acronym cases, and some wording additions
also try to link to an already stated example, not to repeat it.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This commit is contained in:
parent
afde3bac8c
commit
3f41b2c586
@ -410,62 +410,66 @@ Default firewall rules
|
|||||||
|
|
||||||
The following traffic is filtered by the default firewall configuration:
|
The following traffic is filtered by the default firewall configuration:
|
||||||
|
|
||||||
Datacenter incomming/outgoing DROP/REJECT
|
Datacenter incoming/outgoing DROP/REJECT
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
If the input/output policy for the firewall is set to DROP/REJECT, the following
|
If the input or output policy for the firewall is set to DROP or REJECT, the
|
||||||
traffic is still allowed for the host:
|
following traffic is still allowed for all {pve} hosts in the cluster:
|
||||||
|
|
||||||
* traffic over the loopback interface
|
* traffic over the loopback interface
|
||||||
* already established connections
|
* already established connections
|
||||||
* traffic using the igmp protocol
|
* traffic using the IGMP protocol
|
||||||
* tcp traffic from management hosts to port 8006 in order to allow access to
|
* TCP traffic from management hosts to port 8006 in order to allow access to
|
||||||
the web interface
|
the web interface
|
||||||
* tcp traffic from management hosts to the port range 5900 to 5999 allowing
|
* TCP traffic from management hosts to the port range 5900 to 5999 allowing
|
||||||
traffic for the VNC web console
|
traffic for the VNC web console
|
||||||
* tcp traffic from management hosts to port 3128 for connections to the SPICE
|
* TCP traffic from management hosts to port 3128 for connections to the SPICE
|
||||||
proxy
|
proxy
|
||||||
* tcp traffic from management hosts to port 22 to allow ssh access
|
* TCP traffic from management hosts to port 22 to allow ssh access
|
||||||
* udp traffic in the cluster network to port 5404 and 5405 for corosync
|
* UDP traffic in the cluster network to port 5404 and 5405 for corosync
|
||||||
* udp multicast traffic in the cluster network
|
* UDP multicast traffic in the cluster network
|
||||||
* icmp traffic type 3,4 or 11
|
* ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11
|
||||||
|
(Time Exceeded)
|
||||||
|
|
||||||
The following traffic is dropped, but not logged even with logging enabled:
|
The following traffic is dropped, but not logged even with logging enabled:
|
||||||
|
|
||||||
* tcp connections with invalid connection state
|
* TCP connections with invalid connection state
|
||||||
* Broad-, multi- and anycast traffic not related to corosync
|
* Broadcast, multicast and anycast traffic not related to corosync, i.e., not
|
||||||
* tcp traffic to port 43
|
coming through port 5404 or 5405
|
||||||
* udp traffic to ports 135 and 445
|
* TCP traffic to port 43
|
||||||
* udp traffic to the port range 137 to 139
|
* UDP traffic to ports 135 and 445
|
||||||
* udp traffic form source port 137 to port range 1024 to 65535
|
* UDP traffic to the port range 137 to 139
|
||||||
* udp traffic to port 1900
|
* UDP traffic form source port 137 to port range 1024 to 65535
|
||||||
* tcp traffic to port 135, 139 and 445
|
* UDP traffic to port 1900
|
||||||
* udp traffic originating from source port 53
|
* TCP traffic to port 135, 139 and 445
|
||||||
|
* UDP traffic originating from source port 53
|
||||||
|
|
||||||
The rest of the traffic is dropped/rejected and logged.
|
The rest of the traffic is dropped or rejected, respectively, and also logged.
|
||||||
This may vary depending on the additional options enabled in
|
This may vary depending on the additional options enabled in
|
||||||
*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.
|
*Firewall* -> *Options*, such as NDP, SMURFS and TCP flag filtering.
|
||||||
|
|
||||||
Please inspect the output of
|
[[pve_firewall_iptables_inspect]]
|
||||||
|
Please inspect the output of the
|
||||||
|
|
||||||
|
----
|
||||||
# iptables-save
|
# iptables-save
|
||||||
|
----
|
||||||
|
|
||||||
to see the firewall chains and rules active on your system.
|
system command to see the firewall chains and rules active on your system.
|
||||||
|
This output is also included in a `System Report`, accessible over a node's
|
||||||
|
subscription tab in the web GUI, or through the `pvereport` command line tool.
|
||||||
|
|
||||||
VM/CT incomming/outgoing DROP/REJECT
|
VM/CT incoming/outgoing DROP/REJECT
|
||||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
This drops/rejects all the traffic to the VMs, with some exceptions for DHCP, NDP,
|
This drops or rejects all the traffic to the VMs, with some exceptions for
|
||||||
Router Advertisement, MAC and IP filtering depending on the set configuration.
|
DHCP, NDP, Router Advertisement, MAC and IP filtering depending on the set
|
||||||
The same rules for dropping/rejecting packets are inherited from the datacenter,
|
configuration. The same rules for dropping/rejecting packets are inherited
|
||||||
while the exceptions for accepted incomming/outgoing traffic of the host do not
|
from the datacenter, while the exceptions for accepted incomming/outgoing
|
||||||
apply.
|
traffic of the host do not apply.
|
||||||
|
|
||||||
Again, please inspect the output of
|
Again, you can use xref:pve_firewall_iptables_inspect[iptables-save (see above)]
|
||||||
|
to inspect all rules and chains applied.
|
||||||
# iptables-save
|
|
||||||
|
|
||||||
to see in detail the firewall chains and rules active for the VMs/CTs.
|
|
||||||
|
|
||||||
Logging of firewall rules
|
Logging of firewall rules
|
||||||
-------------------------
|
-------------------------
|
||||||
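Review bot: two typos survive on the new side of this hunk: `UDP traffic form source port 137 to port range 1024 to 65535` should read `from`, and `exceptions for accepted incomming/outgoing traffic of the host do not apply` should read `incoming`, matching the heading fix `VM/CT incoming/outgoing DROP/REJECT` a few lines above it. Since the commit's stated purpose is fixing acronym cases, `TCP traffic from management hosts to port 22 to allow ssh access` should also say `SSH`. In the ICMP line, types 3 and 11 get their RFC names in Title Case (`Destination Unreachable`, `Time Exceeded`) while type 4 is described as `(congestion control)`; the RFC 792 name for type 4 is Source Quench (deprecated by RFC 6633), so either use that name for consistency or describe all three in the same lowercase style. The new `[[pve_firewall_iptables_inspect]]` anchor is placed directly above the `Please inspect the output of the` paragraph, which is the right spot for the `xref:` added further down.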
@ -488,7 +492,7 @@ post-processing.
|
|||||||
[width="25%", options="header"]
|
[width="25%", options="header"]
|
||||||
|===================
|
|===================
|
||||||
| loglevel | LOGID
|
| loglevel | LOGID
|
||||||
| nolog | no log
|
| nolog | --
|
||||||
| emerg | 0
|
| emerg | 0
|
||||||
| alert | 1
|
| alert | 1
|
||||||
| crit | 2
|
| crit | 2
|
||||||
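Review bot: replacing `no log` with `--` in the `nolog` row removes the only hint of what that level means; a reader of the rendered table cannot tell whether `nolog` emits no log line at all or merely carries no LOGID, and AsciiDoc may turn the bare `--` into a dash that reads as an empty cell. Suggest keeping a short value such as `no log` in the cell, or adding a one-line note under the table stating that `nolog` disables logging for the rule.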