Firewall¶
List Rules¶
qvm-firewall
Utility¶
List rules of VM:
$ qvm-firewall <vm> NO ACTION HOST PROTOCOL PORT(S) SPECIAL TARGET ICMP TYPE COMMENT 0 drop 10.0.0.0/8 - - - - private address 1 drop 169.254.0.0/16 - - - - private address 2 drop 172.16.0.0/12 - - - - link local 3 drop 192.168.0.0/16 - - - - private address 4 drop fc00::/8 - - - - site local 5 drop fd00::/8 - - - - unique site local 6 drop fe80::/10 - - - - link local 7 accept - tcp - - - - 8 drop - - - - - -
Changing Rules¶
Available Rules¶
Name |
Example(s) |
Description |
action |
|
Drop or accept packages matching entry |
comment |
|
Comment added to the entry |
dsthost |
|
IPv4, IPv6, CIDR |
dstports |
|
Range of ports |
proto |
|
Network protocol |
specialtarget |
|
Special targets. |
Examples¶
Disallow local networks:
# remove existing rules
qvm-firewall <vm> reset
qvm-firewall <vm> del --rule-no 0 # remove default accept rule
# add custom rules
qvm-firewall <vm> add action=drop dsthost=10.0.0.0/8 comment="private address"
qvm-firewall <vm> add action=drop dsthost=169.254.0.0/16 comment="private address"
qvm-firewall <vm> add action=drop dsthost=172.16.0.0/12 comment="link local"
qvm-firewall <vm> add action=drop dsthost=192.168.0.0/16 comment="private address"
qvm-firewall <vm> add action=drop dsthost=fc00::/8 comment="site local"
qvm-firewall <vm> add action=drop dsthost=fd00::/8 comment="unique site local"
qvm-firewall <vm> add action=drop dsthost=fe80::/10 comment="link local"
qvm-firewall <vm> add action=accept
Only allow connections to given IPs using UDP:
# remove existing rules
qvm-firewall <vm> reset
qvm-firewall <vm> del --rule-no 0 # remove default accept rule
qvm-firewall <vm> add dsthost=1234:abcd::1/128 proto=udp action=accept
qvm-firewall <vm> add dsthost=1.2.3.4 proto=udp action=accept