Firewall¶

List Rules¶

`qvm-firewall` Utility¶

List rules of VM:

$ qvm-firewall <vm>
NO  ACTION  HOST            PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  COMMENT
0   drop    10.0.0.0/8      -         -        -               -          private address
1   drop    169.254.0.0/16  -         -        -               -          private address
2   drop    172.16.0.0/12   -         -        -               -          link local
3   drop    192.168.0.0/16  -         -        -               -          private address
4   drop    fc00::/8        -         -        -               -          site local
5   drop    fd00::/8        -         -        -               -          unique site local
6   drop    fe80::/10       -         -        -               -          link local
7   accept  -               tcp       -        -               -          -
8   drop    -               -         -        -               -          -

Changing Rules¶

Available Rules¶

Name	Example(s)	Description
action	`accept` or `drop`	Drop or accept packages matching entry
comment	`free text`	Comment added to the entry
dsthost	`158.45.56.88`, `10.0.0.0/8`	IPv4, IPv6, CIDR
dstports	`443-443`, `1200-1400`	Range of ports
proto	`icmp`, `tcp`, `udp`	Network protocol
specialtarget	`dns`	Special targets. `dns` matches the DNS servers defined for a VM.

Examples¶

Disallow local networks:

# remove existing rules
qvm-firewall <vm> reset
qvm-firewall <vm> del --rule-no 0      # remove default accept rule

# add custom rules
qvm-firewall <vm> add action=drop dsthost=10.0.0.0/8 comment="private address"
qvm-firewall <vm> add action=drop dsthost=169.254.0.0/16 comment="private address"
qvm-firewall <vm> add action=drop dsthost=172.16.0.0/12 comment="link local"
qvm-firewall <vm> add action=drop dsthost=192.168.0.0/16 comment="private address"
qvm-firewall <vm> add action=drop dsthost=fc00::/8 comment="site local"
qvm-firewall <vm> add action=drop dsthost=fd00::/8 comment="unique site local"
qvm-firewall <vm> add action=drop dsthost=fe80::/10 comment="link local"
qvm-firewall <vm> add action=accept

Only allow connections to given IPs using UDP:

# remove existing rules
qvm-firewall <vm> reset
qvm-firewall <vm> del --rule-no 0      # remove default accept rule

qvm-firewall <vm> add dsthost=1234:abcd::1/128 proto=udp action=accept
qvm-firewall <vm> add dsthost=1.2.3.4 proto=udp action=accept