2014-11-21 12:30:23 +01:00
|
|
|
.. program:: qvm-firewall
|
2013-03-12 16:55:05 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
:program:`qvm-firewall` -- Manage VM outbound firewall
|
|
|
|
|
======================================================
|
2013-03-12 16:55:05 +01:00
|
|
|
|
2014-11-21 12:30:23 +01:00
|
|
|
Synopsis
|
2016-09-19 17:50:27 +02:00
|
|
|
--------
|
2013-03-12 16:55:05 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* add *RULE*
|
|
|
|
|
:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* del [--rule-no=*RULE_NUMBER*] [*RULE*]
|
|
|
|
|
:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* list [--raw]
|
|
|
|
|
:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* policy {accept,drop}
|
2013-03-12 16:55:05 +01:00
|
|
|
|
2014-11-21 12:30:23 +01:00
|
|
|
Options
|
2016-09-19 17:50:27 +02:00
|
|
|
-------
|
2014-11-21 12:30:23 +01:00
|
|
|
|
|
|
|
|
.. option:: --help, -h
|
|
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
show help message and exit
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
.. option:: --verbose, -v
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
increase verbosity
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
.. option:: --quiet, -q
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
decrease verbosity
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
.. option:: --reload, -r
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
force reloading rules even when unchanged
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
.. option:: --raw
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
Print raw rules when listing
|
2014-11-21 12:30:23 +01:00
|
|
|
|
|
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
Actions description
|
|
|
|
|
-------------------
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
Available actions:
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
* add - add specified rule. See `Rule syntax` section below.
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
* del - delete specified rule. Can be selected either by rule number using
|
|
|
|
|
:option:`--rule-no`, or specifying rule itself.
|
2014-11-21 12:30:23 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
* list - list all the rules for a given VM.
|
2013-03-12 16:55:05 +01:00
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
* policy - set default action if no rule matches.
|
2014-11-21 12:30:23 +01:00
|
|
|
|
|
|
|
|
|
2016-09-19 17:50:27 +02:00
|
|
|
Rule syntax
|
|
|
|
|
-----------
|
|
|
|
|
|
|
|
|
|
A single rule is built from:
|
|
|
|
|
- action - either ``drop`` or ``accept``
|
|
|
|
|
- zero or more matches
|
|
|
|
|
|
|
|
|
|
Selected action is applied on given packet when all specified matches do match,
|
|
|
|
|
further rules are not evaluated. If none of the rules match, default action
|
|
|
|
|
(``policy``) is applied.
|
|
|
|
|
|
|
|
|
|
Supported matches:
|
|
|
|
|
- ``dsthost`` - destination host or network. Can be either IP address in CIDR
|
|
|
|
|
notation, or a host name. Both IPv4 and IPv6 are supported by the rule syntax.
|
|
|
|
|
- ``proto`` - specific IP protocol. Supported values: ``tcp``, ``udp``,
|
|
|
|
|
``icmp``.
|
|
|
|
|
- ``dstports`` - destination port or ports range. Can be either a single port,
|
|
|
|
|
or a range separated by ``-``. Valid only together with ``proto=udp`` or
|
|
|
|
|
``proto=tcp``.
|
|
|
|
|
- ``icmptype`` - ICMP message type, specified as numeric value. Valid only
|
|
|
|
|
together with ``proto=icmp``.
|
|
|
|
|
- ``specialtarget`` - predefined target. Currently the only supported value is
|
|
|
|
|
``dns``. This can be combined with other matches to narrow it down.
|
2014-11-21 12:30:23 +01:00
|
|
|
|
|
|
|
|
Authors
|
2016-09-19 17:50:27 +02:00
|
|
|
-------
|
|
|
|
|
|
2013-03-12 16:55:05 +01:00
|
|
|
| Joanna Rutkowska <joanna at invisiblethingslab dot com>
|
|
|
|
|
| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
|
|
|
|
|
| Marek Marczykowski <marmarek at invisiblethingslab dot com>
|
2016-09-19 17:50:27 +02:00
|
|
|
| Wojtek Porczyk <woju at invisiblethingslab dot com>
|
|
|
|
|
|
|
|
|
|
.. vim: ts=3 sw=3 et tw=80
|
