.. program:: qvm-firewall

:program:`qvm-firewall` -- Manage VM outbound firewall
======================================================

Synopsis
--------

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* add *RULE*

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* del [--rule-no=*RULE_NUMBER*] [*RULE*]

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* list [--raw]

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* policy {accept,drop}

Options
-------

.. option:: --help, -h

   show help message and exit

.. option:: --verbose, -v

   increase verbosity

.. option:: --quiet, -q

   decrease verbosity

.. option:: --reload, -r

   force reloading rules even when unchanged

.. option:: --raw

   print raw rules when listing

Actions description
-------------------

Available actions:

* add - add the specified rule. See the `Rule syntax` section below.

* del - delete the specified rule. The rule can be selected either by rule
  number using :option:`--rule-no`, or by specifying the rule itself.

* list - list all the rules for a given VM.

* policy - set the default action applied when no rule matches.

Rule syntax
-----------

A single rule is built from:

- action - either ``drop`` or ``accept``
- zero or more matches

The selected action is applied to a given packet when all specified matches
match; further rules are not evaluated. If none of the rules match, the default
action (``policy``) is applied.

Supported matches:

- ``dsthost`` - destination host or network. Can be either an IP address in
  CIDR notation, or a host name. Both IPv4 and IPv6 are supported by the rule
  syntax.
- ``proto`` - specific IP protocol. Supported values: ``tcp``, ``udp``,
  ``icmp``.
- ``dstports`` - destination port or port range. Can be either a single port,
  or a range separated by ``-``. Valid only together with ``proto=udp`` or
  ``proto=tcp``.
- ``icmptype`` - ICMP message type, specified as a numeric value. Valid only
  together with ``proto=icmp``.
- ``specialtarget`` - predefined target. Currently the only supported value is
  ``dns``. This can be combined with other matches to narrow it down.

Authors
-------

| Joanna Rutkowska <joanna at invisiblethingslab dot com>
| Rafal Wojtczuk <rafal at invisiblethingslab dot com>
| Marek Marczykowski <marmarek at invisiblethingslab dot com>
| Wojtek Porczyk <woju at invisiblethingslab dot com>

.. vim: ts=3 sw=3 et tw=80
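The following is an added example written for this page, not code from qubes-core-admin-client. It models the rule semantics described above (first matching rule decides, otherwise the default ``policy``) and enforces the documented constraints that ``dstports`` requires ``proto=tcp``/``proto=udp`` and ``icmptype`` requires ``proto=icmp``. It assumes rules are written as an action followed by ``key=value`` matches (the ``proto=tcp`` form shown above); host-name targets and the ``dns`` special target are resolved from constructed tables instead of real DNS or Qubes lookups.

```python
"""Illustrative model of qvm-firewall rule parsing and evaluation (added
example, not the Qubes implementation)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

SUPPORTED_PROTOS = {"tcp", "udp", "icmp"}

# Constructed stand-in for DNS resolution of a host-name dsthost value.
HOSTS = {"example.invalid": ["192.0.2.10"]}
# Constructed stand-in for the resolver addresses that specialtarget=dns
# expands to (in Qubes these are the DNS servers handed to the VM).
DNS_SERVERS = {"10.139.1.1", "10.139.1.2"}


@dataclass
class Rule:
    action: str
    dsthost: Optional[str] = None          # CIDR literal or host name
    proto: Optional[str] = None
    dstports: Optional[tuple] = None       # (low, high), inclusive
    icmptype: Optional[int] = None
    specialtarget: Optional[str] = None


@dataclass
class Packet:
    dst: str                               # destination IP address
    proto: str                             # "tcp", "udp" or "icmp"
    dstport: Optional[int] = None
    icmptype: Optional[int] = None


def parse_rule(text: str) -> Rule:
    """Parse 'accept|drop key=value ...' and validate cross-match constraints."""
    parts = text.split()
    if not parts or parts[0] not in ("accept", "drop"):
        raise ValueError("rule must start with 'accept' or 'drop'")
    rule = Rule(action=parts[0])
    for match in parts[1:]:
        key, sep, value = match.partition("=")
        if not sep or not value:
            raise ValueError(f"match without value: {match!r}")
        if key == "dsthost":
            rule.dsthost = value
        elif key == "proto":
            if value not in SUPPORTED_PROTOS:
                raise ValueError(f"unsupported proto {value!r}")
            rule.proto = value
        elif key == "dstports":
            low, _, high = value.partition("-")
            lo, hi = int(low), int(high) if high else int(low)
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"invalid port range {value!r}")
            rule.dstports = (lo, hi)
        elif key == "icmptype":
            rule.icmptype = int(value)
        elif key == "specialtarget":
            if value != "dns":
                raise ValueError("only specialtarget=dns is supported")
            rule.specialtarget = value
        else:
            raise ValueError(f"unknown match {key!r}")
    # Constraints documented in the rule syntax section.
    if rule.dstports is not None and rule.proto not in ("tcp", "udp"):
        raise ValueError("dstports is valid only with proto=tcp or proto=udp")
    if rule.icmptype is not None and rule.proto != "icmp":
        raise ValueError("icmptype is valid only with proto=icmp")
    return rule


def is_valid_rule(text: str) -> bool:
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def dsthost_networks(value: str) -> list:
    """Expand a dsthost value: CIDR/IP literal, or host name via HOSTS table."""
    try:
        return [ipaddress.ip_network(value, strict=False)]
    except ValueError:
        return [ipaddress.ip_network(a) for a in HOSTS.get(value, [])]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All specified matches must hold; an unspecified match is a wildcard."""
    dst = ipaddress.ip_address(pkt.dst)
    # ip_network.__contains__ returns False across IPv4/IPv6 families.
    if rule.dsthost is not None and not any(dst in n for n in dsthost_networks(rule.dsthost)):
        return False
    if rule.specialtarget == "dns" and pkt.dst not in DNS_SERVERS:
        return False
    if rule.proto is not None and pkt.proto != rule.proto:
        return False
    if rule.dstports is not None and (
            pkt.dstport is None or not rule.dstports[0] <= pkt.dstport <= rule.dstports[1]):
        return False
    if rule.icmptype is not None and pkt.icmptype != rule.icmptype:
        return False
    return True


def evaluate(rules: list, policy: str, pkt: Packet) -> str:
    """First matching rule decides; the default policy applies otherwise."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return policy


# Constructed rule set: the drop for a single host comes first, so it wins
# over the broader accept that follows it.
DEMO_RULES = [parse_rule(r) for r in (
    "drop dsthost=192.0.2.99",
    "accept dsthost=192.0.2.0/24 proto=tcp dstports=80-443",
    "accept dsthost=example.invalid proto=icmp icmptype=8",
    "accept specialtarget=dns proto=udp dstports=53",
    "accept dsthost=2001:db8::/32 proto=tcp dstports=443",
)]


def decide(pkt: Packet) -> str:
    return evaluate(DEMO_RULES, "drop", pkt)


if __name__ == "__main__":
    for p in (Packet("192.0.2.99", "tcp", 443), Packet("192.0.2.10", "tcp", 443),
              Packet("10.139.1.1", "udp", 53), Packet("2001:db8::1", "tcp", 80)):
        print(p, "->", decide(p))
```

Rule order matters in the model exactly as the text states: the ``drop`` for ``192.0.2.99`` is listed before the ``/24`` accept, so traffic to that host is dropped even though the later rule would have accepted it, and anything no rule covers falls through to the ``drop`` policy.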