13.2. Configuration Files

All firewall-related configuration is stored on the Proxmox cluster file system, so those files are automatically distributed to all cluster nodes, and the pve-firewall service updates the underlying iptables rules automatically on changes.

You can configure anything using the GUI (i.e. Datacenter → Firewall, or on a node under Node → Firewall), or you can edit the configuration files directly using your preferred editor.

Firewall configuration files contain sections of key-value pairs. Lines beginning with a # and blank lines are considered comments. Sections start with a header line containing the section name enclosed in [ and ].

The cluster-wide firewall configuration is stored at:

/etc/pve/firewall/cluster.fw

The configuration can contain the following sections:

Host related configuration is read from:

/etc/pve/nodes/<nodename>/host.fw

This is useful if you want to override rules from the cluster.fw config. You can also increase log verbosity and set netfilter-related options. The configuration can contain the following sections:

[OPTIONS]

This is used to set host-related firewall options.

enable: <boolean>
    Enable host firewall rules.

log_level_in: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for incoming traffic.

log_level_out: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for outgoing traffic.

log_nf_conntrack: <boolean> (default = 0)
    Enable logging of conntrack information.

ndp: <boolean> (default = 0)
    Enable NDP (Neighbor Discovery Protocol).

nf_conntrack_allow_invalid: <boolean> (default = 0)
    Allow invalid packets on connection tracking.

nf_conntrack_max: <integer> (32768 - N) (default = 262144)
    Maximum number of tracked connections.

nf_conntrack_tcp_timeout_established: <integer> (7875 - N) (default = 432000)
    Conntrack timeout for established TCP connections.

nf_conntrack_tcp_timeout_syn_recv: <integer> (30 - 60) (default = 60)
    Conntrack timeout for TCP connections in the SYN_RECV state.

nosmurfs: <boolean>
    Enable SMURFS filter.

protection_synflood: <boolean> (default = 0)
    Enable synflood protection.

protection_synflood_burst: <integer> (default = 1000)
    Synflood protection rate burst, per source IP.

protection_synflood_rate: <integer> (default = 200)
    Synflood protection rate in SYN/sec, per source IP.

smurf_log_level: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for SMURFS filter.

tcp_flags_log_level: <alert | crit | debug | emerg | err | info | nolog | notice | warning>
    Log level for illegal TCP flags filter.

tcpflags: <boolean> (default = 0)
    Filter illegal combinations of TCP flags.

[RULES]

This section contains host-specific firewall rules.
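The file format described above (comment lines, [SECTION] headers, key: value pairs in [OPTIONS]) and the documented host.fw option ranges lend themselves to an offline audit before a file is dropped into /etc/pve. The following is an added example, not code from the Proxmox VE project: it parses a constructed host.fw, keeps [RULES] lines verbatim (rule syntax is not covered in this section), and flags [OPTIONS] values that fall outside the documented types and ranges. The accepted boolean spellings and the validation table are this example's own assumptions drawn from the option list above.

```python
"""Parse a Proxmox VE firewall config file and sanity-check [OPTIONS].

Added example (not pve-firewall code). Format assumptions: lines starting
with '#' and blank lines are comments, sections start with '[NAME]', and
[OPTIONS] holds 'key: value' pairs. The HOST_OPTIONS table mirrors the
documented host.fw options; unknown keys and out-of-range values are reported.
"""
import re
from typing import Dict, List

LOG_LEVELS = {"alert", "crit", "debug", "emerg", "err", "info",
              "nolog", "notice", "warning"}
# Assumption: boolean options are written as 0/1 (other spellings not handled).
BOOL_VALUES = {"0", "1"}

# key -> (kind, (min, max)); None means "no documented bound"
HOST_OPTIONS = {
    "enable": ("bool", None),
    "log_level_in": ("loglevel", None),
    "log_level_out": ("loglevel", None),
    "log_nf_conntrack": ("bool", None),
    "ndp": ("bool", None),
    "nf_conntrack_allow_invalid": ("bool", None),
    "nf_conntrack_max": ("int", (32768, None)),
    "nf_conntrack_tcp_timeout_established": ("int", (7875, None)),
    "nf_conntrack_tcp_timeout_syn_recv": ("int", (30, 60)),
    "nosmurfs": ("bool", None),
    "protection_synflood": ("bool", None),
    "protection_synflood_burst": ("int", None),
    "protection_synflood_rate": ("int", None),
    "smurf_log_level": ("loglevel", None),
    "tcp_flags_log_level": ("loglevel", None),
    "tcpflags": ("bool", None),
}

SECTION_RE = re.compile(r"\[(.+)\]")


def parse_fw(text: str) -> Dict[str, List[str]]:
    """Split a .fw file into sections; each value is the list of non-comment lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comment or blank line
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1).strip()  # e.g. OPTIONS, RULES
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"line outside any section: {raw!r}")
        sections[current].append(line)
    return sections


def parse_options(lines: List[str]) -> Dict[str, str]:
    """Turn 'key: value' lines of an [OPTIONS] section into a dict."""
    opts: Dict[str, str] = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value pair: {line!r}")
        opts[key.strip()] = value.strip()
    return opts


def check_host_options(opts: Dict[str, str]) -> List[str]:
    """Return one finding per option that violates the documented type or range."""
    findings: List[str] = []
    for key, value in opts.items():
        spec = HOST_OPTIONS.get(key)
        if spec is None:
            findings.append(f"{key}: unknown host option")
            continue
        kind, bounds = spec
        if kind == "bool" and value not in BOOL_VALUES:
            findings.append(f"{key}: expected boolean 0/1, got {value!r}")
        elif kind == "loglevel" and value not in LOG_LEVELS:
            findings.append(f"{key}: unknown log level {value!r}")
        elif kind == "int":
            if not value.lstrip("-").isdigit():
                findings.append(f"{key}: expected integer, got {value!r}")
                continue
            n = int(value)
            lo, hi = bounds or (None, None)
            if lo is not None and n < lo:
                findings.append(f"{key}: {n} below documented minimum {lo}")
            if hi is not None and n > hi:
                findings.append(f"{key}: {n} above documented maximum {hi}")
    return findings


# Constructed sample host.fw; the syn_recv timeout and the synflood flag are wrong.
SAMPLE_HOST_FW = """\
# constructed sample host.fw
[OPTIONS]
enable: 1
log_level_in: info
nf_conntrack_tcp_timeout_syn_recv: 120
tcpflags: 1
protection_synflood: maybe

[RULES]
IN SSH(ACCEPT) -source 192.168.0.0/24 -log nolog
"""


def audit(text: str) -> List[str]:
    """Parse a host.fw and return the list of findings for its [OPTIONS]."""
    sections = parse_fw(text)
    return check_host_options(parse_options(sections.get("OPTIONS", [])))


if __name__ == "__main__":
    for finding in audit(SAMPLE_HOST_FW):
        print(finding)
```

Running the block prints one line for the syn_recv timeout above its documented maximum of 60 and one for the non-boolean protection_synflood value; a clean file yields no output. The same parser applies unchanged to cluster.fw and <VMID>.fw files, but the option table only covers the host options documented above.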

VM firewall configuration is read from:

/etc/pve/firewall/<VMID>.fw

and contains the following data: