[pve-devel] [PATCH pve-docs v3 18/18] firewall: add documentation for forward direction
Hannes Duerr
h.duerr at proxmox.com
Wed Nov 13 16:37:13 CET 2024
I am still not really convinced about the 'zone', but this does not have
to change with this series.
I like the other changes, but I think there are some minor issues.
On 12.11.24 13:26, Stefan Hanreich wrote:
> diff --git a/pve-firewall.adoc b/pve-firewall.adoc
> index b428703..d5c664f 100644
> --- a/pve-firewall.adoc
> +++ b/pve-firewall.adoc
> @@ -48,18 +48,34 @@ there is no need to maintain a different set of rules for IPv6.
> Zones
> -----
>
> -The Proxmox VE firewall groups the network into the following logical zones:
> +The Proxmox VE firewall groups the network into the following logical zones.
> +Depending on the zone, you can define firewall rules for incoming, outgoing or
> +forwarded traffic.
>
> Host::
>
> -Traffic from/to a cluster node
> +Traffic going from/to a host or traffic that is forwarded by a host.
> +
> +You can define rules for this zone either at the datacenter level or at the node
> +level. Rules at node level take precedence over rules at datacenter level.
If I am too picky please tell me:
First we talk about traffic through the 'host' and then we switch to
talking about 'node level'.
Shouldn't we at least stick with one word? I think this can confuse users.
>
> VM::
>
> -Traffic from/to a specific VM
> +Traffic going from/to a VM or CT.
> +
> +You cannot define rules for the forward direction, only for incoming / outgoing.
Isn't the word 'traffic' missing at the end?
> +
> +VNet::
>
> -For each zone, you can define firewall rules for incoming and/or
> -outgoing traffic.
> +Traffic passing through a SDN VNet, either from guest to guest or from host to
> +guest and vice-versa. Since this traffic is always forwarded traffic, it is only
I think the verb is missing in this sentence. Also, I'd change the
structure to:
Traffic is passing through a SDN VNet, either from guest to guest, from
host to guest or vice-versa.
> +possible to create rules with direction forward.
> +
> +
> +IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is currently
> +only possible when using the new
> +xref:pve_firewall_nft[nftables-based proxmox-firewall]. Any forward rules will be
> +ignored by the stock `pve-firewall` and have no effect!
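Review bot: the IMPORTANT note at the end of the hunk is the only place stating that forward rules are ignored by the stock `pve-firewall`, while the new Host zone paragraph ("Traffic going from/to a host or traffic that is forwarded by a host" and the datacenter/node precedence sentence) and the VNet paragraph ("it is only possible to create rules with direction forward") read as if forward rules always apply; consider adding a short pointer to the nftables requirement in both zone descriptions, or mention there that the Host zone precedence rule also covers forward rules, so a reader who stops at the zone list does not miss the caveat. Minor: the two consecutive blank lines before `IMPORTANT:` should be reduced to one to match the spacing used between the other zone entries.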