I am still not really convinced about the 'zone', but this does not have
to change with this series.
I like the other changes, but I think there are some minor issues.
On 12.11.24 13:26, Stefan Hanreich wrote:
diff --git a/pve-firewall.adoc b/pve-firewall.adoc
index b428703..d5c664f 100644
--- a/pve-firewall.adoc
+++ b/pve-firewall.adoc
@@ -48,18 +48,34 @@ there is no need to maintain a different set of rules for
IPv6.
Zones
-----
-The Proxmox VE firewall groups the network into the following logical zones:
+The Proxmox VE firewall groups the network into the following logical zones.
+Depending on the zone, you can define firewall rules for incoming, outgoing or
+forwarded traffic.
Host::
-Traffic from/to a cluster node
+Traffic going from/to a host or traffic that is forwarded by a host.
+
+You can define rules for this zone either at the datacenter level or at the
node
+level. Rules at node level take precedence over rules at datacenter level.
If I am too picky, please tell me:
First we talk about traffic through the 'host' and then we switch to
talking about 'node level'.
Shouldn't we at least stick with one word? I think this can confuse users.
VM::
-Traffic from/to a specific VM
+Traffic going from/to a VM or CT.
+
+You cannot define rules for the forward direction, only for incoming /
outgoing.
Isn't the word 'traffic' missing at the end?
+
+VNet::
-For each zone, you can define firewall rules for incoming and/or
-outgoing traffic.
+Traffic passing through a SDN VNet, either from guest to guest or from host to
+guest and vice-versa. Since this traffic is always forwarded traffic, it is
only
I think the verb is missing in this sentence. Also, I'd change the
structure to:
Traffic is passing through a SDN VNet, either from guest to guest, from
host to guest or vice-versa.
+possible to create rules with direction forward.
+
+
+IMPORTANT: Creating rules for forwarded traffic or on a VNet-level is currently
+only possible when using the new
+xref:pve_firewall_nft[nftables-based proxmox-firewall]. Any forward rules will
be
+ignored by the stock `pve-firewall` and have no effect!
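Review bot: the IMPORTANT admonition at the end of the hunk says forward rules "will be ignored by the stock `pve-firewall` and have no effect", but does not say that they are accepted without any error or warning; since a user may write forward or VNet rules expecting them to be enforced, the note should state explicitly that such rules are silently ignored rather than rejected, and point the reader at checking which firewall implementation is active before relying on them, e.g. "Any forward rules are silently accepted but ignored by the stock `pve-firewall` and have no effect; make sure the nftables-based proxmox-firewall is enabled before relying on them." Two smaller points in the same hunk: the VNet paragraph reads "a SDN VNet" and should be "an SDN VNet", and there are two consecutive added blank lines before the IMPORTANT block where one would do.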
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel