.. program:: qvm-firewall
:program:`qvm-firewall` -- Manage VM outbound firewall
=======================================================

Synopsis
--------

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* add *RULE*

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* del [--rule-no=*RULE_NUMBER*] [*RULE*]

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* list [--raw]

:command:`qvm-firewall` [-h] [--verbose] [--quiet] [--reload] *VMNAME* policy {accept,drop}
Options
-------

.. option:: --help, -h

   show help message and exit

.. option:: --verbose, -v

   increase verbosity

.. option:: --quiet, -q

   decrease verbosity

.. option:: --reload, -r

   force reloading rules even when unchanged

.. option:: --raw

   Print raw rules when listing
Actions
-------

Available actions:

- ``add`` - add the specified rule. See the Rule syntax section below.

- ``del`` - delete the specified rule. The rule can be selected either by rule
  number using :option:`--rule-no`, or by specifying the rule itself.

- ``list`` - list all the rules for a given VM.

- ``policy`` - set the default action applied when no rule matches.
Rule syntax
-----------

A single rule is built from:

- an action - either ``drop`` or ``accept``
- zero or more matches

The selected action is applied to a packet when all specified matches match;
further rules are not evaluated. If none of the rules match, the default
action (the ``policy``) is applied.

Supported matches:

- ``dsthost`` - destination host or network. Can be either an IP address in
  CIDR notation, or a host name. Both IPv4 and IPv6 are supported by the rule
  syntax.

- ``proto`` - specific IP protocol. Supported values: ``tcp``, ``udp``,
  ``icmp``.

- ``dstports`` - destination port or port range. Can be either a single port,
  or a range separated by ``-``. Valid only together with ``proto=udp`` or
  ``proto=tcp``.

- ``icmptype`` - ICMP message type, specified as a numeric value. Valid only
  together with ``proto=icmp``.

- ``specialtarget`` - predefined target. Currently the only supported value is
  ``dns``. This can be combined with other matches to narrow it down.
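As an added illustration of the rule syntax above (this is example code written for this page, not part of qvm-firewall or the Qubes documentation), the following POSIX shell function checks a rule against the constraints listed: a valid action, known match names, the permitted ``proto`` values, numeric ``dstports`` and ``icmptype`` values, and the dependency of ``dstports`` and ``icmptype`` on ``proto``. The ``key=value`` form of a match argument on the command line, and the ``add_rule_cmd`` wrapper that prints the invocation, are assumptions; nothing here calls ``qvm-firewall`` itself.

```shell
#!/bin/sh
# Constructed example: validate a qvm-firewall rule against the documented
# rule syntax before it is handed to `qvm-firewall VMNAME add`.
# Not part of qvm-firewall; it only mirrors the constraints stated on this page.

# check_rule ACTION [MATCH...]
# Each MATCH is key=value. Returns 0 for a well-formed rule, 1 otherwise
# (with the reason on stderr).
check_rule() {
    action=$1
    shift
    case "$action" in
        accept|drop) ;;
        *) echo "rule: action must be accept or drop, got '$action'" >&2; return 1 ;;
    esac

    proto=""
    has_dstports=0
    has_icmptype=0
    for match in "$@"; do
        key=${match%%=*}
        value=${match#*=}
        if [ "$key" = "$match" ]; then
            echo "rule: match '$match' is not of the form key=value" >&2; return 1
        fi
        case "$key" in
            dsthost)
                # IP/CIDR or host name; only check that a value is present
                [ -n "$value" ] || { echo "rule: dsthost needs a value" >&2; return 1; } ;;
            proto)
                case "$value" in
                    tcp|udp|icmp) proto=$value ;;
                    *) echo "rule: proto must be tcp, udp or icmp" >&2; return 1 ;;
                esac ;;
            dstports)
                # a single port or a low-high range, digits only
                case "$value" in
                    *[!0-9-]*|""|-*|*-|*-*-*) echo "rule: bad dstports '$value'" >&2; return 1 ;;
                esac
                has_dstports=1 ;;
            icmptype)
                case "$value" in
                    *[!0-9]*|"") echo "rule: icmptype must be numeric" >&2; return 1 ;;
                esac
                has_icmptype=1 ;;
            specialtarget)
                [ "$value" = dns ] || { echo "rule: specialtarget must be dns" >&2; return 1; } ;;
            *)
                echo "rule: unknown match '$key'" >&2; return 1 ;;
        esac
    done

    # Cross-field constraints from the rule syntax section
    if [ "$has_dstports" = 1 ] && [ "$proto" != tcp ] && [ "$proto" != udp ]; then
        echo "rule: dstports is valid only together with proto=tcp or proto=udp" >&2; return 1
    fi
    if [ "$has_icmptype" = 1 ] && [ "$proto" != icmp ]; then
        echo "rule: icmptype is valid only together with proto=icmp" >&2; return 1
    fi
    return 0
}

# add_rule_cmd VMNAME ACTION [MATCH...]
# Hypothetical wrapper: validates the rule, then prints the command that would
# add it (the key=value argument form is an assumption of this example).
add_rule_cmd() {
    vm=$1
    shift
    check_rule "$@" || return 1
    printf 'qvm-firewall %s add %s\n' "$vm" "$*"
}

# Usage: print a validated invocation for a constructed rule
add_rule_cmd work accept dsthost=192.0.2.10 proto=tcp dstports=443
```

Run it as-is to see the printed invocation; call ``check_rule`` alone to test a rule without printing anything. Matches may appear in any order, since the ``proto`` dependency is checked only after all matches have been read.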