What is the best firewall for proxmox??

raid

Jul 25, 2010
After reading and searching info about a firewall to install on my Proxmox, I found almost 4 options.
  1. firewall
  2. shorewall
  3. fridu
  4. fail2ban
Now, waiting for a new Proxmox firewall (I hope in the next version), I wonder: which one performs best? Which is the easiest to configure? Which one is the safest?

Could anyone help us choose one? Has anyone tried more than one?
thanks
luc
 
I asked myself the same question. As I have to use a software firewall on my Proxmox host, I've decided to use a combination of iptables and knockd.
But if someone has a better idea I'd be interested :)
 
Personally I use shorewall everywhere else, so I would be interested in using that on proxmox, but I haven't gotten there yet. Anyone else use shorewall on Proxmox?
 
How many Proxmox tickets would be required to configure a firewall on a single Proxmox machine?
 
I like pfSense and the easy web management interface. I have 2 NICs on my server, installed pfSense on KVM, and have all my OpenVZ/KVM servers use pfSense as the gateway; this works very well.
 
Already answered via private mail.
 
fail2ban is not a firewall. It is only a set of scripts that react to entries in your log files and then add entries into iptables.

I find it very good for stopping people trying to guess passwords for my asterisk server. After 3 wrong SIP registration attempts, their IP address gets added to the reject list in iptables.

For security reasons, it is recommended to not run services on your firewall. If you are worried about cost, then look at OpenWRT. It works great on the Linksys WRT54GL. These are quite cheap and small. Plus you get a wireless AP if you need it. The software will also work on other hardware, including x86 systems.

--
KCH
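
The behaviour described in the post above (three failed SIP registrations, then a reject entry in iptables), as an added example that is not from the thread and is not fail2ban's own code. The log lines are constructed, and the 10-minute window, the function names and the `INPUT` chain are assumptions; the rule is built but never executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of Asterisk chan_sip NOTICE messages.
SAMPLE_LOG = """\
[2010-07-25 12:00:01] NOTICE[2101] chan_sip.c: Registration from '<sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2010-07-25 12:00:04] NOTICE[2101] chan_sip.c: Registration from '<sip:101@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2010-07-25 12:00:09] NOTICE[2101] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-07-25 12:00:11] NOTICE[2101] chan_sip.c: Registration from '<sip:102@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[2010-07-25 12:30:00] NOTICE[2101] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2010-07-25 12:59:00] NOTICE[2101] chan_sip.c: Registration from '<sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'")

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return IPs with max_retry failures inside one find_time window, in ban order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > find_time:   # drop failures older than the window
            hits.popleft()
        if len(hits) >= max_retry:
            banned.append(m["ip"])
    return banned

def reject_rule(ip, chain="INPUT"):
    """Build (not run) the iptables argv that would reject this source."""
    return ["iptables", "-I", chain, "-s", ip, "-j", "REJECT"]

if __name__ == "__main__":
    for ip in find_offenders(SAMPLE_LOG):
        print(" ".join(reject_rule(ip)))
```

The second address in the sample also fails three times, but spread over an hour, so it only crosses the threshold if the window is widened.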
 
I've just finished reading through the "Shorewall Setup Guide" (http://www.shorewall.net/shorewall_setup_guide.htm) and I think this could be my choice, too.
Next step for me is to find out how exactly the different network options for OpenVZ and KVM result.

@kch:
How would you set up a server farm using OpenWRT?
I think that's really difficult as you have different networks behind (in my case) 2 NICs -> 2 ports on the CPE...

@twocell:
I can really suggest reading that guide, it's well explained and contains all sample configs. Just insert your IPs and get it running...
 
@kch:
How would you set up a server farm using OpenWRT?
I think that's really difficult as you have different networks behind (in my case) 2 NICs -> 2 ports on the CPE...

OpenWRT runs on x86 machines as well.

But you don't run a server farm 'with' openwrt or any other firewall. You generally run the servers 'behind' the firewall or on a separate DMZ network hanging off the firewall.
 
You generally run the servers 'behind' the firewall or on a separate DMZ network hanging off the firewall.
Of course, meant that.

The problem is:
- I have one hardware server with 2 NICs
- Proxmox runs on my server, having both NICs configured as bonding/teaming interfaces for redundancy

So how can the CPE differentiate between the DMZ and (secure) LAN if both are hosted on my Proxmox host that's connected on 1 logical link?
 
I have a three-node cluster with 7 different VLANs. Each node has 4 NICs (2 for SAN, 2 for rest of the network) and I tried a number of them (pfSense, clarkos, eBox etc.). In the end I chose Vyatta for a number of reasons:

- command line auto complete is very convenient
- entire configuration is one (editable) conf file so backup and mass updates are trivial
- allows different subnets on the same VLAN
- doesn't have any stupid rules about the hostname needing to be unique - it assumes the fully qualified name is unique (i.e. it will allow server1.domain1.com and server1.domain2.com unlike most others that balk at 'server1' :))

It isn't perfect but the documentation is excellent and it offers the most options.
 
