Firewall questions

tdo

Member
Oct 8, 2011
Hello,

I've installed the latest Proxmox update with firewall support. First of all, thank you very much :) !
I have some questions regarding this feature:

1. I'm using the role "PVEVMUser" for my VPS users, so they can manage their VPS on their own. To make snapshots I've created a new role with the same permissions as "PVEVMUser" plus "VM.Snapshot". Is there a permission for managing the firewall? Something like "VM.Firewall", so my users can manage the firewall for their VPS? I don't want to give "VM.Config.Network" or something like that, because they should not be allowed to change the network interfaces.

2. Does the firewall support blocking/allowing specific external IPs to a VM via the host machine? I mean, is it possible to add something like "IN SSH(ACCEPT) -i tap100i0 -source 192.168.2.192" on the host system, so my users will not see this entry on their VM firewall management and the interface is the interface of the VM with id 100?
 
Hello tdo

> 1. I'm using the role "PVEVMUser" for my VPS users, so they can manage their VPS on their own. To make snapshots I've created a new role with the same permissions as "PVEVMUser" plus "VM.Snapshot". Is there a permission for managing the firewall? Something like "VM.Firewall", so my users can manage the firewall for their VPS? I don't want to give "VM.Config.Network" or something like that, because they should not be allowed to change the network interfaces.

As far as I know you need administrator rights on the level (Datacenter, Host, VM) where you want to edit the firewall, but you can see it in any case.
Yes, I agree something like "VM.Firewall" would be useful.

So it's hereby a request to development.

> 2. Does the firewall support blocking/allowing specific external IPs to a VM via the host machine? I mean, is it possible to add something like "IN SSH(ACCEPT) -i tap100i0 -source 192.168.2.192" on the host system, so my users will not see this entry on their VM firewall management and the interface is the interface of the VM with id 100?

Do I understand it correctly: you want to prevent the VM owner (who is an admin just for his VM) from changing firewall restrictions for his machine - therefore the rule should be defined on a host or datacenter level even if it has effect for the VM?

Kind regards

Mr.Holmes
 
> Do I understand it correctly: you want to prevent the VM owner (who is an admin just for his VM) from changing firewall restrictions for his machine - therefore the rule should be defined on a host or datacenter level even if it has effect for the VM?

The owner/admin should be able to set firewall rules for his VM, but I also want to set a firewall rule on the host for his VM. The owner should not be able to view this firewall rule, so I want to add this rule to the host for his VM, and the owner can set firewall rules for his VM too from the VM view. So, for example, I want to be able to block a specific IP for his VM on the host, so the owner does not know that this IP is blocked for his VM.
 
