some questions firewall

pille99

Sep 14, 2022
Hello guys,

some questions related to the firewall (because I already took my cluster offline with a wrong firewall rule).

I have Proxmox, 4 nodes, with 2 SDNs and 2 vnets; in one of the vnets there are 2 VLAN networks (no subnet - it doesn't work, I don't know why).
Suppose I have a webserver in vnet1/vlan20, and the other is 21 (just to isolate it).

- With the new vnet firewall I can block what goes in and out of the vnets? Correct? So I would set a rule there allowing the webserver.
- For the VM firewall I set rules in the vnet (if traffic stays internal); for instance, the webserver connects to a database, so I would create 2 rules, one for each, to grant access? Correct so far?
- The datacenter firewall protects the host itself. Would it be OK to implement my own firewall rules, based on iptables, not over Proxmox? I have a complex rule set with ipset and a lot of features.

- The node firewall: which ports are a must for Ceph, HA, Corosync, the web interface, etc., so that the nodes work?

For the vnet and VM firewall: how can I create templates?

regards
 
Hey,

1. Not quite; for vnets the firewall attaches to the bridge FORWARD hook, so there is no separate IN/OUT. It will filter everything that goes through the bridge; this can be east-west traffic between guests on the same vnet, but it also includes traffic between VLANs on that vnet. The default forward policy is ACCEPT, so just enabling it will not lock you out of anything.

2. You could, but what you probably want are rules on the VMs themselves. Guest rules are directional, and the defaults are ACCEPT for OUT and DROP for IN. So for your example the simplest approach would be to add an IN ACCEPT matching the web server's IP and the DB port. But having an explicit ACCEPT for OUT as well is also fine if you don't want to rely on the default.

3. You can disable the firewall on the datacenter level, but this will also disable guest firewalls. You can also just disable the host firewall, which leaves the guest firewalls still working. Generally, things in the datacenter are inherited by hosts. Yes, but you just have to stay out of the PVEFW-*, GROUP-*, and auto-generated tap*/veth*/fwbr* chain name namespaces with your custom ones.

4. There are pre-defined macros [1]; these also include one for Ceph that covers what Ceph needs. Corosync needs UDP ports 5405-5412 [2]. The web UI runs on 8006, and of course SSH on port 22.

5. There is no template support, but security groups [3] should cover most use cases.

Hope this makes sense :)

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_firewall_macro_definitions
[2] https://pve.proxmox.com/wiki/Cluster_Manager#pvecm_cluster_requirements
[3] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pve_firewall_security_groups
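As an added example for point 3 (not from the thread or from Proxmox itself): a small POSIX sh check you can run over your own iptables-save-format rules file before loading it, to flag user-defined chain names that fall into the namespaces pve-firewall manages. The sample dump is constructed; on a real node feed it your custom rules file rather than the live `iptables-save` output, which legitimately contains the PVEFW-* chains.

```shell
#!/bin/sh
# Scan an iptables-save style dump on stdin for user-defined chain names that
# collide with the namespaces pve-firewall manages: PVEFW-*, GROUP-*, and the
# auto-generated tap*/veth*/fwbr* chains. Prints each offending chain name and
# returns 1 if any were found, 0 otherwise.
check_reserved_chains() {
    # Chain definitions in iptables-save start with ':' followed by the name.
    # A policy of "-" marks a user-defined chain; built-ins carry ACCEPT/DROP.
    awk '
        /^:/ {
            name = substr($1, 2)
            if ($2 == "-" && name ~ /^(PVEFW-|GROUP-|tap|veth|fwbr)/) {
                print name
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample dump (not taken from a real node) for a stand-alone run.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PVEFW-INPUT - [0:0]
:GROUP-webservers-IN - [0:0]
:MYFW-INPUT - [0:0]
:tap100i0-IN - [0:0]
-A INPUT -j PVEFW-INPUT
-A INPUT -j MYFW-INPUT
COMMIT'

# Usage: pipe the rules file in; a non-zero exit means rename those chains.
printf '%s\n' "$SAMPLE_DUMP" | check_reserved_chains \
    || echo "collisions with pve-firewall chain namespaces found"
```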