Struggling with the firewall concept of Proxmox

topcaser (New Member), Jun 2, 2025
Hi, I am really struggling with a proper firewall concept for my VM server in my home network. In principle I want to allow only internal network traffic, and therefore I set the default policy to drop in the data centre and defined exactly one accept rule for internal traffic.

At the pve level I am wondering why I can't set any default policy; at least it is not in the same place as in the firewall of the data centre or of my LXC container. I would assume that the default policy is accept here, am I right? And I am wondering what to set here if the underlying containers or VMs have their own firewall anyway. I only have one pve and therefore it doesn't make sense for me to set anything here other than accept all. Although my AI suggests that I set further allow rules for port 8006 and the SSH port to make it more robust. I don't know whether this makes sense.

Next we have the firewall of the underlying layer. I currently have only Linux containers or VMs, and I am asking myself what would be best here: using the Proxmox firewall or using ufw. Is there something recommended here? I am more familiar with ufw, to be honest.

Here are my questions:
1. What do you think of my overall firewall concept? Are there any improvements?
2. Where can I set or review the default policy of the pve?
3. When is the pve firewall useful to use: only if one has more than one pve?
4. Does it make sense to define accept rules in the pve for 8006 and SSH although the default policy seems to be ACCEPT?
5. What's recommended to use in Linux containers or VMs: ufw or the Proxmox firewall?

Thanks for helping, Bernd

Edit: I am also wondering how I can handle IPv6 addresses with the Proxmox firewall. If I set in the data centre "accept everything from this source 192.168.178.0/24", what about IPv6? I need it e.g. for Pi-hole, which is performing DNS resolving...

Edit2: I just realized that if I set the LXC firewall to active, it is not working at all. If I remove the check from my SSH port, it is still allowed to connect. Also, in the configuration file of that LXC container there is no firewall entry at all. This is really frustrating.
 
Hi Bernd,

here's some pve-firewall 101:
  • You can specify different default policies: Proxmox defaults are `input: drop`, `output: allow`, `forward: allow`. This ONLY applies to traffic from or to your nodes, not from/to VMs or containers. They have their own default policies (VM/CT -> Firewall -> Options).
  • To enable the firewall, you need to activate it at datacenter level (Datacenter -> Firewall -> Options) (default: off). Even if you have activated the firewall, Proxmox VE has reasonable exceptions in place that let you access the web interface or shell from the same subnet (see https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_ports_used_by_proxmox_ve). If you don't enable it at datacenter level, your VM/CT firewall won't work.
  • Everything you define at datacenter level will be inherited by all nodes, but NOT by VMs or containers. They need their own rules.
  • If you set something at node level, it will override any setting at datacenter level.
  • If you want to enable the firewall on a VM or container, you need to enable it for this specific resource (VM/CT -> Firewall -> Options).
  • Define your Aliases, IPsets and Security Groups at datacenter level and reuse them on nodes, VMs and containers.
Should you use ufw or pve-firewall?

For your use case, it doesn't seem to matter. Take whatever you like most. For other use cases, the main difference may be that the pve-firewall is managed by the Proxmox VE administrators while ufw is managed by the VM administrator/user. So if you run a datacenter where you host VMs with unknown workloads, you may use the pve-firewall to allow or disallow any network connections to/from any VM/CT without having access to those VMs/CTs.
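As an added example (not code from either post, and not Proxmox's own code), here is a POSIX shell dry run of the layering described in the reply above. It writes the datacenter, node and guest config files that the GUI settings end up in, defining one IPset and one security group at datacenter level and reusing them in the guest, and then checks the guest side of Bernd's Edit2: enabling the firewall in the CT's Firewall -> Options writes `<vmid>.fw`, but a NIC is only attached to it when its `netN` line carries `firewall=1` (the Firewall checkbox on the network device). The node name `pve`, VMID 100, the rule contents, the constructed LXC config and the `+dc/<name>` reference form for datacenter IPsets are assumptions; the file paths mirror the real layout under `/etc/pve`, so keep it pointed at a scratch directory unless you mean it.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from Proxmox.
# Writes the three config layers the reply describes (datacenter -> node -> guest)
# under a root directory, then checks the guest side of Bernd's Edit2: with the
# guest firewall enabled, a NIC stays unfiltered unless its net line has firewall=1.
# Assumptions (not in the thread): node name "pve", container VMID 100, the rule
# contents, and the +dc/<name> form for datacenter IPsets. Paths mirror /etc/pve.
set -eu

write_pve_firewall_configs() {
    root="$1"; node="$2"; vmid="$3"
    mkdir -p "$root/firewall" "$root/nodes/$node"

    # Datacenter level: turn the firewall on (off by default), set the node
    # default policies, and define the IPset and security group once so that
    # nodes and guests reference them instead of repeating addresses.
    cat >"$root/firewall/cluster.fw" <<'EOF'
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET lan]
# home network; IPsets also take IPv6 prefixes if the guests talk IPv6
192.168.178.0/24

[group lan-only]
# accept anything from the home network; everything else hits policy_in
IN ACCEPT -source +dc/lan

[RULES]
# management access to the node itself, LAN only
IN ACCEPT -source +dc/lan -p tcp -dport 8006
IN ACCEPT -source +dc/lan -p tcp -dport 22
EOF

    # Node level: rules come down from the datacenter; host.fw only holds
    # per-node options, which override the datacenter values.
    cat >"$root/nodes/$node/host.fw" <<'EOF'
[OPTIONS]
enable: 1
log_level_in: info
EOF

    # Guest level: nothing is inherited. The guest needs its own enable flag,
    # its own default policies and its own rules; the group is reused here.
    cat >"$root/firewall/$vmid.fw" <<'EOF'
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
GROUP lan-only
EOF
}

# Returns 0 when every netN line in a guest config has firewall=1, else 1 and
# names the offending line on stderr. A NIC without firewall=1 bypasses
# <vmid>.fw entirely, which looks exactly like "the LXC firewall does nothing".
check_guest_nic_firewall() {
    conf="$1"; rc=0
    while IFS= read -r line; do
        case "$line" in
            net[0-9]*:*firewall=1*) ;;
            net[0-9]*:*) printf 'missing firewall=1: %s\n' "$line" >&2; rc=1 ;;
        esac
    done <"$conf"
    return "$rc"
}

# Constructed sample LXC config (pve-container style, not Bernd's real file).
# with_fw=1 writes the net line a filtered guest needs, 0 the unfiltered one.
write_sample_lxc_conf() {
    conf="$1"; with_fw="$2"
    if [ "$with_fw" = 1 ]; then fw=",firewall=1"; else fw=""; fi
    cat >"$conf" <<EOF
arch: amd64
cores: 2
hostname: pihole
memory: 512
net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:00:01,ip=192.168.178.53/24,gw=192.168.178.1${fw}
ostype: debian
rootfs: local-lvm:vm-100-disk-0,size=8G
EOF
}

# Dry run in a scratch directory so nothing under /etc/pve is touched.
demo() {
    root=$(mktemp -d)
    write_pve_firewall_configs "$root" pve 100
    for f in firewall/cluster.fw nodes/pve/host.fw firewall/100.fw; do
        printf '== %s ==\n' "$f"; cat "$root/$f"
    done
    write_sample_lxc_conf "$root/100-ok.conf" 1
    write_sample_lxc_conf "$root/100-broken.conf" 0
    check_guest_nic_firewall "$root/100-ok.conf" && echo "100-ok.conf: NIC is filtered"
    check_guest_nic_firewall "$root/100-broken.conf" || echo "100-broken.conf: NIC is NOT filtered"
    rm -rf "$root"
}
demo
```

Running it prints the three generated files and the two NIC checks. To apply the same layout for real, enter the equivalent settings in the GUI (or write the files under `/etc/pve`, which is cluster-wide) and confirm with `pve-firewall compile` and `pve-firewall status` on the node; the `firewall=1` flag on the guest's network device is what Bernd's container config was missing, and without it the per-guest rules never see the traffic.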