Allow ping among LXC in the same private network

jsabater

Member
Oct 25, 2021
Palma, Mallorca, Spain
Hey everyone!

I have read the PVE Firewall documentation plus a bunch of posts on these forums and, if I have understood correctly, there is no way to configure a single rule allowing ping among all LXC in the nodes of a Proxmox 7 cluster, as rules at the datacentre level don't apply to containers, and neither do rules at the node level. So the only solution is to create the rule in each and every LXC firewall:

Type  Action  Macro  Interface  Protocol  Source               S. Port  Destination          D. Port  Comment
in    ACCEPT  Ping   net0       -         ipv4_private_guests  -        ipv4_private_guests  -        Allow ping from any LXC

ipv4_private_guests is an alias for the private network 192.168.0.0/24.

And if I wanted to apply a number of rules to all containers, then I could create a security group, add the rules there, and apply the security group to each and every container.

But there is no way to create a rule once and tell Proxmox to apply it to a given list of containers (all of them or a subset). I've seen some people call this feature "inheritance" on these forums. Correct?

If so, is there any feature request I could upvote?
 
As far as I can see it you are correct there is rule inheritance. What should be possible is to create the security group(s) you need and create the firewall config files in /etc/pve/firewall. Which you should be able to just copy if the same rules apply to all. The format is <vm/ct-id>.fw

Code:
root@21-cl1:/etc/pve/firewall# ls
100.fw    101.fw    cluster.fw

root@21-cl1:/etc/pve/firewall# cat 100.fw 
[OPTIONS]

enable: 1

[RULES]

GROUP no_local

I also found this slightly (:D) ticket which sounds like what you are describing: https://bugzilla.proxmox.com/show_bug.cgi?id=826
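To make the "copy the same file to every container" approach from the reply above repeatable, here is an added example script (not from this thread, not Proxmox's own tooling). It renders a cluster.fw fragment that defines the ipv4_private_guests alias from the first post and puts the Ping rule into one security group, then writes a <ctid>.fw for each container that only references that group, so the rule itself lives in one place. The group name lxc_private_ping, the policy_in: DROP default, the FW_DIR/FW_FORCE variables and the list_ct_ids helper are this example's own choices, not anything Proxmox defines.

```shell
#!/bin/sh
# Added example: generate Proxmox VE firewall files so every container pulls
# in one shared security group instead of carrying its own copy of the rule.
# Not part of the forum thread or of Proxmox; names below are assumptions.
set -eu

ALIAS_NAME="ipv4_private_guests"   # alias used in the original post
ALIAS_CIDR="192.168.0.0/24"        # the private network behind that alias
GROUP_NAME="lxc_private_ping"      # assumed security-group name
IFACE="net0"                       # guest NIC the group is attached to

# Cluster-level fragment: the alias and a security group holding the single
# Ping rule. Merge it into /etc/pve/firewall/cluster.fw by hand; appending
# blindly would duplicate the [ALIASES] section if it already exists.
render_cluster_fragment() {
    cat <<EOF
[ALIASES]
$ALIAS_NAME $ALIAS_CIDR

[group $GROUP_NAME]
IN Ping(ACCEPT) -source $ALIAS_NAME -dest $ALIAS_NAME # Allow ping from any LXC
EOF
}

# Per-container file: firewall enabled, inbound default DROP (assumed here;
# drop the line to keep the datacentre default), and the shared group bound
# to the guest's net0. Nothing container-specific ends up in this file.
render_ct_fw() {
    cat <<EOF
[OPTIONS]

enable: 1
policy_in: DROP

[RULES]

GROUP $GROUP_NAME -i $IFACE
EOF
}

# Write <ctid>.fw into the given directory for each numeric id. Existing
# files are left alone unless FW_FORCE=1, because /etc/pve/firewall is
# replicated cluster-wide and a stray overwrite hits every node at once.
write_ct_files() {
    dir="$1"; shift
    for ctid in "$@"; do
        case "$ctid" in
            ''|*[!0-9]*) echo "skip '$ctid': not a numeric VMID" >&2; continue ;;
        esac
        target="$dir/$ctid.fw"
        if [ -e "$target" ] && [ "${FW_FORCE:-0}" != 1 ]; then
            echo "skip $target: exists (set FW_FORCE=1 to overwrite)" >&2
            continue
        fi
        render_ct_fw > "$target"
        echo "wrote $target"
    done
}

# Helper (assumed): list container ids from a directory of <ctid>.conf files,
# by default the node's /etc/pve/lxc, so you can feed all local CTs at once:
#   write_ct_files "$FW_DIR" $(list_ct_ids)
list_ct_ids() {
    dir="${1:-/etc/pve/lxc}"
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        basename "$f" .conf
    done
}

# Only touch the filesystem when container ids are given on the command line.
# FW_DIR can be pointed at a scratch directory for a dry run.
if [ "$#" -gt 0 ]; then
    FW_DIR="${FW_DIR:-/etc/pve/firewall}"
    render_cluster_fragment
    write_ct_files "$FW_DIR" "$@"
fi
```

Run it as root on a node, e.g. `sh gen-ct-fw.sh 100 101`, merge the printed fragment into cluster.fw, then check the result with `pve-firewall compile` before trusting it. Two caveats: with `policy_in: DROP` the container will accept nothing but ping until more rules are added to the group (SSH included), and because the group is defined once, editing its rule in cluster.fw changes the policy of every container that references it, which is exactly the "inheritance" the thread is after.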
 

Thanks! I contributed to it. Hopefully some day it will get implemented. Meanwhile, I'll keep searching for an Ansible module, or try to implement one myself (it's weird it does not exist yet, as managing firewall rules seems like a common task to me).