Block all incoming on iSCSI interfaces, while leaving all other interfaces unaffected

AngryAnt

Member
Mar 13, 2021
I run an external firewall managing access to & from my (non-clustered) nodes and VMs - except on the iSCSI storage network, which is just a switch connected to nodes and storage server.

Since iSCSI on my nodes has no use for incoming connections, I would like to just drop all those out of an abundance of caution. Obviously if a node or storage server is compromised, that is extremely bad, but nonetheless I prefer to do as much security in depth as possible.

Optimally I would like to be able to do this (and, more importantly, review this) in the PVE web UI, but that is icing on the cake.
 
Dear future reader, these are the steps I took to achieve the above (all in the PVE UI) - perhaps borderline silly in level of detail, but I prefer to do this once and right:
  1. Verify that you can successfully ping your node on its storage network address.
  2. Select the Datacenter node and from the available options unfold "Firewall", then pick "Options".
  3. Set Input Policy and Output Policy both to ACCEPT.
    • NOTE: The default Input is DROP. Since I am doing my firewalling for the non-storage-network interface externally, I do not want to re-create those rules here. The assumption will be that all traffic arriving at those interfaces is supposed to be there - hence setting the ACCEPT default.
  4. Final check that you set ACCEPT above correctly, so that you are not about to lock yourself out of the web interface.
  5. Set "Firewall" to Yes.
  6. Select a node you wish to firewall storage network for and from the available options unfold "Firewall", then pick "Options".
  7. Set "Firewall" to Yes. This node is now firewalled by PVE... which does absolutely nothing to traffic on it...
    • If you find that your final check in step 4 failed and you did after all just block yourself out of the web interface:
      1. Log in directly on the terminal of your node.
      2. Edit /etc/pve/nodes/<node name>/host.fw
      3. Change enable: 1 to enable: 0 in the [OPTIONS] section (should be at the top), save, and exit the editor.
      4. Run pve-firewall stop
      5. Goto 2.
  8. Now to actually block incoming traffic from your storage network, select "Network" and make a note of the interfaces you have configured with storage network addresses.
  9. Select "Firewall" (not the "Options" subsection) and hit the "Add" button above the rules list.
  10. For each storage network interface, configure a rule as follows:
    1. Direction: in
    2. Action: DROP
    3. Interface: <interface name - like vmbr1 or enp11s0f0 or whatever>
    4. Comment: Help your future self - "Drop incoming on storage" or whatever.
    5. Hit OK and then Add again if there are more interfaces.
  11. Inspect that your rules look right.
  12. Tick the "On" checkbox for each new rule you just made.
  13. Verify that the ping in step 1 no longer succeeds. If it still does, try running pve-firewall start on the node.
  14. Reboot the node, verify that the firewall still holds.
  15. Rejoice!
 
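For review outside the web UI, here is the end state the steps above produce, written out as the two firewall config files that the PVE UI edits. This is an added example, not part of the post; the interface name vmbr1 and the rule comment are the ones the post uses, and `<node name>` is a placeholder for your node's name.

```ini
# /etc/pve/firewall/cluster.fw  (Datacenter -> Firewall -> Options, steps 2-5)
# Input policy is left at ACCEPT here because the non-storage interfaces are
# firewalled externally; the PVE default would be DROP.
[OPTIONS]
enable: 1
policy_in: ACCEPT
policy_out: ACCEPT

# /etc/pve/nodes/<node name>/host.fw  (node -> Firewall, steps 6-12)
# Setting enable: 0 here is the lock-out recovery from step 7.
[OPTIONS]
enable: 1

[RULES]
# One line per storage-network interface. A rule that is not ticked "On" in
# the UI is stored with a leading "|" and is ignored until enabled.
IN DROP -i vmbr1 # Drop incoming on storage
```

After editing or reviewing these files, `pve-firewall compile` on the node prints the iptables rules PVE derives from them, and `pve-firewall status` confirms the firewall is enabled and running; the storage-interface rule should show up as a DROP in the host input chain.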
