Block unassigned IPs

XN-Matt

With KVM VMs at least, the IPs are on a sort of free-for-all.

We could create an inbound and outbound firewall route so they can only use their assigned IPs but that is quite labour intensive and still means they can at least add an IP alias and ARP will do nasty things.

Does Proxmox have any plans where an IP/or list of can be assigned to the VM in the interface and on the host node and ensure that only traffic to or from that/those addresses will flow.

Other software similar to Proxmox does this and it seems to work well.

It will prevent those clients adding IPs without being allocated them which can cause major issues for other customers.
 
I'm already aware of that but my question is not addressed, really.

"Does Proxmox have any plans where an IP/or list of can be assigned to the VM in the interface and on the host node and ensure that only traffic to or from that/those addresses will flow."

Not in the existing firewall rules section because users could remove those and there isn't a way to create rules in the GUI that only administrators can set/change/delete.

Whilst containers are already catered for - we are solely using machines (KVM).
 
"Does Proxmox have any plans where an IP/or list of can be assigned to the VM in the interface and on the host node and ensure that only traffic to or from that/those addresses will flow."
Not per se, but you could use the qemu-guest-agent to get the IP(s) inside the VM and iptables. Sure needs some scripting.

Not in the existing firewall rules section because users could remove those and there isn't a way to create rules in the GUI that only administrators can set/change/delete.
Your users are PVEVMAdmins? Then they could even add a new interface and set any IP inside the VM.
 
Not ideal, we don't want to do anything within the VM itself. Previous software set these rules on the host node.

No, they are not. As noted, the only way to do this in the GUI would be for admin to create a rule in and out but users could then alter their own specific VM rules. There is no way to set a rule to admin-only preventing users from changing on the specific VM. (We use the API so they can change their firewall rules but they cannot add interfaces)
 
Not ideal, we don't want to do anything within the VM itself.
Only the guest-agent needs to run inside the VM to query the IP from the outside.

We use the API so they can change their firewall rules but they cannot add interfaces
You could limit or force ipfilter rules in your application, then it would prevent user modifications upfront, wouldn't it?
 
Interesting.

What if the user removes/stops the agent? What would then happen?
 
Well, that depends upon your policy, as you have everything in your hands to allow or block traffic altogether. ;)
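
Added example, not part of the thread and not Proxmox code: a host-side audit of the kind the guest-agent suggestion above implies, comparing the addresses a VM reports through `qm agent <vmid> network-get-interfaces` with its allocation and returning a distinct result when the agent gives no data. The function name, the sample JSON and the addresses are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample of `qm agent <vmid> network-get-interfaces` output,
# trimmed to the fields this check reads.
SAMPLE_AGENT_JSON = json.dumps([
    {"name": "lo", "hardware-address": "00:00:00:00:00:00",
     "ip-addresses": [
         {"ip-address": "127.0.0.1", "ip-address-type": "ipv4", "prefix": 8}]},
    {"name": "eth0", "hardware-address": "bc:24:11:00:00:01",
     "ip-addresses": [
         {"ip-address": "192.0.2.10", "ip-address-type": "ipv4", "prefix": 24},
         {"ip-address": "192.0.2.77", "ip-address-type": "ipv4", "prefix": 24},
         {"ip-address": "fe80::be24:11ff:fe00:1", "ip-address-type": "ipv6",
          "prefix": 64}]},
])


def audit_guest_ips(agent_json, assigned):
    """Return (verdict, unassigned_addresses) for one VM.

    verdict is "ok", "violation", or "no-data" (agent stopped, removed, or
    output unusable). "no-data" is never treated as a pass; what happens to
    the VM's traffic in that case is the operator's policy decision.
    """
    allowed = {ipaddress.ip_address(a) for a in assigned}
    try:
        interfaces = json.loads(agent_json) if agent_json else None
    except json.JSONDecodeError:
        interfaces = None
    if not isinstance(interfaces, list):
        return "no-data", []
    unassigned = []
    for iface in interfaces:
        for entry in iface.get("ip-addresses", []):
            # Drop an IPv6 zone id ("fe80::1%eth0") before parsing.
            addr = ipaddress.ip_address(entry["ip-address"].split("%")[0])
            if addr.is_loopback or addr.is_link_local:
                continue  # not routable, so not part of the allocation
            if addr not in allowed:
                unassigned.append(str(addr))
    return ("violation" if unassigned else "ok"), sorted(unassigned)
```

The agent runs inside the guest, so its report is only as trustworthy as the guest; this check detects unallocated addresses, while blocking them still has to happen on the host.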
 
