Bug in Proxmox Firewall

ermanishchawla

Mar 23, 2020
[OPTIONS]

policy_out: REJECT
enable: 1
policy_in: REJECT



OUT SSH(ACCEPT) -source +hypervisor -dest +hypervisor -log info # SSH
IN SSH(ACCEPT) -source +hypervisor -dest +hypervisor -log info # SSH


According to these rules, SSH should only be allowed from the hypervisor IP set to the hypervisor IP set. But it is allowing SSH even to other IPs.

Until I replaced the rules with the following:


OUT SSH(ACCEPT) -source +hypervisor -dest +hypervisor -log info # SSH
OUT SSH(REJECT) -source +hypervisor -log info # SSH
IN SSH(ACCEPT) -source +hypervisor -dest +hypervisor -log info # SSH
 
The firewall does some sort of automatic voodoo which can be looked up in the documentation, especially with ssh and webgui port.
Ssh for example will still be allowed from other machines on the subnet until you define a reject rule. It's a bit annoying at first but can be circumvented with the appropriate rules.
 
Yeah, that's what I did, but the issue is that it is allowing outgoing SSH as well. Incoming SSH being allowed is what they have written in the documentation.
So here the bug is entirely different from what they have mentioned.
 
I'm pretty sure it's by design.
Seems like a flawed design. By default the firewall should have either an implicit deny or an implicit accept, and if we have set the policy to REJECT for in/out traffic then, except for the rules required for the internal working of Proxmox, the rest should all work.

The Proxmox documentation says:

Datacenter incoming/outgoing DROP/REJECT
If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:
- traffic over the loopback interface
- already established connections
- traffic using the IGMP protocol
- TCP traffic from management hosts to port 8006 in order to allow access to the web interface
- TCP traffic from management hosts to the port range 5900 to 5999 allowing traffic for the VNC web console
- TCP traffic from management hosts to port 3128 for connections to the SPICE proxy
- TCP traffic from management hosts to port 22 to allow ssh access
- UDP traffic in the cluster network to port 5404 and 5405 for corosync
- UDP multicast traffic in the cluster network
- ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11 (Time Exceeded)



So if you read it, it says "from management hosts to port 22 to allow ssh access". It does not say that SSH from Proxmox to other systems will also still work.

So it is definitely a bug, or the documentation is wrong.
 
It also says port 22 from management hosts, but another document says port 22 from the same subnet, which is the actual behaviour.
I don't know the rationale behind this design, but I agree with you that this is rather unexpected for anyone who deals with "standard" firewalls.
 
Anyhow, I could circumvent this with the addition of new rules. I hope they streamline it in a future release. For example, I very much miss creating my own macros, i.e. grouping TCP/UDP ports for custom applications.
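To see why the first rule set above still lets outbound SSH through, and why the added OUT REJECT rule fixes it, here is a small model of the host chain's decision, written for this thread and not taken from Proxmox's own code. It parses the rule syntax posted above, applies the explicit rules first, then the built-in allowances from the documentation list (modelled, per the reply above, as "management ports to the local subnet" on the OUT side and "from management hosts" on the IN side), and finally the configured policy. The evaluation order, the ipset contents, the IP addresses and the `10.0.0.0/24` cluster network are all assumptions chosen to reproduce the behaviour described in the thread.

```python
import ipaddress
import re

# Macro -> (protocol, destination port). Only the macro the thread uses.
MACROS = {"SSH": ("tcp", 22)}

# TCP ports the documentation lists as still reachable under a DROP/REJECT
# policy (8006 web UI, 5900-5999 VNC, 3128 SPICE, 22 SSH). Corosync UDP omitted.
MGMT_PORTS = [(8006, 8006), (5900, 5999), (3128, 3128), (22, 22)]

RULE_RE = re.compile(r"^(IN|OUT)\s+(\w+)\((ACCEPT|REJECT|DROP)\)(.*)$")
POLICY_RE = re.compile(r"^(policy_in|policy_out):\s*(\w+)")

# Constructed sample data (assumed addresses, not from the page).
IPSETS = {"hypervisor": ["10.0.0.11", "10.0.0.12"], "management": ["10.0.0.0/24"]}
LOCAL_NET = "10.0.0.0/24"

ORIGINAL_FW = """[OPTIONS]
policy_out: REJECT
enable: 1
policy_in: REJECT

[RULES]
OUT SSH(ACCEPT) -source +hypervisor -dest +hypervisor -log info # SSH
IN SSH(ACCEPT) -source +hypervisor -dest +hypervisor -log info # SSH
"""

FIXED_FW = ORIGINAL_FW + "OUT SSH(REJECT) -source +hypervisor -log info # SSH\n"


def parse_fw(text):
    """Parse the subset of host.fw syntax quoted in the thread."""
    # Defaults are only a placeholder here; the posted file sets both policies.
    conf = {"policy_in": "DROP", "policy_out": "ACCEPT", "rules": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '# comment' is not a match criterion
        if not line or line.startswith("["):
            continue
        if m := POLICY_RE.match(line):
            conf[m.group(1)] = m.group(2).upper()
            continue
        if m := RULE_RE.match(line):
            direction, macro, action, opts = m.groups()
            proto, dport = MACROS[macro]
            rule = {"dir": direction, "action": action, "proto": proto,
                    "dport": dport, "source": None, "dest": None}
            for key, val in re.findall(r"-(source|dest)\s+(\S+)", opts):
                rule[key] = val
            conf["rules"].append(rule)
    return conf


def addr_match(spec, ip, ipsets):
    """None matches anything; '+name' is an ipset; otherwise an IP or CIDR."""
    if spec is None:
        return True
    nets = ipsets[spec[1:]] if spec.startswith("+") else [spec]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(conf, ipsets, local_net, direction, src, dst, proto, dport):
    """Return (verdict, reason) for one packet as seen by the host chain."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. Explicit host rules, first match wins. Assumed to be evaluated before
    #    the built-in allowances, which is what makes the thread's fix work.
    for r in conf["rules"]:
        if (r["dir"] == direction and r["proto"] == proto and r["dport"] == dport
                and addr_match(r["source"], src, ipsets)
                and addr_match(r["dest"], dst, ipsets)):
            return r["action"], f"rule {r['dir']} {r['action']} {r['source']} -> {r['dest']}"
    # 2. Built-in allowances from the documentation list.
    peer = dst if direction == "OUT" else src
    mgmt_port = proto == "tcp" and any(lo <= dport <= hi for lo, hi in MGMT_PORTS)
    if mgmt_port and direction == "IN" and addr_match("+management", peer, ipsets):
        return "ACCEPT", "built-in: management host -> host management port"
    if mgmt_port and direction == "OUT" and peer in ipaddress.ip_network(local_net):
        return "ACCEPT", "built-in: host -> management port on local subnet (assumed)"
    # 3. Nothing matched: the configured policy decides.
    return conf["policy_" + direction.lower()], "policy"


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_FW), ("fixed", FIXED_FW)):
        conf = parse_fw(text)
        for dst in ("10.0.0.12", "10.0.0.50", "192.168.1.5"):
            verdict = evaluate(conf, IPSETS, LOCAL_NET, "OUT", "10.0.0.11", dst, "tcp", 22)
            print(f"{label:8} OUT 10.0.0.11 -> {dst}:22  {verdict}")
```

With the original file, outbound SSH from 10.0.0.11 to 10.0.0.50 (same subnet, not in the hypervisor set) is accepted by the built-in allowance even though the policy is REJECT; with the extra OUT REJECT rule the explicit rule matches first and the connection is rejected; a destination off the cluster subnet was already rejected by policy in both cases. On a real host, compare the model against `pve-firewall compile` and `iptables -S PVEFW-HOST-OUT`, which show the generated chain and the order the rules actually land in.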
 