[SOLVED] Can't drop Anydesk discovery multicast traffic at node or cluster level

godzilla

May 20, 2021
Hi,

PVE 7.4-16 here. It looks like I can't drop this type of traffic at datacenter/node level. Only VM level works.

As per Anydesk documentation (and further traffic sniffing) this is the traffic I need to drop:
- protocol: UDP
- destination IP: 239.255.102.18 (multicast)
- destination ports: 50001,50002,50003

If I set an "OUT" drop rule at VM-level, the traffic is actually dropped and everything works as expected.

I'm struggling to drop it at node or datacenter level. I'm even trying some ACCEPT rules with only the destination IP, in order to sniff the outgoing traffic, but nothing seems to work.

What am I doing wrong?
 
The node's iptables chains do not see the VM traffic as it is bridged into the network.
Hi @gurubert , sorry for the late reply. I understand.

So there's no other way to drop a given type of VM-level traffic without using the VM firewall? I'd like to block this protocol without my users ever noticing.

Thank you very much!
 
You can use the VM specific firewall of Proxmox. You do not need to use a firewall inside the VM.
The VM specific firewall will create a fwbr interface to which iptables rules are attached and where they can see the VM traffic.
The VM itself does not know about these rules.
 
Yes, rules on the DC or node level affect traffic to all or the specific node, but not the guests. You can create a new Security Group at the DC level and configure the rule(s) there. Then insert the security group on the VMs. This way you need to only adapt it in one place and it will be applied to all guests using the security rule.

If you want to add the security group to many/all of the VMs you could script it with the API. The call to add a new security group for example looks like this with the integrated pvesh tool.
Code:
pvesh create nodes/{node}/qemu/{vmid}/firewall/rules --type group --action {security group} --enable 1 --comment "test comment"

The API viewer might be useful as well: https://pve.proxmox.com/pve-docs/api-viewer/index.html
Or if you don't know which API endpoint might be used, open the developer tools in the browser, and there the network traffic tab. Then do the thing in the browser and check which calls have been made :)
 
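The API approach described above, scripted for a single node, as an added example that is not part of the thread. The group name `blockanydesk` and the helper function names are hypothetical, the rule values are the ones from the first post, and the node name is assumed to equal the short hostname.

```shell
#!/bin/sh
# Added example (not from the thread). GROUP and the helper names are hypothetical.
GROUP="${GROUP:-blockanydesk}"
NODE="${NODE:-$(hostname)}"   # assumption: PVE node name == short hostname
DRY_RUN="${DRY_RUN:-1}"       # 1 = print the pvesh calls instead of running them

# Constructed sample of `qm list` output, for a dry run away from a node.
SAMPLE_QM_LIST='      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID
       100 web01                running    2048              32.00 1234
       101 db01                 stopped    4096              64.00 0'

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the datacenter-level security group with the AnyDesk discovery drop rule.
create_group() {
    run pvesh create /cluster/firewall/groups --group "$GROUP"
    run pvesh create "/cluster/firewall/groups/$GROUP/rules" \
        --type out --action DROP --proto udp \
        --dest 239.255.102.18 --dport 50001,50002,50003 --enable 1
}

# Read `qm list` output on stdin, print one VMID per line (header row is skipped).
vmids() {
    awk '$1 ~ /^[0-9]+$/ { print $1 }'
}

# Read VMIDs on stdin and reference the group from each VM's firewall rules.
attach_group() {
    while read -r vmid; do
        run pvesh create "/nodes/$NODE/qemu/$vmid/firewall/rules" \
            --type group --action "$GROUP" --enable 1
    done
}

# Dry run:   printf '%s\n' "$SAMPLE_QM_LIST" | vmids | attach_group
# On a node: DRY_RUN=0, then: create_group && qm list | vmids | attach_group
```

Review the dry-run output before setting `DRY_RUN=0`; running the attach step twice adds a second reference to the group on each VM.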
@aaron thanks again, it worked perfectly! In fact, I'd had a good hunch in creating the security group, but for some reason I didn't apply it to the VM :D what a genius
 
@gurubert thanks for your input, the problem is that my customers can see/edit the firewall rules at VM-level. aaron's solution is what I was looking for: setting policies without customers even knowing.

cheers! ;)
 
> @gurubert thanks for your input, the problem is that my customers can see/edit the firewall rules at VM-level. aaron's solution is what I was looking for: setting policies without customers even knowing.
But this is the method I meant to describe, only that @aaron explains it with the API. You can add the same firewall rules via the Proxmox GUI.
 
> But this is the method I meant to describe, only that @aaron explains it with the API. You can add the same firewall rules via the Proxmox GUI.
I can't. Customers would see the firewall rules. That's the whole point.
The Security Group described by aaron is the right solution for me (I need it for a specific VM, therefore the API part is actually not relevant for my purpose).
 
