Clarifications on firewall rules

ale.zatti

Dec 25, 2022
Hi all,
I'm trying to study how the PROXMOX firewall works.
My aim is to create a partially isolated network (like a DMZ). I can reach the systems in the DMZ, but they can't reach any other system than the Internet.

I understand that I can specify rules at Cluster, node and VM levels. It seems to me the only rules that are working are the ones assigned directly to a VM.
I thought that, if I enable it, the VM firewall inherits the rules from the node... am I wrong? Do I have to assign the rules to each VM manually?
At this point, what is the advantage of assigning the rules to each level?

Thanks, Ale
Firewall rules at cluster level are inherited by the nodes, but not by VMs - for VMs, rules have to be set individually. It is also necessary to have the "firewall" option enabled for each interface (which is set by default).
Thanks Richard! And it makes sense. I was looking for a way to block/allow traffic for all the VMs without assigning the rules to the VMs one by one!
Anyway thanks Richard for the confirmation!

Ale
 
Probably a Security group is an option? I used it, creating `seqg_dmz` - the group where all DMZ restrictions are applied, plus exceptions like SSH management or ICMP or whatever is common for all DMZ hosts. After that you still need to assign the group to each host. But only one group instead of a set of rules.
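Putting the two answers together as a worked example (an added illustration, not configuration from this thread; the LAN subnet, VM id 100 and the alias name `lan_net` are assumed, `seqg_dmz` is the group name from the reply above): the security group is defined once in the cluster-level `/etc/pve/firewall/cluster.fw`, and each DMZ guest references it from its own `/etc/pve/firewall/<vmid>.fw`, which is the per-VM step the replies say cannot be inherited.

```ini
# /etc/pve/firewall/cluster.fw  (cluster level, shared by all nodes)
[OPTIONS]
enable: 1

[ALIASES]
lan_net 192.168.10.0/24    # hypothetical internal LAN the DMZ must not reach

[group seqg_dmz]           # defined once, reused by every DMZ guest
IN ACCEPT -p tcp -dport 22 -source lan_net   # SSH management from the LAN only
IN ACCEPT -p icmp                            # ping for monitoring
OUT DROP -dest lan_net                       # DMZ guest may not initiate traffic into the LAN
OUT ACCEPT                                   # everything else (Internet) is allowed

# /etc/pve/firewall/100.fw  (VM level; repeat for each DMZ VM id)
# The "firewall" option on the VM's network device must be on (net0: ...,firewall=1)
[OPTIONS]
enable: 1
policy_in: DROP            # default for anything the group does not accept
policy_out: ACCEPT

[RULES]
GROUP seqg_dmz             # rules are evaluated top-down, first match wins
```

The same objects can be created in the GUI under Datacenter > Firewall (Security Group, Alias) and then added as a single "Security Group" rule on each VM's Firewall tab.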