Clarity on firewall layers and how they impact each other

WvdW

Renowned Member
Apr 18, 2013
26
1
68
Hi All,

Before someone says RTFM, it has been done as well as several threads in this forum. Either I'm missing something or it has not been clearly defined in any of those sources.

So what I would like to clarify is how the different firewall layers (datacenter, node, VM) impact each other (if at all)?

Let me give a couple of examples:
- I configure all drop in the datacenter firewall and only allow traffic in to 8006.
What would this mean for nodes and VMs?
1. Would it mean that traffic coming in directly to a specific node or VM IP would also all be dropped automatically because it was set at datacenter level?
2. What if I then allow traffic to 3128 on a specific node in a cluster but not on the other cluster nodes? Will it actually come through if all drop was already configured for the datacenter? Or would the new node rule automatically override the all drop from the datacenter for that one node?
3. What are the levels of override? Is it VM overrides node, which in turn overrides datacenter? Or do each layer function totally independently so that even if all traffic was dropped at the datacenter level it will not impact any traffic aimed directly at a node IP or a VM IP?
- So assuming the answer to question 3 is VM > node > datacenter:
3.1 If I then create a rule to drop traffic to port 3389 in datacenter, set no explicit rule for that port at node level but create an allow rule for 3389 for the VM... will the VM actually get its 3389 traffic? Or do I not even have to create a specific allow rule for the VM because it will receive all traffic in any case because no explicit drop all was created for it?

Any explanations on the subject would be appreciated greatly :)

Werner
 
  • Like
Reactions: Banneisen
- I configure all drop in the datacenter firewall and only allow traffic in to 8006.
What would this mean for nodes and VMs?
1. Would it mean that traffic coming in directly to a specific node or VM IP would also all be dropped automatically because it was set at datacenter level?

Assuming you have activated Firewall options Yes for node, VM ad VM´s virual NICs: yes

Where set to "No" it does not have any effect.


2. What if I then allow traffic to 3128 on a specific node in a cluster but not on the other cluster nodes? Will it actually come through if all drop was already configured for the datacenter? Or would the new node rule automatically override the all drop from the datacenter for that one node?

DROP goes into effect if there is no matching rule defined. In the case you described it neither the first nor the second alternative you wrote. For that prticular node simple the rule (ACCEPT) has effect.

3. What are the levels of override? Is it VM overrides node, which in turn overrides datacenter? Or do each layer function totally independently so that even if all traffic was dropped at the datacenter level it will not impact any traffic aimed directly at a node IP or a VM IP?
- So assuming the answer to question 3 is VM > node > datacenter:
correct
3.1 If I then create a rule to drop traffic to port 3389 in datacenter, set no explicit rule for that port at node level but create an allow rule for 3389 for the VM... will the VM actually get its 3389 traffic? Or do I not even have to create a specific allow rule for the VM because it will receive all traffic in any case because no explicit drop all was created for it?
If in VM Firewall option Firewall is not active no further action is necessary (the same when for the virtual NIC Firewall is not set)
In other cases a rule as you described will help.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!