Confused about interface setup on firewall

asmar
Nov 15, 2014
Hi all,

I've just installed the latest Proxmox (3.3-1) and would like to ask a few questions about the firewall setup as it's not very clear to me.

I have about 10 virtual machines running on the server, all KVM with static IPs.
On the host, if I run ifconfig, I get the following:

Code:
root@proxmox1:~# ifconfig 
eth0      Link encap:Ethernet  HWaddr 68:05:ca:05:73:cb  
          inet6 addr: fe80::6a05:caff:fe05:73cb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:191680591 errors:0 dropped:0 overruns:0 frame:0
          TX packets:199428576 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:64649438773 (60.2 GiB)  TX bytes:236203383427 (219.9 GiB)
          Interrupt:18 Memory:fe4c0000-fe4e0000 

fwbr100i0 Link encap:Ethernet  HWaddr b2:2e:7d:c6:08:82  
          inet6 addr: fe80::f801:3dff:fec0:28bd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3592907 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:180655070 (172.2 MiB)  TX bytes:468 (468.0 B)

fwbr101i0 Link encap:Ethernet  HWaddr b2:1d:10:09:5e:0a  
          inet6 addr: fe80::c075:65ff:fe88:ca82/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3592194 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:180618528 (172.2 MiB)  TX bytes:468 (468.0 B)

fwbr102i0 Link encap:Ethernet  HWaddr 3a:56:61:c3:43:21  
          inet6 addr: fe80::a4ca:ecff:feb2:2b93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6006786 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:301498381 (287.5 MiB)  TX bytes:468 (468.0 B)

fwbr106i0 Link encap:Ethernet  HWaddr 62:75:c7:2f:6e:6d  
          inet6 addr: fe80::f87b:a6ff:fe14:ad79/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:331539 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:16617832 (15.8 MiB)  TX bytes:468 (468.0 B)

fwbr107i0 Link encap:Ethernet  HWaddr ce:52:bd:99:1b:cc  
          inet6 addr: fe80::6874:edff:fe85:5461/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:894423 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:44917119 (42.8 MiB)  TX bytes:468 (468.0 B)

fwbr108i0 Link encap:Ethernet  HWaddr aa:9a:dc:32:bb:8b  
          inet6 addr: fe80::10ca:e9ff:fee5:e35a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:617164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:30977121 (29.5 MiB)  TX bytes:468 (468.0 B)

fwln100i0 Link encap:Ethernet  HWaddr b2:2e:7d:c6:08:82  
          inet6 addr: fe80::b02e:7dff:fec6:882/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4994679 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2131810 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:594587062 (567.0 MiB)  TX bytes:1985056649 (1.8 GiB)

fwln101i0 Link encap:Ethernet  HWaddr b2:1d:10:09:5e:0a  
          inet6 addr: fe80::b01d:10ff:fe09:5e0a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4491873 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1360546 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:358136083 (341.5 MiB)  TX bytes:824080330 (785.9 MiB)

fwln102i0 Link encap:Ethernet  HWaddr 3a:56:61:c3:43:21  
          inet6 addr: fe80::3856:61ff:fec3:4321/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58030895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77907132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:24438825405 (22.7 GiB)  TX bytes:81439102308 (75.8 GiB)

fwln106i0 Link encap:Ethernet  HWaddr 62:75:c7:2f:6e:6d  
          inet6 addr: fe80::6075:c7ff:fe2f:6e6d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5186823 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4436326 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4799164491 (4.4 GiB)  TX bytes:4465479952 (4.1 GiB)

fwln107i0 Link encap:Ethernet  HWaddr ce:52:bd:99:1b:cc  
          inet6 addr: fe80::cc52:bdff:fe99:1bcc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1198847 errors:0 dropped:0 overruns:0 frame:0
          TX packets:315302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:652191628 (621.9 MiB)  TX bytes:29610553 (28.2 MiB)

fwln108i0 Link encap:Ethernet  HWaddr aa:9a:dc:32:bb:8b  
          inet6 addr: fe80::a89a:dcff:fe32:bb8b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1976352 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1420885 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2641105127 (2.4 GiB)  TX bytes:892454601 (851.1 MiB)

fwpr100p0 Link encap:Ethernet  HWaddr 16:24:cb:a7:49:c5  
          inet6 addr: fe80::1424:cbff:fea7:49c5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2131810 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4994679 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1985056649 (1.8 GiB)  TX bytes:594587062 (567.0 MiB)

fwpr101p0 Link encap:Ethernet  HWaddr f6:85:c9:58:d9:ad  
          inet6 addr: fe80::f485:c9ff:fe58:d9ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1360546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4491873 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:824080330 (785.9 MiB)  TX bytes:358136083 (341.5 MiB)

fwpr102p0 Link encap:Ethernet  HWaddr e6:ca:dd:5f:38:58  
          inet6 addr: fe80::e4ca:ddff:fe5f:3858/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77907132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58030895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:81439102308 (75.8 GiB)  TX bytes:24438825405 (22.7 GiB)

fwpr106p0 Link encap:Ethernet  HWaddr e6:0c:7e:a5:10:36  
          inet6 addr: fe80::e40c:7eff:fea5:1036/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4436326 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5186823 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4465479952 (4.1 GiB)  TX bytes:4799164491 (4.4 GiB)

fwpr107p0 Link encap:Ethernet  HWaddr 9e:91:6a:d3:09:4b  
          inet6 addr: fe80::9c91:6aff:fed3:94b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:315302 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1198847 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29610553 (28.2 MiB)  TX bytes:652191628 (621.9 MiB)

fwpr108p0 Link encap:Ethernet  HWaddr e2:cc:44:16:87:96  
          inet6 addr: fe80::e0cc:44ff:fe16:8796/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1420885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1976352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:892454601 (851.1 MiB)  TX bytes:2641105127 (2.4 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1877576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1877576 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1091949710 (1.0 GiB)  TX bytes:1091949710 (1.0 GiB)

tap100i0  Link encap:Ethernet  HWaddr a2:29:9a:d4:fd:24  
          inet6 addr: fe80::a029:9aff:fed4:fd24/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2131798 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5024182 errors:0 dropped:6980 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:1985055809 (1.8 GiB)  TX bytes:596532537 (568.8 MiB)

tap101i0  Link encap:Ethernet  HWaddr be:1b:90:fa:fd:64  
          inet6 addr: fe80::bc1b:90ff:fefa:fd64/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1360536 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4492956 errors:0 dropped:613 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:824079622 (785.9 MiB)  TX bytes:358209122 (341.6 MiB)

tap102i0  Link encap:Ethernet  HWaddr ba:76:ad:18:03:b5  
          inet6 addr: fe80::b876:adff:fe18:3b5/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:77907126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64909068 errors:0 dropped:86673 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:81439102008 (75.8 GiB)  TX bytes:24893658819 (23.1 GiB)

tap106i0  Link encap:Ethernet  HWaddr d2:14:eb:63:8b:6b  
          inet6 addr: fe80::d014:ebff:fe63:8b6b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4436320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6368318 errors:0 dropped:12438 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:4465479652 (4.1 GiB)  TX bytes:4877108115 (4.5 GiB)

tap107i0  Link encap:Ethernet  HWaddr 6e:8c:33:50:e4:7e  
          inet6 addr: fe80::6c8c:33ff:fe50:e47e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:315292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1390452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:29609893 (28.2 MiB)  TX bytes:663019872 (632.3 MiB)

tap108i0  Link encap:Ethernet  HWaddr 76:f7:44:5f:9e:f9  
          inet6 addr: fe80::74f7:44ff:fe5f:9ef9/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1420879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2718960 errors:0 dropped:8900 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:892454301 (851.1 MiB)  TX bytes:2690126975 (2.5 GiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet6 addr: fe80::1/128 Scope:Link
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmbr0     Link encap:Ethernet  HWaddr 68:05:ca:05:73:cb  
          inet addr:192.168.1.155  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::6a05:caff:fe05:73cb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:111284423 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34410132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24628943646 (22.9 GiB)  TX bytes:137114365662 (127.6 GiB)

Only vmbr0 seems to have the "live" network details (I've changed the live IP to a test one).

Under Proxmox firewall, when I click on Add Rule, which interface from all the above do I need to include to pass the rule to all VMs? Same if I need to create a security group?
Do I need to use vmbr0?

I will add some generic rules which I want to apply to all VMs running in the node.

Also, under the source and destination fields, what should I put for the rule to be available in all VMs?

Thanks in advance.
 
Thanks a lot for the reply. I've set IN and OUT to ACCEPT under the Datacenter tab and then set IN and OUT to DROP in a VM, but I can still access the web server on that VM, for example. Do I somehow need to restart the firewall?

Thanks
 
I've tried to start the firewall from the terminal as per the wiki instructions and I'm getting the following error:

root@proxmox1:~# pve-firewall start
ERROR: can't aquire lock '/var/run/pve-firewall.pid.lock' - Resource temporarily unavailable
 
I guess it is already running:

# pve-firewall status

Please can you post the output of

# pve-firewall compile
 
Hi Dietmar,

Thanks for the answer.

root@proxmox1:~# pve-firewall status
Status: disabled/running

root@proxmox1:~# pve-firewall compile
no changes
firewall disabled
 
Just an update: I've enabled the firewall via cluster.fw and now the status shows it running:

root@proxmox1:~# pve-firewall status
Status: enabled/running

I have however on a VM the following rules:

root@proxmox1:/etc/pve/firewall# cat 101.fw
[RULES]

OUT DROP
IN DROP

but I can access that VM fine via port 80, for example.
 
You must understand that Proxmox has 3 firewall levels: Datacenter, Node and VM.

CAUTION!!! In Datacenter -- Firewall: you must set INPUT and OUTPUT Policy = ACCEPT, otherwise you will be blocked yourself!!!

Since you need to block port 80 on VM 101, you must:
1. Enable the firewall on the VM: click VM 101 -- Firewall tab -- Options: Enable Firewall = Yes
2. Add the rule: IN DROP 80 tcp, then click Enable
 
But, as mentioned above, I have in VM 101 the rules to drop everything, all ports, and I can still connect. The firewall is enabled on the VM and on the Datacenter.
I want a rule to block everything/all traffic apart from the ports that I will exclude. IN/OUT DROP seems to do nothing in VM 101.

root@proxmox1:/etc/pve/firewall# cat 101.fw
[RULES]

OUT DROP
IN DROP
 
You must enable the firewall on VM 101. Mine looks like this:

Code:
# cat /etc/pve/firewall/1000001.fw
[OPTIONS]

enable: 1

[RULES]

IN DROP -p tcp -dport 80

Also, for a Qemu/KVM VM you must enable "Firewall" on the Network Device (click VM 101 -- Hardware -- Network Device).
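As an added example (not code from this thread or from Proxmox), a small Python checker that parses a VM-level `/etc/pve/firewall/<vmid>.fw` file in the layout shown above and flags the exact misconfiguration the thread hit: rules present under `[RULES]` but no `enable: 1` under `[OPTIONS]`, so the rules never take effect. The function names `parse_fw` and `diagnose` and the sample file contents are constructed for this illustration.

```python
# Added example: parse a Proxmox VM-level firewall file (/etc/pve/firewall/<vmid>.fw)
# and flag the misconfiguration seen in this thread: rules present, but
# "enable: 1" missing from [OPTIONS], so the rules are never applied.
# Stand-alone illustration, not Proxmox's own parser.
import re

# Rule lines look like "IN DROP" or "IN DROP -p tcp -dport 80"
RULE_RE = re.compile(r"^(?P<dir>IN|OUT)\s+(?P<action>ACCEPT|DROP|REJECT)(?P<opts>.*)$")


def parse_fw(text):
    """Return {'options': {...}, 'rules': [...]} from .fw file contents."""
    section = None
    options, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()   # [OPTIONS] / [RULES]
            continue
        if section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section == "RULES":
            m = RULE_RE.match(line)
            if m:
                rules.append({"dir": m["dir"], "action": m["action"],
                              "opts": m["opts"].split()})
    return {"options": options, "rules": rules}


def diagnose(text):
    """Return human-readable findings for a VM-level .fw file (empty list = ok)."""
    cfg = parse_fw(text)
    findings = []
    if cfg["options"].get("enable") != "1":
        findings.append("VM firewall not enabled: add 'enable: 1' under [OPTIONS]; rules are ignored")
    for r in cfg["rules"]:
        if r["action"] == "DROP" and not r["opts"]:   # bare DROP with no match options
            findings.append(f"{r['dir']} DROP matches all traffic in that direction")
    return findings


# Constructed sample mirroring the thread's 101.fw (rules only, no [OPTIONS] enable)
SAMPLE_DISABLED = "[RULES]\n\nOUT DROP\nIN DROP\n"
# Constructed sample mirroring the working 1000001.fw from the thread
SAMPLE_ENABLED = "[OPTIONS]\n\nenable: 1\n\n[RULES]\n\nIN DROP -p tcp -dport 80\n"

if __name__ == "__main__":
    for name, text in (("101.fw", SAMPLE_DISABLED), ("1000001.fw", SAMPLE_ENABLED)):
        print(name, diagnose(text) or ["ok"])
```

The "Firewall" checkbox on the VM's network device (the `firewall=1` flag on the NIC) lives in the VM config, not in the .fw file, so this checker cannot see it; verify that setting separately as the reply above says.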
 
That did the trick:

[OPTIONS]

enable: 1

I thought enabling the firewall via the GUI would be enough, but it seems the above needs to be added to every file.
Is that the normal behaviour?

Thanks a lot
 
I did select it in all locations, but it doesn't work unless I add the entry to the conf file. After that everything works fine.
 
I think you have to set the cluster file, testing atm.
Don't forget to set the policies to ACCEPT, do :p
 