Confused about interface setup on firewall

asmar
Nov 15, 2014
Hi all,

I've just installed the latest Proxmox (3.3-1) and would like to ask a few questions about the firewall setup as it's not very clear to me.

I have about 10 virtual machines running on the server, all KVM with static IPs.
On the host, if I run ifconfig I get the following:

Code:
root@proxmox1:~# ifconfig 
eth0      Link encap:Ethernet  HWaddr 68:05:ca:05:73:cb  
          inet6 addr: fe80::6a05:caff:fe05:73cb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:191680591 errors:0 dropped:0 overruns:0 frame:0
          TX packets:199428576 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:64649438773 (60.2 GiB)  TX bytes:236203383427 (219.9 GiB)
          Interrupt:18 Memory:fe4c0000-fe4e0000 

fwbr100i0 Link encap:Ethernet  HWaddr b2:2e:7d:c6:08:82  
          inet6 addr: fe80::f801:3dff:fec0:28bd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3592907 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:180655070 (172.2 MiB)  TX bytes:468 (468.0 B)

fwbr101i0 Link encap:Ethernet  HWaddr b2:1d:10:09:5e:0a  
          inet6 addr: fe80::c075:65ff:fe88:ca82/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3592194 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:180618528 (172.2 MiB)  TX bytes:468 (468.0 B)

fwbr102i0 Link encap:Ethernet  HWaddr 3a:56:61:c3:43:21  
          inet6 addr: fe80::a4ca:ecff:feb2:2b93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6006786 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:301498381 (287.5 MiB)  TX bytes:468 (468.0 B)

fwbr106i0 Link encap:Ethernet  HWaddr 62:75:c7:2f:6e:6d  
          inet6 addr: fe80::f87b:a6ff:fe14:ad79/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:331539 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:16617832 (15.8 MiB)  TX bytes:468 (468.0 B)

fwbr107i0 Link encap:Ethernet  HWaddr ce:52:bd:99:1b:cc  
          inet6 addr: fe80::6874:edff:fe85:5461/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:894423 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:44917119 (42.8 MiB)  TX bytes:468 (468.0 B)

fwbr108i0 Link encap:Ethernet  HWaddr aa:9a:dc:32:bb:8b  
          inet6 addr: fe80::10ca:e9ff:fee5:e35a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:617164 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:30977121 (29.5 MiB)  TX bytes:468 (468.0 B)

fwln100i0 Link encap:Ethernet  HWaddr b2:2e:7d:c6:08:82  
          inet6 addr: fe80::b02e:7dff:fec6:882/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4994679 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2131810 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:594587062 (567.0 MiB)  TX bytes:1985056649 (1.8 GiB)

fwln101i0 Link encap:Ethernet  HWaddr b2:1d:10:09:5e:0a  
          inet6 addr: fe80::b01d:10ff:fe09:5e0a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4491873 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1360546 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:358136083 (341.5 MiB)  TX bytes:824080330 (785.9 MiB)

fwln102i0 Link encap:Ethernet  HWaddr 3a:56:61:c3:43:21  
          inet6 addr: fe80::3856:61ff:fec3:4321/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:58030895 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77907132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:24438825405 (22.7 GiB)  TX bytes:81439102308 (75.8 GiB)

fwln106i0 Link encap:Ethernet  HWaddr 62:75:c7:2f:6e:6d  
          inet6 addr: fe80::6075:c7ff:fe2f:6e6d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5186823 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4436326 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4799164491 (4.4 GiB)  TX bytes:4465479952 (4.1 GiB)

fwln107i0 Link encap:Ethernet  HWaddr ce:52:bd:99:1b:cc  
          inet6 addr: fe80::cc52:bdff:fe99:1bcc/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1198847 errors:0 dropped:0 overruns:0 frame:0
          TX packets:315302 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:652191628 (621.9 MiB)  TX bytes:29610553 (28.2 MiB)

fwln108i0 Link encap:Ethernet  HWaddr aa:9a:dc:32:bb:8b  
          inet6 addr: fe80::a89a:dcff:fe32:bb8b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1976352 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1420885 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2641105127 (2.4 GiB)  TX bytes:892454601 (851.1 MiB)

fwpr100p0 Link encap:Ethernet  HWaddr 16:24:cb:a7:49:c5  
          inet6 addr: fe80::1424:cbff:fea7:49c5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2131810 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4994679 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1985056649 (1.8 GiB)  TX bytes:594587062 (567.0 MiB)

fwpr101p0 Link encap:Ethernet  HWaddr f6:85:c9:58:d9:ad  
          inet6 addr: fe80::f485:c9ff:fe58:d9ad/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1360546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4491873 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:824080330 (785.9 MiB)  TX bytes:358136083 (341.5 MiB)

fwpr102p0 Link encap:Ethernet  HWaddr e6:ca:dd:5f:38:58  
          inet6 addr: fe80::e4ca:ddff:fe5f:3858/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:77907132 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58030895 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:81439102308 (75.8 GiB)  TX bytes:24438825405 (22.7 GiB)

fwpr106p0 Link encap:Ethernet  HWaddr e6:0c:7e:a5:10:36  
          inet6 addr: fe80::e40c:7eff:fea5:1036/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4436326 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5186823 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4465479952 (4.1 GiB)  TX bytes:4799164491 (4.4 GiB)

fwpr107p0 Link encap:Ethernet  HWaddr 9e:91:6a:d3:09:4b  
          inet6 addr: fe80::9c91:6aff:fed3:94b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:315302 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1198847 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29610553 (28.2 MiB)  TX bytes:652191628 (621.9 MiB)

fwpr108p0 Link encap:Ethernet  HWaddr e2:cc:44:16:87:96  
          inet6 addr: fe80::e0cc:44ff:fe16:8796/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1420885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1976352 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:892454601 (851.1 MiB)  TX bytes:2641105127 (2.4 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1877576 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1877576 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1091949710 (1.0 GiB)  TX bytes:1091949710 (1.0 GiB)

tap100i0  Link encap:Ethernet  HWaddr a2:29:9a:d4:fd:24  
          inet6 addr: fe80::a029:9aff:fed4:fd24/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:2131798 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5024182 errors:0 dropped:6980 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:1985055809 (1.8 GiB)  TX bytes:596532537 (568.8 MiB)

tap101i0  Link encap:Ethernet  HWaddr be:1b:90:fa:fd:64  
          inet6 addr: fe80::bc1b:90ff:fefa:fd64/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1360536 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4492956 errors:0 dropped:613 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:824079622 (785.9 MiB)  TX bytes:358209122 (341.6 MiB)

tap102i0  Link encap:Ethernet  HWaddr ba:76:ad:18:03:b5  
          inet6 addr: fe80::b876:adff:fe18:3b5/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:77907126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64909068 errors:0 dropped:86673 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:81439102008 (75.8 GiB)  TX bytes:24893658819 (23.1 GiB)

tap106i0  Link encap:Ethernet  HWaddr d2:14:eb:63:8b:6b  
          inet6 addr: fe80::d014:ebff:fe63:8b6b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:4436320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6368318 errors:0 dropped:12438 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:4465479652 (4.1 GiB)  TX bytes:4877108115 (4.5 GiB)

tap107i0  Link encap:Ethernet  HWaddr 6e:8c:33:50:e4:7e  
          inet6 addr: fe80::6c8c:33ff:fe50:e47e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:315292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1390452 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:29609893 (28.2 MiB)  TX bytes:663019872 (632.3 MiB)

tap108i0  Link encap:Ethernet  HWaddr 76:f7:44:5f:9e:f9  
          inet6 addr: fe80::74f7:44ff:fe5f:9ef9/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1420879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2718960 errors:0 dropped:8900 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:892454301 (851.1 MiB)  TX bytes:2690126975 (2.5 GiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet6 addr: fe80::1/128 Scope:Link
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

vmbr0     Link encap:Ethernet  HWaddr 68:05:ca:05:73:cb  
          inet addr:192.168.1.155  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::6a05:caff:fe05:73cb/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:111284423 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34410132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:24628943646 (22.9 GiB)  TX bytes:137114365662 (127.6 GiB)

Only vmbr0 seems to have the "live" network details (I've changed the live IP to a test one).

Under the Proxmox firewall, when I click on "add rule", which interface from all of the above do I need to include to pass the rule to all VMs? Same if I need to create a security group?
Do I need to use vmbr0?

I will add some generic rules which I want to apply to all VMs running in the node.

Also under source and destination fields what should I put to be available in all VMs?

Thanks in advance.
 
Thanks a lot for the reply. I've set IN and OUT to ACCEPT under the Datacenter tab and then set IN and OUT to DROP in a VM, but I can still access the web server on that VM, for example. Do I need to restart the firewall somehow?

Thanks
 
I've tried to start the firewall from terminal as per wiki instructions and getting the following error:

root@proxmox1:~# pve-firewall start
ERROR: can't aquire lock '/var/run/pve-firewall.pid.lock' - Resource temporarily unavailable
 
I guess it is already running:

# pve-firewall status

Please can you post the output of

# pve-firewall compile
 
Hi Dietmar,

Thanks for the answer.

root@proxmox1:~# pve-firewall status
Status: disabled/running

root@proxmox1:~# pve-firewall compile
no changes
firewall disabled
 
Just an update: I've enabled the firewall via cluster.fw and now the status shows it running:

root@proxmox1:~# pve-firewall status
Status: enabled/running

I have, however, the following rules on a VM:

root@proxmox1:/etc/pve/firewall# cat 101.fw
[RULES]

OUT DROP
IN DROP

but I can still access that VM fine via port 80, for example.
 
You must understand that Proxmox has 3 firewall levels: Datacenter, Node and VM.

CAUTION!!! In Datacenter -- Firewall: you must set INPUT and OUTPUT Policy = ACCEPT, otherwise you will be blocked yourself!!!

Since you need to block port 80 on VM 101, you must:
1. Enable the firewall on the VM: click VM 101 -- Firewall tab -- Options: Enable Firewall = Yes
2. Add the rule: IN DROP 80 tcp, then click Enable
 
But, as mentioned above, I have the rules in VM 101 to drop everything, all ports, and I can still connect. The firewall is enabled on the VM and on the Datacenter.
I want a rule to block everything/all traffic apart from the ports that I will exclude. IN/OUT DROP seems to do nothing in VM 101.

root@proxmox1:/etc/pve/firewall# cat 101.fw
[RULES]

OUT DROP
IN DROP
 
You must enable the firewall on VM 101. Mine looks like this:

Code:
# cat /etc/pve/firewall/1000001.fw
[OPTIONS]

enable: 1

[RULES]

IN DROP -p tcp -dport 80

Also, for a Qemu/KVM VM you must enable "Firewall" on the Network Device (click VM 101 -- Hardware -- Network Device).
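The two failure modes discussed in this thread (a VM .fw file with [RULES] but no "enable: 1" in [OPTIONS], and a datacenter policy that locks the admin out) can be checked mechanically. The script below is an added example, not Proxmox code; the section/key layout follows the files quoted above, while the policy_in/policy_out key names are assumed from the pve-firewall file format and do not appear in the thread.

```python
# Added example (not Proxmox code): audit pve-firewall files for the situation
# in this thread. Key names policy_in/policy_out are assumed, not from the thread.
from typing import Dict, List, Tuple

def parse_fw(text: str) -> Dict[str, List[str]]:
    """Split a .fw file into sections keyed by name; drop comments and blank lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def option(sections: Dict[str, List[str]], key: str, default: str = "") -> str:
    """Look up 'key: value' in [OPTIONS] (key compared case-insensitively)."""
    for line in sections.get("OPTIONS", []):
        k, _, v = line.partition(":")
        if k.strip().lower() == key:
            return v.strip()
    return default

def audit(text: str, datacenter: bool = False) -> Tuple[bool, int, List[str]]:
    """Return (enabled, rule_count, findings) for one .fw file."""
    s = parse_fw(text)
    enabled = option(s, "enable", "0") == "1"
    rules = s.get("RULES", [])
    findings: List[str] = []
    if rules and not enabled:
        findings.append("rules present but '[OPTIONS] enable: 1' missing: rules are ignored")
    if datacenter and enabled:
        # The thread's CAUTION: datacenter policies must be ACCEPT or you lock yourself out.
        for key in ("policy_in", "policy_out"):
            if option(s, key).upper() != "ACCEPT":
                findings.append(f"datacenter {key} is not ACCEPT: risk of locking yourself out")
    return enabled, len(rules), findings

# Constructed inputs: the thread's 101.fw before the fix, the fixed form, and a
# hypothetical cluster.fw with a DROP input policy.
VM101_BEFORE = "[RULES]\n\nOUT DROP\nIN DROP\n"
VM101_AFTER = "[OPTIONS]\n\nenable: 1\n\n[RULES]\n\nOUT DROP\nIN DROP\n"
CLUSTER_BAD = "[OPTIONS]\nenable: 1\npolicy_in: DROP\n"

if __name__ == "__main__":
    for name, txt, dc in (("101.fw", VM101_BEFORE, False),
                          ("101.fw fixed", VM101_AFTER, False),
                          ("cluster.fw", CLUSTER_BAD, True)):
        print(name, audit(txt, dc))
```

Run it against the real files with something like `audit(open("/etc/pve/firewall/101.fw").read())` on the host to see which guests have rules that are silently not applied.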
 
That did the trick:

[OPTIONS]

enable: 1

I thought enabling the firewall via the GUI would be enough, but it seems that the above needs to be added to every file.
Is that the normal behaviour?

Thanks a lot
 
I did select all locations, but it doesn't work unless I add the entry to the conf file. After that everything works fine.
 
I think you have to set the cluster file, testing atm.
Don't forget to set the policies to accept though :P