Cross "Zone" firewall rules?

Squ1sh

Member
Nov 5, 2020
Hi, the documentation says:

The Proxmox VE firewall groups the network into the following logical zones:
Host
Traffic from/to a cluster node
VM
Traffic from/to a specific VM
For each zone, you can define firewall rules for incoming and/or outgoing traffic.

How is this meant? Are the firewall rules on datacenter and node level for the zone "Host", and the rules on VM/CT level for the zone "VM"?
Or can I mix this and say, e.g., "allow tcp dest port 8006 from source zone VM to dest zone Host"?
I find this a bit confusing because the term "zone" doesn't appear in the docs afterwards anymore.
 
>>How is this meant? Are the firewall rules on datacenter and node level for the zone "Host", and the rules on VM/CT level for the zone "VM"?
Yes.

Host rules are in the iptables INPUT/OUTPUT chains, and VM rules are in the iptables FORWARD chains.

To simplify: it's just like you have separate firewalls for each VM and for the host (even if it's only one big iptables ruleset).
 
>>Or can I mix this and say, e.g., "allow tcp dest port 8006 from source zone VM to dest zone Host"?

If you have default drop/reject rules for the host and the VMs, you need to create 2 rules:

in host firewall: "IN RULE: allow tcp dest port 8006 from source zone VM"
in vm firewall: "OUT RULE: allow tcp dest port 8006 to dest zone Host"
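The two rules from the answer above, written out in the Proxmox VE firewall configuration file syntax. This is an added example, not from the original post or the Proxmox documentation: the alias names `vmnet` and `pvehost`, the addresses `10.10.0.0/24` and `10.10.0.1`, the node name `pve1`, and the VM ID `100` are all assumed placeholders; substitute your own. Note that "VM" and "Host" are logical zones in the documentation, not built-in aliases, so the source and destination of each rule have to be expressed as concrete addresses or aliases you define yourself.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level)
# Aliases are assumed placeholders: replace with your real VM subnet and node address.
[ALIASES]
vmnet 10.10.0.0/24
pvehost 10.10.0.1

# /etc/pve/firewall/pve1/../../nodes/pve1/host.fw  i.e. /etc/pve/nodes/pve1/host.fw  (zone "Host")
# Lives in the INPUT/OUTPUT chains. With policy_in DROP, the VM->host web UI
# traffic on 8006 must be explicitly accepted here (the "IN RULE" from the answer).
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN ACCEPT -source vmnet -p tcp -dport 8006 -log nolog

# /etc/pve/firewall/100.fw  (zone "VM", one file per VM/CT)
# Lives in the FORWARD chain. With policy_out DROP, the same connection must also be
# accepted on the VM side (the "OUT RULE" from the answer); both rules are needed.
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: DROP

[RULES]
OUT ACCEPT -dest pvehost -p tcp -dport 8006 -log nolog
```

After saving, `pve-firewall compile` on the node prints the iptables rules generated from these files, which is a quick way to confirm that the host rule ends up in the host INPUT chain and the VM rule in the FORWARD chain, as the answer describes. Defaulting the VM's `policy_out` to DROP is the stricter, least-privilege choice; if you keep the default ACCEPT for outgoing VM traffic, only the host-side rule is required.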
 
Thanks for the answers. But in my case I just don't see an alias 'VM' or 'Host' in the GUI dropdown when I add a new rule. Or when I just enter 'VM' it says: source: no such alias 'VM'. There are also no aliases or IPSets defined under Datacenter->Firewall->Alias. Should there be?