Datacenter Firewall not affecting node (?)

krystofr

Member
Dec 30, 2016
I'm using Proxmox 4.4.

I have one node with VMs

I have just activated the firewall on the datacentre with the following options set:

Firewall: enabled
Input Policy: Drop
Output Policy: Allow

In the rules I have a security group called proxmox which contains IN access for
  • Web interface: 8006
  • pvedaemon (listens only on 127.0.0.1): 85
  • SPICE proxy: 3128
  • sshd (used for cluster actions): 22
  • rpcbind: 111
  • corosync multicast (if you run a cluster): 5404, 5405 UDP

There is nothing else allowed.
Therefore, why is it that when I access the Proxmox installation by SSH, services which need to receive data on port 80, such as the acme.sh script for renewing Let's Encrypt certificates, work just fine? Surely with the Input Policy as DROP, this should be blocked?

Any ideas what I'm missing here?
 
