DHCP and NDP options in VM firewall settings

klowet

Jun 22, 2018
Hello

In the firewall options of a VM, there are the options 'DHCP' and 'NDP'. What do they do?
When e.g. 'DHCP' is set to 'Yes', does the VM send out DHCP requests? Or does it instead reply to DHCP requests?

Thank you
 
Hi,
With these checkboxes you can allow DHCP and NDP traffic for the VMs. The necessary rules are then generated and applied if the firewall is active.
 
Hello

What traffic is allowed when these options are activated? Incoming or outgoing?
I don't see these rules in the firewall. Are they invisibly applied in the background? If so, how can I view all firewall rules, also the invisible ones?

Another question regarding the firewall. When the firewall is activated on an interface, are the rules applied when the 'Firewall' option in 'Firewall > Options' is set to 'No'?

Same question for the logging. When a firewall rule has logging activated, is the log for that rule saved when e.g. the 'log_level_in' option in 'Firewall > Options' is set to 'nolog'?

Thank you
 
You can see all the firewall rules by running iptables-save on the node. The rules are only applied if the firewall is enabled at datacenter level as well as for the VM and the corresponding NIC. Further, the log level defined for individual rules is independent of the log level set in Firewall->Options. For further details you might want to have a look at https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pve_firewall
Hope this helps!
 
For other people googling: The DHCP config flag does allow traffic for DHCP clients (so the VMs can request an IP, but cannot assign IPs to others).
You can see all the firewall rules by running iptables-save on the node.
On our systems, Proxmox (7.4-3) adds the following rules to the firewall with that flag enabled:
Code:
-A tap120i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap120i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
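
Added example (not part of any post in this thread and not Proxmox code): a small Python audit of `iptables-save` output that reports, per tap NIC, whether the accepted DHCP rules let the guest act as a client, as in the two rules quoted above, or as a server. It assumes chains are named `tap<vmid>i<n>-IN` / `-OUT` as in those rules, and it only looks for exact-port accept rules; rule order and earlier drops are not evaluated.

```python
import re
import shlex

# Constructed iptables-save excerpt. The two tap120i0 rules are the ones quoted
# in the thread; the tap121i0 lines are made up (a NIC without the DHCP flag).
SAMPLE = """\
*filter
:tap120i0-IN - [0:0]
:tap120i0-OUT - [0:0]
:tap121i0-IN - [0:0]
-A tap120i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A tap120i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap121i0-IN -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

CHAIN = re.compile(r"^(tap\d+i\d+)-(IN|OUT)$")  # assumed chain naming
ACCEPTING = {"ACCEPT", "PVEFW-SET-ACCEPT-MARK"}  # targets seen in the thread
# (chain direction, sport, dport) -> DHCP role the rule lets the guest play
ROLES = {
    ("OUT", "68", "67"): "client",  # guest sends requests
    ("IN", "67", "68"): "client",   # server replies reach the guest
    ("OUT", "67", "68"): "server",  # guest sends offers/replies
    ("IN", "68", "67"): "server",   # client requests reach the guest
}

def opt(tokens, *flags):
    """Return the value following the first of `flags` found in tokens, or None."""
    for flag in flags:
        if flag in tokens[:-1]:
            return tokens[tokens.index(flag) + 1]
    return None

def dhcp_roles(dump):
    """Map each tap NIC to the set of (role, direction) pairs its rules accept."""
    report = {}
    for line in dump.splitlines():
        tokens = shlex.split(line) or [""]
        # ":chain - [0:0]" declares a chain, "-A chain ..." appends a rule to it
        name = tokens[0][1:] if tokens[0].startswith(":") else opt(tokens, "-A")
        m = CHAIN.match(name or "")
        if not m:
            continue
        nic, direction = m.groups()
        roles = report.setdefault(nic, set())
        key = (direction, opt(tokens, "--sport"), opt(tokens, "--dport"))
        udp_accept = opt(tokens, "-p") == "udp" and opt(tokens, "-j", "-g") in ACCEPTING
        if udp_accept and key in ROLES:
            roles.add((ROLES[key], direction))
    return report
```

On a node, pass the text of `iptables-save` to `dhcp_roles()`; a NIC that reports a `server` role has a rule beyond what the DHCP flag generates.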
 
