differences between firewall level
- Thread starter vigilian
- Start date
Rules on datacenter level apply to all nodes. Rules on node-level apply only to the node and supersede datacenter-level rules. Rules on VM level apply only to the VM and supersede the other rules and are unaffected by the datacenter and node rules (VMs are like their own separate entities).
Last edited:
Okey but there is no general policy on the node correct? so the general policy like drop all incoming should be done only on datacenter and vms? Or should I do a drop in policy?
And I guess also that the node don't give any services like ssh etc? so the ssh rule should be on datacenter?
Hi Wolfgang,
This info is really important and would deserve some lines in the firewall doc with the order in which they are applied.
Thanks for explaining this,
Hakim
This info is really important and would deserve some lines in the firewall doc with the order in which they are applied.
Thanks for explaining this,
Hakim
Last edited:
I wrote a long post about this because I found the firewall utterly confusing and +1 for adding more documentation on the Wiki. The wiki seems to indicate that Rules cascade all the way down to containers/vm's and that is definitely not the case.
THANK YOU wbumiller for clarifying that Datacenter level firewall rules cascade down to the NODES but no further! That helps make a LOT of sense of what I was seeing.
I wrote a long article here about getting the firewall setup in Proxmox 4 (admin, please strip this if outside links aren't allowed for which I apologize. I spent a lot of time writing and didn't want to replicate the effort).
http://www.kiloroot.com/secure-prox...d-more-how-to-configure-from-start-to-finish/
That includes some speak about IPv6 which may or may not be applicable. In that article though I outlined the approach I took.
Regarding vigilian's comment:
"can we conceptualize that the datacenter is the host machine and the node as the virtual concept of entity ? so only if you link some nodes together the firewall of the node should be only use these rules?"
The answer I think would be, NO, that is an incorrect summary of things. Proxmox is built for clustering. So you could easily have multiple NODES in your Datacenter.
The NODE IS the Physical Box. The Datacenter is simply an "organizational unit" or "bucket" that holds nodes. So the best way to think about it, based on what wbumiller said, is that you want some rules applied across all of your physical nodes all the time. Like, you want port 8006 open, and you probably want the clustering ports open if you are clustering. So you would apply that at the DC level and that would "cascade down" to all of your nodes and you shouldn't have to repeat those rules on each node.
However, as wbumiller so helpfully pointed out (and this is what should be clearly explained in the WIKI) is that VM's/Containers are their own little islands. Their firewall's are, as far as I can tell, not affected at all by what you set at the DC and NODE levels. Treat them as such.
Where this gets a bit hairy though is NAT and port forwarding. If you are using port forwarding for a container than I think you may have to have firewall rules setup at either the NODE or DC level allowing access to the publicly exposed side of the NAT equation.
Example:
I have a container with apache running a website on port 80, ON THE CONTAINER.
I have a NAT rule setup on the host forwarding say, port 8080 on my public IP to port 80 on my container.
I think in the above situation, you MIGHT need a rule at the DC or NODE level allowing access to port 8080. I think someone who commented on my article said that they found this to not be true though and we speculated a bit as to why.
Anyhow, I hope all of this rambling is a help
- I wrestled for a couple of days with the Firewall and feel for anyone else in the same boat.
Cheers and good luck.
THANK YOU wbumiller for clarifying that Datacenter level firewall rules cascade down to the NODES but no further! That helps make a LOT of sense of what I was seeing.
I wrote a long article here about getting the firewall setup in Proxmox 4 (admin, please strip this if outside links aren't allowed for which I apologize. I spent a lot of time writing and didn't want to replicate the effort).
http://www.kiloroot.com/secure-prox...d-more-how-to-configure-from-start-to-finish/
That includes some speak about IPv6 which may or may not be applicable. In that article though I outlined the approach I took.
Regarding vigilian's comment:
"can we conceptualize that the datacenter is the host machine and the node as the virtual concept of entity ? so only if you link some nodes together the firewall of the node should be only use these rules?"
The answer I think would be, NO, that is an incorrect summary of things. Proxmox is built for clustering. So you could easily have multiple NODES in your Datacenter.
The NODE IS the Physical Box. The Datacenter is simply an "organizational unit" or "bucket" that holds nodes. So the best way to think about it, based on what wbumiller said, is that you want some rules applied across all of your physical nodes all the time. Like, you want port 8006 open, and you probably want the clustering ports open if you are clustering. So you would apply that at the DC level and that would "cascade down" to all of your nodes and you shouldn't have to repeat those rules on each node.
However, as wbumiller so helpfully pointed out (and this is what should be clearly explained in the WIKI) is that VM's/Containers are their own little islands. Their firewall's are, as far as I can tell, not affected at all by what you set at the DC and NODE levels. Treat them as such.
Where this gets a bit hairy though is NAT and port forwarding. If you are using port forwarding for a container than I think you may have to have firewall rules setup at either the NODE or DC level allowing access to the publicly exposed side of the NAT equation.
Example:
I have a container with apache running a website on port 80, ON THE CONTAINER.
I have a NAT rule setup on the host forwarding say, port 8080 on my public IP to port 80 on my container.
I think in the above situation, you MIGHT need a rule at the DC or NODE level allowing access to port 8080. I think someone who commented on my article said that they found this to not be true though and we speculated a bit as to why.
Anyhow, I hope all of this rambling is a help
- I wrestled for a couple of days with the Firewall and feel for anyone else in the same boat.Cheers and good luck.
Hi,
From what I have seen (looking at the final rules generated by iptables - using iptables-save, as suggested in the doc), the rules that are applied to the containers are FORWARD rules (at the host level). An the default FORWARD chain accept all the traffic.
This might be why the DC and host rules (INPUT and OUTPUT) does not apply to the container.
So you do not need to add your rule on port 8080.
Adding a firewall was really a great step made by Proxmox team.
For people that did not use anything else before, it was not a big deal to active it (it could not be worse). But for people using something else, you need to understand better what services is provided by Proxmox firewall and how it works before deciding to change from the previous system.
And the doc does not really help to decide for that. It gives you some good clues about how to activate it, but not enough info about HOW it works.
I also had to do a lot of tests to find out how it works - and I did not get yet all the default rules that are applied here and there (that are not described in the doc).
This is definitly a good tool that would deserve a better doc.
Hakim
From what I have seen (looking at the final rules generated by iptables - using iptables-save, as suggested in the doc), the rules that are applied to the containers are FORWARD rules (at the host level). An the default FORWARD chain accept all the traffic.
This might be why the DC and host rules (INPUT and OUTPUT) does not apply to the container.
So you do not need to add your rule on port 8080.
Adding a firewall was really a great step made by Proxmox team.
For people that did not use anything else before, it was not a big deal to active it (it could not be worse). But for people using something else, you need to understand better what services is provided by Proxmox firewall and how it works before deciding to change from the previous system.
And the doc does not really help to decide for that. It gives you some good clues about how to activate it, but not enough info about HOW it works.
I also had to do a lot of tests to find out how it works - and I did not get yet all the default rules that are applied here and there (that are not described in the doc).
This is definitly a good tool that would deserve a better doc.
Hakim
like the article, nbeam - good stuff!
my questions is whether these steps in your article also apply for Proxmox VE 3.4?
Specifically asking if i should omit the ports 111 and 85 in the basic security group as they are not default in 3.4:
Proxmox VE 4.x and later port list:
- Web interface: 8006
- pvedaemon (listens only on 127.0.0.1): 85
- VNC Web console: 5900-5999
- SPICE proxy: 3128
- sshd (used for cluster actions): 22
- rpcbind: 111
- corosync multicast (if you run a cluster): 5404, 5405 UDP
- Web interface: 8006
- VNC Web console: 5900-5999
- SPICE console: 3128
- SSH access (only optional): 22
- CMAN multicast (if you run a cluster): 5404, 5405 UDP
thanks