Disable Firewall for Ceph-Interfaces

It is still recommended to disable the firewall for Ceph traffic interfaces by setting enable 0 in /etc/pve/firewall/cluster.fw.
 
With this setting, you disable the firewall for the whole cluster. This can't be the solution.

The question was how I can disable the firewall only for the interfaces that will be used for Ceph traffic. Or in other words, how can I enable it only for the interfaces for the public traffic?
 
Working on our first Proxmox cluster so I'm also interested.

Per https://pve.proxmox.com/pve-docs/pve-firewall.8.html there's a macro for Ceph, so I think something like this should work, with "nodes" being an ipset, and net0 changed to the Ceph network?

IN Ceph(ACCEPT) -i net0 -source +nodes

Or just allow all of course. Which I realize isn't answering your question but I'm not finding a way to disable it on one interface either.
 
If I understand right, you only need the Ceph macros if you use Ceph and Proxmox VMs on the same host/cluster.
We use two separate clusters (one for Ceph, one for VMs). So I think we don't need these rules on the VM cluster.
Or in other words, we have tested running VMs that need a Ceph connection for their disks, and they worked - without any Ceph rules on the VM cluster :)

My target/wish is that the firewall rules only apply to the interfaces of the VM cluster that are connected to the public Internet (e.g. bond0).
Because all other interfaces etc. are only accessible from internal networks and not reachable from the Internet.
 
I agree that would be ideal/best. In our cluster the Ceph storage network will not be connected to anything else either.