enabled UFW, allowed rules - Nothing accessible anymore

Many people do not realise just how secure the Windows NTLMv2 auth actually is. Providing you use a good password and don't have a ton of other ports / exploitable services open, then there is no problem having RDP access enabled externally. Many, many hosting providers do this already; it's no different to enabling SSH access to a Linux box really.... Come on, we are not talking telnet here, nor are we talking insecure Windows XP machines that are 3 service packs behind anymore.

I myself prefer to close off all but the required ports for running services and then VPN into the internal networks for management.
 
This is good to hear Tom. I would also assume similar, which shouldn't make people act laxly around this topic.

Therefore I want to set up rules with the GUI firewall now but see a lack of documentation regarding the GUI itself.
I refer especially to the popup when setting a rule.

I would now suggest, so as not to lock myself out, to set the firewall to ACCEPT in and out first, at the options tab.
Then set one rule after the other...
Now, when I use the macro HTTP for port 80, I don't need to fill anything else out?
I only have one network node and don't use other IPs; does it cover it automatically or do I have to tell it vmbr0 for example at interface?

What about source and destination and ports and so on? Do I need to enter anything?

Should I use the macro anyway?
Should I use security groups ?

Also please take a look at the screenshot of the rules...

fw-settings.png

Thanks in advance



Andre
 
Sorry, I should have posted the question from the screenshot here as well...
1. When I use macros, are no other settings needed?
2. I only use one network, so eth0 is the server node and vmbr0 is the complete data center. When setting up the FW on datacenter level, do I not need to add anything for eth0?? Or do I double the entries?
3. Source and destination port... is this used for setting a port range? Like e.g. VNC 5900 (source) to 5999 (dest. port)??
4. When I want to block RDP over all machines, is it enough like in the screenshot? Just because of the setting itself... I know when in and out are blocked that certain accept rules are the only ones allowed... Just this out of interest.
 
Mmmh, okay, now I'm becoming a bit irritated... Sometimes the easy way turns out to be the rocky way
...
With this setup I got locked out of the Proxmox panel (yes, I was online with a shell when playing with the FW, so I just switched it off with service pve-firewall stop)...
But why?
How is the right setup ?

Look please:

fw-settings2.png
 
Client machines use random ports to connect to a destination port. Remove the source port numbers.
 
Client machines use random ports to connect to a destination port. Remove the source port numbers.
How does the machine know which port I am talking about when not using a macro...
How would a complete rule setup look? Pls
 
When configuring a firewall you typically don't use SOURCE port because applications on the client side will pick a random port.

Selecting a DESTINATION port indicates what the client is talking to, which is where you configure your firewall rule.
 
When configuring a firewall you typically don't use SOURCE port because applications on the client side will pick a random port.

Selecting a DESTINATION port indicates what the client is talking to, which is where you configure your firewall rule.

Sorry that I have only used very simple firewall basics till today...
Never heard of this...

So, I set a dest port, and this is 8006 when I want to enter the panel, and then I am fine?
 
Good to see you got it working.

May I suggest you do some research on the Linux IPTables firewall in general as it helps to have an understanding of it before wildly playing with the rules in proxmox.

Also, as others have said.... You need to work with destination ports since these are the target ports that people will be trying to connect to... For example, if you are running a web server in a VM then common destination ports would be 80 or 443... However, the source port is always randomised on the client since this is how IP networking works.

So..... Client PC (port 1234) > Server (Port 80) is an example.
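To show what "destination ports only" looks like in practice, here is a minimal datacenter-level rule set in the cluster firewall's file syntax (/etc/pve/firewall/cluster.fw). This is an added example written for this thread, not taken from any post in it: every rule names only the destination port (or a macro that expands to one), and no source port appears anywhere. The ipset name "management" and the address 203.0.113.10 are placeholders; with policy_in set to DROP, the rule for destination port 8006 is exactly what keeps the web panel reachable, which is the rule that was missing in the lockout described above.

```ini
[OPTIONS]
# Switch the datacenter firewall on. The inbound default policy drops
# anything that no rule below accepts, so the management rules must be
# present BEFORE this policy goes live or the panel becomes unreachable.
enable: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET management]
# Placeholder management address; replace with the address you connect from.
203.0.113.10

[RULES]
# Web panel: only the DESTINATION port 8006 is given. The client's source
# port is whatever its operating system picked (e.g. 1234 in the post above),
# so it is not matched at all.
IN ACCEPT -source +management -p tcp -dport 8006 -log nolog
# SSH via the built-in macro, which expands to tcp destination port 22,
# restricted to the same ipset.
IN SSH(ACCEPT) -source +management -log nolog
# Public services via macros; HTTP and HTTPS expand to destination ports 80
# and 443 respectively, so nothing else needs to be filled in for them.
IN HTTP(ACCEPT) -log nolog
IN HTTPS(ACCEPT) -log nolog
```

The ipset is there so the management rules can be widened later by adding addresses in one place instead of editing each rule; the HTTP/HTTPS lines show that a macro already carries the destination port, which is why the rule dialog needs no port fields when a macro is chosen.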
 
Yes, it is a good suggestion; I will follow it.
But is it now needed that I "double set" the rules? One on eth0 and the same on vmbr0 also?
 
