Enabling cluster firewall for the first time

[GodZone]

I definitely admit to being a Proxmox newbie having used VMware until very recently. I am working through the various aspects of configuring Proxmox but had to transition from ESX to Proxmox very quickly so I haven't had a lot of time to experiment. My cluster is already in production.

I am trying to secure the cluster hosts, I have created an IPset with all of the networks that are 'allowed', I have then created rules that allow SSH and HTTPS on 8006 with those as source addresses. I login to one of the node (just in case via ssh) then enable the firewall. I then lose both web and ssh access so need to disable form the cli. There must be something fundamental I am missing but I can't see what it is.

Any assistance would be appreciated.

I am running Proxmox 5.0-30
root@agree-90:~# more /etc/pve/firewall/cluster.fw

[OPTIONS]

enable: 1

[IPSET management]

xxx.123.0.0/16
xxx.47.115.238
xxx.138.251.0/24
2xxx:4530::/32
2xxx:df0:dc::/48
2xxx:2380:e001:7500::/56

[RULES]

IN ACCEPT -source +management -p tcp -dport 8006 # GodZone HTTPS Management
IN SSH(ACCEPT) -source +management # GodZone SSH Management

 

[Richard]

I definitely admit to being a Proxmox newbie having used VMware until very recently. I am working through the various aspects of configuring Proxmox but had to transition from ESX to Proxmox very quickly so I haven't had a lot of time to experiment. My cluster is already in production.

I am trying to secure the cluster hosts, I have created an IPset with all of the networks that are 'allowed', I have then created rules that allow SSH and HTTPS on 8006 with those as source addresses. I login to one of the node (just in case via ssh) then enable the firewall. I then lose both web and ssh access so need to disable form the cli. There must be something fundamental I am missing but I can't see what it is.

Any assistance would be appreciated.

I am running Proxmox 5.0-30
root@agree-90:~# more /etc/pve/firewall/cluster.fw

[OPTIONS]

enable: 1

[IPSET management]

xxx.123.0.0/16
xxx.47.115.238
xxx.138.251.0/24
2xxx:4530::/32
2xxx:df0:dc::/48
2xxx:2380:e001:7500::/56

[RULES]

IN ACCEPT -source +management -p tcp -dport 8006 # GodZone HTTPS Management
IN SSH(ACCEPT) -source +management # GodZone SSH Management

Settings are formally correct - what I can imagine: The management source addresses look line public internet IP addresses, can be that because of routing between the management clients and Proxmox host there is somewhere NAT and those addresses are not seen in the incoming packets @ Proxmox any more.

In order to clarify this: set in Datacenter -> Firewall -> Option INPUT policy to ACCEPT in order to not get blocked - then investigate via tcpdump the incoming packets from your management clients in order to check how the source addresses look like.

 

[GodZone]

There is no NAT involved which is why I REALLY want to get the firewall in place to prevent unauthorised access. Changing the Input policy to allow me to investigate further is a great idea, not sure why I didn't think of that

 

[GodZone]

With the policy set to ACCEPT, I ssh'ed to nodes 1 and 2. I had a web session to host1 and 'enabled' the firewall. running pve-firewall status, both hosts showed the status as enable/running (pending changes), then I lost connectivity to host2. host1 and my web session were still fine. Disabling the firewall and I can get back into host2. Any ideas ?