Enabling cluster firewall for the first time

GodZone

Well-Known Member
I definitely admit to being a Proxmox newbie having used VMware until very recently. I am working through the various aspects of configuring Proxmox but had to transition from ESX to Proxmox very quickly so I haven't had a lot of time to experiment. My cluster is already in production.

I am trying to secure the cluster hosts. I have created an IPSet with all of the networks that are 'allowed', then created rules that allow SSH and HTTPS on 8006 with those as source addresses. I log in to one of the nodes (via SSH, just in case), then enable the firewall. I then lose both web and SSH access, so I need to disable it from the CLI. There must be something fundamental I am missing, but I can't see what it is.

Any assistance would be appreciated.

I am running Proxmox 5.0-30
root@agree-90:~# more /etc/pve/firewall/cluster.fw

[OPTIONS]

enable: 1

[IPSET management]

xxx.123.0.0/16
xxx.47.115.238
xxx.138.251.0/24
2xxx:4530::/32
2xxx:df0:dc::/48
2xxx:2380:e001:7500::/56

[RULES]

IN ACCEPT -source +management -p tcp -dport 8006 # GodZone HTTPS Management
IN SSH(ACCEPT) -source +management # GodZone SSH Management

The settings are formally correct. What I can imagine: the management source addresses look like public internet IP addresses; it can be that, because of the routing between the management clients and the Proxmox host, there is NAT somewhere and those addresses are no longer seen in the incoming packets at Proxmox.

In order to clarify this: set the INPUT policy under Datacenter -> Firewall -> Options to ACCEPT so you do not get blocked, then investigate the incoming packets from your management clients with tcpdump to check what the source addresses look like.
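Added example, not code from the thread or from Proxmox: a small Python model of the cluster.fw subset shown in the first post (one named IPSet, IN rules with -source/-p/-dport, the SSH macro, and the input policy). It lets you replay the NAT hypothesis from the reply above offline: feed it the source address the host actually sees on the wire (what tcpdump shows) and it reports whether the posted rules would admit that packet under the default DROP input policy, or once the policy is set to ACCEPT. The sample config and its addresses are constructed (documentation ranges, not the masked ones in the post); `policy_in` is the [OPTIONS] key Proxmox uses for the datacenter input policy, and the SSH macro is assumed to expand to tcp/22; first matching rule wins, as in the real firewall.

```python
"""Toy evaluator for the [IPSET]/[RULES] subset of Proxmox's cluster.fw format.
Added example, not Proxmox code: models one named IPSet, IN rules with
-source/-p/-dport, the SSH macro and policy_in, to check offline which sources
a rule set admits before enabling it on a production node."""
import ipaddress
import re

MACROS = {"SSH": ("tcp", 22)}  # assumption: only the SSH macro is modelled

# Constructed sample config in the thread's layout; addresses are RFC 5737/3849
# documentation ranges, not the poster's masked ones.
SAMPLE_FW = """[OPTIONS]

enable: 1

[IPSET management]

198.51.100.0/24
203.0.113.7
2001:db8:1::/48

[RULES]

IN ACCEPT -source +management -p tcp -dport 8006 # HTTPS management
IN SSH(ACCEPT) -source +management # SSH management
"""
# Same config with the input policy opened up, as the reply suggests trying.
SAMPLE_FW_OPEN = SAMPLE_FW.replace("enable: 1", "enable: 1\npolicy_in: ACCEPT")


def parse_rule(line):
    """Parse 'IN ACCEPT -source +x -p tcp -dport 8006' or 'IN SSH(ACCEPT) -source +x'."""
    tokens = line.split()
    rule = {"dir": tokens[0], "source": None, "proto": None, "dport": None}
    action = tokens[1]
    macro = re.match(r"(\w+)\((\w+)\)$", action)
    if macro:  # SSH(ACCEPT): the macro supplies proto/port, the brackets the action
        rule["proto"], rule["dport"] = MACROS[macro.group(1)]
        action = macro.group(2)
    rule["action"] = action
    opts = tokens[2:]
    for key, val in zip(opts[0::2], opts[1::2]):  # options are -key value pairs
        if key == "-source":
            rule["source"] = val
        elif key == "-p":
            rule["proto"] = val
        elif key == "-dport":
            rule["dport"] = int(val)
    return rule


def parse_fw(text):
    """Return (options, ipsets, rules); '#' comments and blank lines are ignored."""
    options, ipsets, rules, section = {}, {}, [], ("NONE", None)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[(\w+)(?:\s+(\S+))?\]$", line)
        if header:
            section = (header.group(1).upper(), header.group(2))
            if section[0] == "IPSET":
                ipsets[section[1]] = []
        elif section[0] == "OPTIONS":
            key, _, val = line.partition(":")
            options[key.strip()] = val.strip()
        elif section[0] == "IPSET":
            ipsets[section[1]].append(ipaddress.ip_network(line, strict=False))
        elif section[0] == "RULES":
            rules.append(parse_rule(line))
    return options, ipsets, rules


def source_matches(spec, src, ipsets):
    """-source is '+<ipset>' or a literal address/network; None matches anything."""
    if spec is None:
        return True
    addr = ipaddress.ip_address(src)  # a v4 address 'in' a v6 network is False
    if spec.startswith("+"):
        return any(addr in net for net in ipsets[spec[1:]])
    return addr in ipaddress.ip_network(spec, strict=False)


def decide(src, proto, dport, fw_text=SAMPLE_FW):
    """Verdict for an inbound packet as the host sees it: first matching IN rule
    wins, else policy_in applies (Proxmox defaults the input policy to DROP)."""
    options, ipsets, rules = parse_fw(fw_text)
    for rule in rules:
        if rule["dir"] != "IN":
            continue
        if rule["proto"] not in (None, proto) or rule["dport"] not in (None, dport):
            continue
        if source_matches(rule["source"], src, ipsets):
            return rule["action"]
    return options.get("policy_in", "DROP")


if __name__ == "__main__":
    # Client seen unchanged; same client after a NAT rewrote it to 192.0.2.9; v6 client.
    for src in ("198.51.100.20", "192.0.2.9", "2001:db8:1::10"):
        print(src, "ssh:", decide(src, "tcp", 22), "8006:", decide(src, "tcp", 8006),
              "| with policy_in ACCEPT:", decide(src, "tcp", 8006, SAMPLE_FW_OPEN))
```

Run it with the source address tcpdump shows arriving at the node: if that address is the NAT gateway rather than the client's own, `decide` returns DROP for both ports under the posted rules, which is exactly the lockout described in the first post, while the same packet is accepted once `policy_in: ACCEPT` is present.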
 
With the policy set to ACCEPT, I SSH'ed to nodes 1 and 2. I had a web session to host1 and 'enabled' the firewall. Running pve-firewall status, both hosts showed the status as enable/running (pending changes), then I lost connectivity to host2. host1 and my web session were still fine. After disabling the firewall I can get back into host2. Any ideas?