I know "firewall" is on the roadmap, but I have no idea what your intentions are so I thought I would try and get my own in
(I am using proxmox to provide a virtual cloud for my development team as opposed to a reseller, so my requirements might be general enough.)
It would be great if the web GUI allowed me to:
- register additional public IPs onto eth0
- define port forwarding from those public IPs to the virtual machines
For background I like to keep all my virtual machines on a private vnet (i.e. with a 10.... IP address) and have the public IP addresses mapped to the host (or alternatively another VM) (as described by the excellent http://www.myatus.co.uk/2009/08/31/guide-firewall-and-router-with-proxmox/). I then use port forwarding from the host to the virtual machines. This has a number of benefits/downsides.
* benefits
The VMs do not need to worry about running their own firewall - they can only be accessed from the host or another virtual machine. There is a single file on the host which defines all the port forwarding.
There is a disconnect between the public IP and the actual virtual host. If I want to replace one machine with another (i.e. for an upgrade) it is a simple modification to the host's port forwarding rule - DNS or public IPs do not need to change.
Allows exclusively private machines - i.e. I have an ldap machine which the other public machines authenticate against. I don't want the ldap machine publicly exposed.
One public IP can be shared by multiple virtual machines (i.e. one virtual machine for publicIP:ftp, one for publicIP:www).
* downsides
Migration across the cluster is harder - it requires moving the public IP address from one physical machine to another. Would be *great* if that could be handled by the GUI, i.e. define a pool of public IPs.
Adding a new service to a VM requires the VM configuration as well as the additional rule to the host firewall.
I don't think this would scale for a huge number of VMs (remember there is a single configuration file for all the port forwards for all the VMs).
Anyway, that is what I do - and I don't think it is that much of an edge case. Being able to do all this through the GUI would be great.
Col
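The setup Col describes (public IPs aliased on the host, VMs on a private 10.x vnet, one file of port forwards rendered into host iptables rules, private-only machines such as the LDAP server simply absent from that file) can be written down as a small script. The following is an added example and is not code from the post or from Proxmox; the bridge names vmbr0/vmbr1, the 203.0.113.x public addresses, the 10.0.0.x VM addresses and the forward table itself are constructed assumptions. It also adds a check the post does not mention: refusing a table in which two VMs claim the same publicIP:port.

```shell
#!/bin/sh
# Added example (not from the original post): render the host's iptables
# rule set from one port-forward table, the "single file on the host" that
# the post describes. Interface names, addresses and the table itself are
# constructed assumptions, not anything taken from the post.

WAN_IF=vmbr0              # assumed bridge carrying the public IPs
LAN_IF=vmbr1              # assumed bridge for the private 10.x VMs
LAN_NET=10.0.0.0/24       # assumed private vnet

# One forward per line: public_ip proto public_port vm_ip vm_port
# The LDAP VM (assumed 10.0.0.20) has no line, so nothing is DNATed to it.
FORWARDS='
203.0.113.10 tcp 80  10.0.0.10 80
203.0.113.10 tcp 443 10.0.0.10 443
203.0.113.10 tcp 21  10.0.0.11 21
203.0.113.11 tcp 22  10.0.0.12 22
'

# Distinct public IPs in the table; each must be added as an alias on $WAN_IF.
public_ips() {
    printf '%s\n' "$1" | awk 'NF { print $1 }' | sort -u
}

# Refuse tables where two VMs claim the same public_ip/proto/port.
# Prints each clashing triple and returns 1 if any clash exists.
check_conflicts() {
    dups=$(printf '%s\n' "$1" | awk 'NF { print $1, $2, $3 }' | sort | uniq -d)
    [ -z "$dups" ] || { printf '%s\n' "$dups"; return 1; }
}

# Emit the commands to apply. The FORWARD policy is DROP, so a VM is
# reachable from outside only through a line in the table; VMs may still
# initiate outbound connections, which are masqueraded behind the host.
gen_rules() {
    check_conflicts "$1" >/dev/null || return 1
    public_ips "$1" | while read -r ip; do
        echo "ip addr add $ip/32 dev $WAN_IF"
    done
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    printf '%s\n' "$1" | awk -v wan="$WAN_IF" -v lan="$LAN_IF" 'NF {
        printf "iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n", wan, $1, $2, $3, $4, $5
        printf "iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n", wan, lan, $4, $2, $5
    }'
}

# Stand-alone use: ./forwards.sh --print | sh   (on the host, as root)
if [ "${1:-}" = "--print" ]; then
    gen_rules "$FORWARDS"
fi
```

Replacing a VM for an upgrade is then a one-line change to the table (swap the vm_ip) and a re-run; the public IP and DNS stay put, which is the benefit the post lists. Note that MASQUERADE picks the bridge's primary address for outbound traffic from the VMs; if a VM needs to source from a specific public IP, use an SNAT rule with --to-source for that VM instead.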