[Feature request 1]
I want to set different firewall rules for different interfaces on the same virtual machine.
So the firewall setting is no longer attached to the VM; it attaches to the NIC instead.
Like this:
- eth1:
  - Enable IP filtering (do not allow IP spoofing)
  - Enable MAC filtering (do not allow MAC spoofing)
  - Disallow DHCP
- eth2:
  - Disable IP filtering (allow IP spoofing)
  - Enable MAC filtering (do not allow MAC spoofing)
  - Allow DHCP
In my case, on eth1, the VM acts as a normal client. However, on eth2, it functions as a router gateway, so we need to allow DHCP and IP spoofing on it.
At the system level, each interface creates a virtual Ethernet (veth) on the host system, and all veths are independent.
I believe if Proxmox allows us to set firewall rules for different interfaces independently, it would greatly enhance flexibility and security in virtualized environments.
[Feature request 2]
I want an option to add a firewall action called "NOTRACK".
The Proxmox firewall drops all conntrack_invalid packets on "every interface" and we can't tune it.
In my network setup, we have a specific VLAN running an asymmetric-routing protocol such as OSPF in it.
And this option blocks all asymmetric routing traffic, which causes huge problems in my system.
The only way to disable this is to disable the firewall at the datacenter level; another solution is to set
nf_conntrack_allow_invalid: 1
on the system firewall. But nf_conntrack_allow_invalid simply allows the invalid packets; it still does conntrack on the packets, which consumes a lot of system resources. And nf_conntrack_allow_invalid is also datacenter level. I want to allow asymmetric routing on a specific VLAN/bridge/interface only.
So, I want an option called "NOTRACK" in the firewall settings for each interface, which generates a native iptables rule
iptables -t raw -I PREROUTING -i $IFACE -j NOTRACK
for the bridge/interface, then stops conntrack on any packets [from the interface]/[to the bridge] and allows asymmetric routing traffic on it.
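As an added illustration of the per-interface NOTRACK behaviour requested above (example code, not part of the original post and not a Proxmox feature), a small POSIX shell helper that validates an interface name, prints the raw-table rules that would be generated for it, and applies them only when they are not already present. The interface names passed to it are assumed.

```sh
#!/bin/sh
# Added example: per-interface conntrack bypass in the raw table, as the
# feature request describes. Not Proxmox code; interface names are assumed.

# Accept only plausible Linux interface names (at most 15 characters, no
# whitespace or shell metacharacters) so a bad value never reaches iptables.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Print the raw-table rules for one interface: skip conntrack for packets
# arriving on it (PREROUTING) and for locally generated packets leaving it
# (OUTPUT). Matched traffic is never classified INVALID, so asymmetric
# routed flows pass; note that stateful rules will not see it either.
notrack_rules() {
    valid_iface "$1" || { echo "invalid interface name: $1" >&2; return 1; }
    printf 'iptables -t raw -I PREROUTING -i %s -j NOTRACK\n' "$1"
    printf 'iptables -t raw -I OUTPUT -o %s -j NOTRACK\n' "$1"
}

# Apply the rules idempotently: "iptables -C" checks whether a rule already
# exists, and the rule is inserted only when the check fails.
apply_notrack() {
    valid_iface "$1" || return 1
    iptables -t raw -C PREROUTING -i "$1" -j NOTRACK 2>/dev/null \
        || iptables -t raw -I PREROUTING -i "$1" -j NOTRACK
    iptables -t raw -C OUTPUT -o "$1" -j NOTRACK 2>/dev/null \
        || iptables -t raw -I OUTPUT -o "$1" -j NOTRACK
}
```

Running `apply_notrack vmbr1` as root on a host installs the two rules for that bridge; `notrack_rules vmbr1` only prints them for review.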