Few questions about Proxmox Firewall

joeleo, Active Member, joined Apr 24, 2009
Hi, just now testing out the Proxmox FW and have a few questions below.

- I see a "Firewall" tab in both Datacenter View and Node View. What is the difference between the two?

- I created a rule that doesn't seem to work. I'm creating a rule to allow connection to the host node via a specific external source IP and this doesn't seem to work at all. Here's the rule created.

IN Accept -i eth0 -source ext-ip-address -dest proxmox-hostnode-ip -p tcp -dport 8006 # Ext access to proxmox gui
IN Accept -i eth0 -source ext-ip-address -dest proxmox-hostnode-ip -p tcp -dport 22 # Ext access to hostnode ssh

also, created an explicit deny rule as follows:

IN drop -i eth0

After creating the above rule and having the rule enabled I can't access the Proxmox GUI or SSH to the host node. I have to stop the firewall to gain back access. What is wrong? I'm wondering if the firewall doesn't understand a rule to itself (host node interface IP)?

- I was wondering if Proxmox had a built-in catch all explicit deny rule? Or should one manually create it as above.


Thanks in advance for your help!
 
Hey,
normally this should work as you configured it.
Maybe your Internet is connected on eth1 or something different?

If you want to I can assist you via TeamViewer. Just send me a PN with your ID + password.
If you want to, you can also add me on Skype. Just ask via private message for it.

Best regards
Henry
 
@Phinitris, thanks for your feedback. Yeah, my internet connection is on ETH1 and the rules are actually configured for ETH1. I'm able to access the site once the rules are disabled, so I know connectivity is good. Do you have a similar configuration, or can you test this out? I'm suspecting the firewall itself may not be working when having a rule with the destination address as the firewall host node.

Also, I wanted to clarify that with the rules below I'm able to access the Proxmox GUI from any IP address. That is what's concerning, as I should only be able to access the web GUI and SSH to the host node ONLY via the ext-ip-address that I defined.

IN Accept -i eth1 -source ext-ip-address -dest proxmox-hostnode-ip -p tcp -dport 8006 # Ext access to proxmox gui
IN Accept -i eth1 -source ext-ip-address -dest proxmox-hostnode-ip -p tcp -dport 22 # Ext access to hostnode ssh
 
Hey,
have you set the global datacenter INPUT Policy to DROP and enabled the firewall in the datacenter and the node tab?

Best regards
Henry
 
Hello, any update on this? Is this a bug? I create rules for the node via the web interface but they don't seem to work. Does anyone know where the node rules are saved? /etc/pvefirewall/cluster.fw does not seem to contain these rules here...
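As an added example (written for this page, not code from the thread or from Proxmox itself), the script below models the first-match evaluation behind two points in the thread: Henry's question about the datacenter INPUT policy, and the earlier observation that the GUI was reachable from any IP. It parses rule lines in the syntax the posts use (`IN ACCEPT -i eth1 -source <ip> -dest <ip> -p tcp -dport 8006`), applies the first matching rule, and falls back to the input policy when nothing matches. The IPs, the `192.0.2.77` "stranger" address and the `RULES_TEXT` block are constructed placeholders; the function names are this example's own.

```python
"""Toy first-match evaluator for Proxmox VE style firewall rule lines.

Added example, not Proxmox code.  It reads rule lines in the syntax used in
the thread (IN ACCEPT -i eth1 -source <ip> -dest <ip> -p tcp -dport 8006)
and applies them the way a host chain does: the first matching rule wins,
otherwise the direction's policy (policy_in in [OPTIONS]) decides.
All addresses are constructed placeholders from the RFC 5737 test ranges.
"""
import ipaddress
import shlex

EXT_IP = "203.0.113.5"      # constructed: the admin's external source IP
HOST_IP = "198.51.100.10"   # constructed: the Proxmox host node's IP

# Constructed rule set modelled on the two ACCEPT rules posted in the thread.
RULES_TEXT = f"""
IN ACCEPT -i eth1 -source {EXT_IP} -dest {HOST_IP} -p tcp -dport 8006 # Ext access to proxmox gui
IN ACCEPT -i eth1 -source {EXT_IP} -dest {HOST_IP} -p tcp -dport 22 # Ext access to hostnode ssh
"""

OPTION_NAMES = {"-i": "iface", "-source": "source", "-dest": "dest",
                "-p": "proto", "-dport": "dport", "-sport": "sport"}


def parse_rule(line):
    """Parse one rule line into a dict, or return None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()        # drop the trailing comment
    if not line:
        return None
    tokens = shlex.split(line)
    if len(tokens) < 2 or len(tokens) % 2:
        raise ValueError(f"malformed rule: {line!r}")
    rule = {"dir": tokens[0].upper(), "action": tokens[1].upper()}
    for flag, value in zip(tokens[2::2], tokens[3::2]):
        if flag not in OPTION_NAMES:
            raise ValueError(f"unsupported option {flag!r} in {line!r}")
        rule[OPTION_NAMES[flag]] = value
    return rule


def parse_rules(text):
    """Parse a [RULES]-style block, skipping blank lines and comments."""
    return [r for r in map(parse_rule, text.splitlines()) if r]


def _ip_match(pattern, addr):
    """A missing -source/-dest matches anything; otherwise IP or CIDR match."""
    if pattern is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    """-dport accepts a port, a lo:hi range, or a comma list of those."""
    if pattern is None:
        return True
    for part in pattern.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, pkt):
    """True if every option the rule specifies agrees with the packet."""
    return (rule["dir"] == pkt["dir"]
            and rule.get("iface") in (None, pkt["iface"])
            and _ip_match(rule.get("source"), pkt["src"])
            and _ip_match(rule.get("dest"), pkt["dst"])
            and rule.get("proto") in (None, pkt["proto"])
            and _port_match(rule.get("dport"), pkt["dport"]))


def evaluate(rules, pkt, policy_in="DROP"):
    """First matching rule decides; if none matches, the input policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return policy_in.upper()


def inbound(src, iface="eth1", dport=8006):
    """Build a constructed inbound TCP packet aimed at the host node."""
    return {"dir": "IN", "iface": iface, "src": src, "dst": HOST_IP,
            "proto": "tcp", "dport": dport}


def scenarios():
    """Return the thread's situations as (label, verdict) pairs."""
    rules = parse_rules(RULES_TEXT)
    stranger = "192.0.2.77"     # constructed: some unrelated Internet host
    # Rules written for eth0 while traffic really arrives on eth1, plus the
    # explicit "IN DROP -i eth1" catch-all: even the admin is locked out.
    mismatched = parse_rules(RULES_TEXT.replace("eth1", "eth0") + "IN DROP -i eth1\n")
    return [
        ("admin, policy DROP", evaluate(rules, inbound(EXT_IP), "DROP")),          # ACCEPT
        ("stranger, policy DROP", evaluate(rules, inbound(stranger), "DROP")),     # DROP
        ("stranger, policy ACCEPT", evaluate(rules, inbound(stranger), "ACCEPT")), # ACCEPT
        ("admin, rules on wrong iface", evaluate(mismatched, inbound(EXT_IP), "ACCEPT")),  # DROP
    ]


if __name__ == "__main__":
    for label, verdict in scenarios():
        print(f"{label:32} -> {verdict}")
```

The third scenario is the "reachable from any IP" symptom: two ACCEPT rules restrict nothing on their own, so with policy_in ACCEPT every source falls through to the permissive default, and only a DROP input policy (or an explicit trailing drop rule) makes the source restriction meaningful. The fourth scenario is Henry's interface suggestion: rules bound to one interface never match traffic arriving on another, so a catch-all drop then locks the admin out too. On the storage question, the datacenter-wide rules live in /etc/pve/firewall/cluster.fw and per-node rules in /etc/pve/nodes/<nodename>/host.fw; the real host chain also carries built-in rules and macro expansion that this toy model leaves out.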
 