Firewall cluster config

andy77
Jul 6, 2016
Hello @ all,

I am pretty new to Proxmox and am now trying to figure out how best to configure the firewall.

I have now done the following config at "datacenter" level:
http://prntscr.com/bt7143
http://prntscr.com/bt60pd

And have enabled the firewall at the nodes:
http://prntscr.com/bt60xf

So now, as I understand it, only port 22 should be fully open to anyone on eth0.
Ports 655 and 8006 are only open to the specified IPs.

And vmbr1 (local vpn network) is allowed everything.

Now when I port-scan my node from outside the local VPN, I see the following ports open:

22 - this is clear
25
110
119
143
465
563
587
993
995

So I do not understand why all these ports are open?

Thanks a lot for any help

Regards
Andy
 
Did you set the firewall option on the network device itself in the hardware tab? This is IMHO also necessary.

You can always check on the command line with

Code:
iptables -vnL

if there are rules and what they do. After setting up the firewall correctly, there should be rules in there.
 
The problem is that the firewall itself opens a lot of Proxmox VE ports like 8006 etc., so I ended up writing rules that explicitly close those ports:

Code:
root@pvelocalhost:~# iptables -vnL PVEFW-HOST-IN
Chain PVEFW-HOST-IN (1 references)
pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  140 12772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   23  4908 PVEFW-smurfs  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
    0     0 RETURN     2    --  *      *       0.0.0.0/0            0.0.0.0/0           
   23  4908 GROUP-proxmox-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    1    60 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x80000000/0x80000000
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:8006
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:3128
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:22
    0     0 RETURN     udp  --  *      *       10.192.0.0/16        10.192.0.0/16        udp dpts:5404:5405
    0     0 RETURN     udp  --  *      *       10.192.0.0/16        0.0.0.0/0            ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405
   22  4848 PVEFW-Reject  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 PVEFW-reject  all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]
    0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0

root@pvelocalhost:~# iptables -vnL GROUP-proxmox-IN
Chain GROUP-proxmox-IN (1 references)
pkts bytes target     prot opt in     out     source               destination         
   30  6631 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK and 0x7fffffff
    0     0 PVEFW-reject  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3128
    0     0 PVEFW-reject  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8006
    1    60 PVEFW-SET-ACCEPT-MARK  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  tcp dpt:22
    0     0 PVEFW-SET-ACCEPT-MARK  icmp --  *      *       0.0.0.0/0            0.0.0.0/0           [goto]  icmptype 8
   29  6571            all  --  *      *       0.0.0.0/0            0.0.0.0/0
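The two replies above suggest checking `iptables -vnL` and show what the PVEFW-HOST-IN chain looks like. In that listing the last rule hands everything to PVEFW-Reject, so the only packets that get through the host chain are the ones matched earlier by an ACCEPT, a RETURN or a PVEFW-SET-ACCEPT-MARK rule. The script below is an added example, not Proxmox VE code and not from anyone in the thread: it parses an `iptables -vnL <chain>` listing and prints which destination ports those passing rules cover and from which source (an ipset name or a source network), so the result can be compared line by line with a port scan. The embedded sample is a trimmed copy of the PVEFW-HOST-IN output posted above; on a node you would pipe `iptables -vnL PVEFW-HOST-IN` into `list_open_ports` instead.

```shell
#!/bin/sh
# Added example (not Proxmox VE code): summarize which destination ports a
# PVEFW host chain passes, and from where, from `iptables -vnL <chain>` output.
# Column layout assumed (as in the post above):
#   pkts bytes target prot opt in out source destination [extras...]

# Constructed sample: the PVEFW-HOST-IN listing quoted in the thread, trimmed.
SAMPLE_HOST_IN='Chain PVEFW-HOST-IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  140 12772 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:8006
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:22
    0     0 RETURN     udp  --  *      *       10.192.0.0/16        10.192.0.0/16        udp dpts:5404:5405
   22  4848 PVEFW-Reject  all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# list_open_ports: read a chain listing on stdin and print one line per rule
# that lets traffic through to a specific destination port, in the form
#   <proto> <port|lo:hi> <source>
# where <source> is "ipset:<name>" when the rule is restricted by an ipset,
# otherwise the rule's source column (0.0.0.0/0 means any host).
list_open_ports() {
    awk '
        NR <= 2 { next }            # skip the "Chain ..." line and the header
        $3 ~ /^(ACCEPT|RETURN|PVEFW-SET-ACCEPT-MARK)$/ {
            port = ""; src = $8
            # extras start at column 10; "[goto]" may appear there and is skipped
            for (i = 10; i <= NF; i++) {
                if ($i ~ /^dpts?:/) { port = $i; sub(/^dpts?:/, "", port) }
                if ($i == "match-set") { src = "ipset:" $(i + 1) }
            }
            if (port != "") print $4, port, src
        }'
}

# port_sources PORT: read a chain listing on stdin and print the source(s)
# allowed to reach TCP PORT, or "none" if no passing rule names it. A port
# that a scan reports open but that comes back "none" here is not being let
# through by this chain, so the answer has to be looked for elsewhere.
port_sources() {
    list_open_ports | awk -v p="$1" '
        $1 != "tcp" { next }
        {
            n = split($2, r, ":")
            lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            if (lo <= p + 0 && p + 0 <= hi) { print $3; found = 1 }
        }
        END { if (!found) print "none" }'
}

# Demo on the constructed sample; set PVEFW_DEMO=1 to run it.
if [ "${PVEFW_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$SAMPLE_HOST_IN" | list_open_ports
    printf 'port 25 allowed from: %s\n' "$(printf '%s\n' "$SAMPLE_HOST_IN" | port_sources 25)"
fi
```

Only the host chain is parsed here; the packet also has to be matched by the GROUP-... chain the host chain jumps to, so run the same function on that chain (`iptables -vnL GROUP-proxmox-IN | list_open_ports`) when comparing with a scan.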
 
Hmm, but shouldn't "Drop all incoming" do the same?
In my case it closes port 8006 (I had to explicitly allow this port for a specific IP), but others like 25 are still open and I don't know why.
 