Firewall crap !

AxelTwin

Well-Known Member
Oct 10, 2017
I would like to know other customers' opinions:

I am a senior IT consultant; I've been using Proxmox tools for almost 10 years and administering Linux systems and all types of firewalls for the same duration.
I love Proxmox, I've made many companies I've worked for switch to Proxmox PVE/PBS/PMG, and I spread the word about how great these tools are.
But honestly, I find the firewall GUI awful!
It is the opposite of user friendly, making it so easy to make mistakes!
I can't count how many times I lost remote hands on my system or how many times I realised there were security holes in my setup.

I am very interested to know what other people think about it.
Honestly, I'm not using the Firewall.
Either I'm using iptables inside the containers/VMs or OPNsense/pfSense in front.

But in my personal opinion, I don't see the Proxmox Firewall as useful at all; I mean I generally don't see a need for it, like even if it were perfect I wouldn't use it.
ESXi and other solutions don't even have a firewall, or at least nothing that I would use anyway.

I wouldn't expose the hypervisor node to the public internet anyway, no matter if it's Proxmox/ESXi/Nutanix/Hyper-V or anything else.
If you need a firewall, pass your NIC through to your OPNsense/pfSense VM and you're good.

Otherwise it's already perfect; I mean I don't see any benefit, why the Proxmox team should put more time into that firewall; they can put their time into the Proxmox core instead, which is a better use of it.
The firewall cannot be perfect; I mean it's basically iptables for now, and if it gets better it won't be enough anyway; people will then ask for dynamic rules which open ports only if needed, or something like IDS/IPS/Suricata etc...
And that will get very complicated very fast.
For such tasks there is OPNsense/pfSense or any other sort of firewall.

And anyway, Proxmox is very open, it's basically a Debian, so you can do whatever you want yourself.

So in short, yes it's not perfect, but it doesn't need to be.
We should instead be happy with what we already have and that Proxmox has got a major hypervisor without being a gigantic money-oriented company like Microsoft/Broadcom.

All I pray for every day is that nothing changes and no one will try to buy Proxmox xD
Cheers
But in my personal opinion, I don't see the Proxmox Firewall as useful at all; I mean I generally don't see a need for it, like even if it were perfect I wouldn't use it.
A compromised guest could disable the guest's iptables to break out, but not PVE's firewall.
There are security groups, aliases and IP sets that multiple guests might share, so less management is required to limit communication between guests of a subnet, where the OPNsense wouldn't help.
Well, while there are plenty of different setups and plenty of different ways to accomplish them or reach your needs, I assume that if there is a functionality implemented, it's made to be used and useful.
The Proxmox firewall is very useful to me for many reasons and the logic is good, but from the user experience point of view it can be improved.
We don't use it at all.
We deploy nftables with Ansible.
A compromised guest could disable the guest's iptables to break out, but not PVE's firewall.
There are security groups, aliases and IP sets that multiple guests might share, so less management is required to limit communication between guests of a subnet, where the OPNsense wouldn't help.
If the guest gets compromised, it's too late already in my opinion; then you have lost anyway.
Because the guest will have access to your network and there are multiple ways to break into everything, SSH/Samba and so on...

So my general approach is to block everything before that and inspect/monitor/prevent the ports where traffic flows anyway with a firewall.
PVE, no matter how, wouldn't provide anything useful there.

If something still gets into the internal network, sure, PVE could help there as an additional layer which simply blocks everything outgoing,
but in reality there is so much in your internal network that can get compromised that you need anyway, on every VM/computer/NAS/inter-VLAN routing switch/basically everything that can do networking, iptables or any sort of simple firewall / ACL / 802.11x / AD-DC FW / etc. to be halfway safe against internal intruders.

Additionally to that, there are from time to time QEMU escape vulnerabilities, where you can't even do much against them, and for sure there are still some that simply aren't reported.
So the issue I have here is anyway: if a hacker gets inside a VM, it doesn't matter what you do from here on or how you close up your internal network, it will simply be too late.
I'm not saying you shouldn't try to make everything as secure as possible, especially in a company; you absolutely should.
That's why I don't see the PVE firewall as that important; sure, it's nice to have, though. Simply as an additional layer.

I'd just prefer that the team puts their effort into really important things, like the hypervisor functions.

For example, if we have the option to decide between fixing NUMA so that a Windows 2019 VM doesn't run at 100%/crash, or implementing a more useful firewall.
Or provide and maintain an optimized kernel that is compiled with flags to support more modern hardware, like x86-64-v4, that simply runs faster, versus a more useful PVE firewall...
Or simply create more useful ZFS RAID arrays through the GUI, where you can do stripes of z1/2/3/mirrors, or add support for another cluster FS, or add QAT acceleration support for ZFS, or add a ZFS features web page, OR add support to migrate a VM/container through the GUI to another node in the cluster where the destination FS has a different name....

That's just what came into my mind in the 2 seconds while writing this, that I would prefer over a nicer firewall GUI.

Cheers
We don't use it at all.
We deploy nftables with Ansible.
I do the same. nftables on the Proxmox host, nftables on all Linux machines, and my Windows VMs use the Windows firewall because it's there. Then there is the router firewall that I use for routing between VLANs. Plus, with my KVM connected to the Proxmox host, I can log in to the CLI/console and revert any changes I made that locked me out.
I am very interested to know what other people think about it
We use security groups extensively and are very happy with them. I always miss this option in other big players like VMware, and it's hard to achieve the same level of security with pfSense or any other VM-based firewall, and the overhead of doing so is huge. At least in our setups, VM-based firewalling is always done in PVE and we only have a "real" firewall to external networks.

We have a simple setup named dmz that already has all the rules for minimal access to NTP, DNS and package mirrors for updates, and everything else is blocked by default (ingress and egress). This gets attached to each VM (as the last rule) so that we have a virtual DMZ around EVERY VM. Yes, setting it up was a longer process and you have to check a lot of places to really enable the firewall correctly per VM. We also have an automation that checks for a VM whether the firewall was correctly enabled by trying to reach a service that should NOT be reachable with an enabled dmz security group. This is also monitored, so that we can detect simple configuration errors of our basic security layer. We then have additional security groups for different server setups like answering HTTP/HTTPS, Mail or Samba. We even have NFS server security groups with hardwired NFS server ports that are also checked and corrected by automation.

As others said, I also think that VM firewalls from the hypervisor are a really good tool to cage VMs, yet they're not perfect.
You have to manually set up things like
  • VM can only use the IP that was configured for it (so no IP change in the VM)
  • VM can only use the MAC that was given and everything else is dropped
  • setting up a router VM with multiple NICs and firewalling them is a real PITA, yet doable
So in the end, I could configure what I wanted, yet some things (like the last point) took a lot of time.
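As an added example (not the poster's own automation), a small Python probe in the spirit of that check: for each VM it tries a TCP connect to a handful of canary ports that a default-deny "dmz" group must block, plus the ports the VM's extra group is meant to allow, and reports mismatches. The VM names, IP addresses and port lists are constructed for illustration.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed policy: for each VM, the management-side IP and the TCP ports its
# security group is meant to leave reachable. Everything else must be blocked
# by the default-deny "dmz" group attached as the last rule.
POLICY: Dict[str, dict] = {
    "web01": {"ip": "10.0.0.11", "allowed": {80, 443}},
    "nfs01": {"ip": "10.0.0.21", "allowed": {2049}},
}

# Canary ports probed on every VM: a VM caged by the dmz group should answer on
# none of these (unless its own group explicitly allows one of them).
CANARY_PORTS = (22, 111, 445, 3389)

Probe = Callable[[str, int, float], bool]


def tcp_probe(ip: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/dropped (timeout), unreachable
        return False


def audit_vm(policy: dict, probe: Probe = tcp_probe) -> List[Tuple[int, str]]:
    """Probe one VM; return (port, reason) findings that deviate from policy."""
    findings = []
    for port in sorted(set(CANARY_PORTS) | policy["allowed"]):
        reachable = probe(policy["ip"], port, 1.0)
        expected = port in policy["allowed"]
        if reachable and not expected:
            # The check the post describes: a blocked port answered, so the
            # firewall or the dmz group is most likely not enabled on this VM.
            findings.append((port, "reachable but should be blocked"))
        elif expected and not reachable:
            # Lower severity: the service or an allow rule may be missing.
            findings.append((port, "allowed by policy but not reachable"))
    return findings


def audit_all(policy: Dict[str, dict] = POLICY, probe: Probe = tcp_probe) -> Dict[str, list]:
    """Audit every VM in the policy; VMs with an empty list are compliant."""
    return {name: audit_vm(vm, probe) for name, vm in policy.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

Run from a host that sits outside the dmz rules (so that "blocked" really means blocked for it), and wire the non-empty results into whatever monitoring raises alerts.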
We also have an automation that checks for a VM whether the firewall was correctly enabled by trying to reach a service that should NOT be reachable with an enabled dmz security group.
That's a great idea. Will try that too.