Firewall flag function

Snel

New Member
Nov 28, 2018
Hi,

We are configuring the firewall for a couple of VMs. After enabling the firewall for each VM, it must be rebooted (cold).

We now want to enable the firewall option in hardware>network device for all VMs, and then disable the enable flag in Firewall>options by default.

1. The question now is: what exactly does this enable flag in Firewall>options do?

2. Will this solution have a negative impact on our nf_conntrack table? Will all the VMs affect the nf_conntrack table?

Or will the nf_conntrack table be affected only by the VMs for which the enable flag in Firewall>options is turned on?
 
> 1. The question now is: what exactly does this enable flag in Firewall>options do?

  • Enable / Disable at Datacenter level: Specifies if any firewall settings (in the whole cluster) are in effect at all
  • Enable / Disable at Host level: Specifies if firewall settings for traffic where the source or destination is host are in effect
  • Enable / Disable at VM / CT level: Specifies if the firewall rules defined for that host are in effect at the interfaces marked with firewall
See also https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html
 
Just for my understanding, which of these impact the connection tracking tables?

  • Enable at Datacenter level
  • Enable at Host level
  • Enable at VM / CT level
  • Adding actual rules
 
>>2. Will this solution have a negative impact on our nf_conntrack table? Will all the VMs affect the nf_conntrack table?
>Or will the nf_conntrack table be affected only by the VMs for which the enable flag in Firewall>options is turned on?

I think that all connections are going to the conntrack (but allowed by default if the VM doesn't have any firewall).
As a workaround, I think it's possible to manually add in the PREROUTING table:
-A PREROUTING -i tap.... -j NOTRACK
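Added example, not from the thread or from Proxmox itself, tying the two questions together: it reads the per-NIC firewall=1 flag and the VM-level [OPTIONS] enable flag from constructed config text, reports which NICs are effectively filtered, and computes conntrack table utilisation. The config layouts (/etc/pve/qemu-server/<vmid>.conf net lines, /etc/pve/firewall/<vmid>.fw) and the rule that a NIC is filtered only when both flags are set are assumptions taken from the answer above, with the datacenter and host flags assumed to be on.

```shell
#!/bin/sh
# Added example, not from the thread: which enable flags reach each VM NIC,
# plus a conntrack table pressure check.
# Assumed layouts: /etc/pve/qemu-server/<vmid>.conf lines like
#   "net0: virtio=...,bridge=vmbr0,firewall=1"
# and /etc/pve/firewall/<vmid>.fw holding "[OPTIONS]" with "enable: 1".

# NIC names (net0, net1, ...) whose hardware-level flag firewall=1 is set.
nics_with_firewall() {            # $1 = VM config text
    printf '%s\n' "$1" | awk -F': ' '
        /^net[0-9]+:/ && $2 ~ /(^|,)firewall=1(,|$)/ { print $1 }'
}

# 1 if "enable: 1" appears under [OPTIONS] in the .fw text, else 0.
vm_fw_enabled() {                 # $1 = .fw file text ("" when absent)
    printf '%s\n' "$1" | awk '
        /^\[/                              { sect = $0 }
        sect == "[OPTIONS]" && /^enable:/  { v = $2 }
        END { print (v == 1) ? 1 : 0 }'
}

# Per NIC: "netN filtered" only when the VM-level flag AND the NIC flag are
# set (assumption: datacenter and host flags are on and gate everything).
effective_state() {               # $1 = VM config text, $2 = .fw text
    vm_on=$(vm_fw_enabled "$2")
    for nic in $(nics_with_firewall "$1"); do
        if [ "$vm_on" = 1 ]; then echo "$nic filtered"
        else echo "$nic unfiltered (VM enable flag off)"; fi
    done
}

# Percentage of the conntrack table in use; explicit arguments override the
# live /proc counters so the check also runs on a host without netfilter.
conntrack_usage_pct() {           # $1 = count, $2 = max (both optional)
    count=${1:-$(cat /proc/sys/net/netfilter/nf_conntrack_count)}
    max=${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max)}
    echo $(( count * 100 / max ))
}

# Constructed sample input (not real configs).
SAMPLE_VM_CONF='net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1
net1: virtio=DE:AD:BE:EF:00:02,bridge=vmbr1
net2: virtio=DE:AD:BE:EF:00:03,bridge=vmbr0,firewall=1,tag=20'
SAMPLE_FW_OFF='[OPTIONS]
enable: 0
[RULES]
IN ACCEPT -p tcp -dport 22'

effective_state "$SAMPLE_VM_CONF" "$SAMPLE_FW_OFF"
echo "conntrack usage: $(conntrack_usage_pct 65536 262144)%"
```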