Firewall flag function

Discussion in 'Proxmox VE: Networking and Firewall' started by Snel, Nov 28, 2018.

  1. Snel

    Snel New Member

    Joined:
    Nov 28, 2018
    Messages:
    1
    Likes Received:
    0
    Hi,

    We are configuring the firewall for a couple of VMs. After enabling the firewall for each VM, it must be rebooted (cold).

    We now want to enable the firewall option in Hardware > Network Device for all VMs, and then disable the enable flag in Firewall > Options by default.

    1. The question now is: what does this enable flag in Firewall > Options do exactly?

    2. Will this solution have a negative impact on our nf_conntrack table? Will all the VMs affect the nf_conntrack table?

    Or will the nf_conntrack table be affected only by the VMs for which the enable flag in Firewall > Options is turned on?
     
  2. Richard

    Richard Proxmox Staff Member
    Staff Member

    Joined:
    Mar 6, 2015
    Messages:
    473
    Likes Received:
    13
    • Enable / Disable at Datacenter level: Specifies if any firewall settings (in the whole cluster) are in effect at all
    • Enable / Disable at Host level: Specifies if firewall settings for traffic where the source or destination is the host are in effect
    • Enable / Disable at VM / CT level: Specifies if the firewall rules defined for that host are in effect at the interfaces marked with firewall

    See also https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html
     
  3. yavuz

    yavuz New Member

    Joined:
    Jun 22, 2014
    Messages:
    21
    Likes Received:
    0
    Just for my understanding, which of these impact the connection tracking tables?

    Enable at Datacenter level
    Enable at Host level
    Enable at VM / CT level
    Adding actual rules
     
  4. spirit

    spirit Well-Known Member
    Proxmox VE Subscriber

    Joined:
    Apr 2, 2010
    Messages:
    3,196
    Likes Received:
    110
    >>2. Will this solution have a negative impact on our nf_conntrack table. Will all the VM's effect the nf_conntrack table?
    >Or will the nf_conntrack table be effected only by the vm's by which the enable flag in Firewall>options is turned on.

    I think that all connections go to conntrack (but are allowed by default if the VM doesn't have any firewall).
    As a workaround, I think it's possible to manually add in the PREROUTING table:
    -A PREROUTING -i tap.... -j NOTRACK
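A defender's check for the conntrack question raised in this thread, added here as example code that is not from any poster: it attributes the flows in /proc/net/nf_conntrack to guests by their IP addresses, since the table records addresses rather than tap interfaces. The sample lines and the IP-to-VMID map are constructed, not captured from a real host.

```python
import os
import re

# Constructed sample of /proc/net/nf_conntrack lines (not from a real host).
# Layout: l3proto, l3num, l4proto, l4num, timeout, [state], then the original-
# direction tuple (first src=/dst=) followed by the reply-direction tuple.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.10.0.11 dst=203.0.113.9 sport=51234 dport=443 src=203.0.113.9 dst=10.10.0.11 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=10.10.0.11 dst=203.0.113.9 sport=51240 dport=443 src=203.0.113.9 dst=10.10.0.11 sport=443 dport=51240 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.10.0.12 dst=10.10.0.1 sport=53211 dport=53 src=10.10.0.1 dst=10.10.0.12 sport=53 dport=53211 mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=198.51.100.7 dst=10.10.0.1 sport=40000 dport=22 src=10.10.0.1 dst=198.51.100.7 sport=22 dport=40000 [ASSURED] mark=0 zone=0 use=2
"""

# Hypothetical guest IP -> VMID map; in practice built from the guests' configs.
VM_BY_IP = {"10.10.0.11": 101, "10.10.0.12": 102}


def parse_entries(text):
    """Yield (l4proto, orig_src, orig_dst) per line; the first src=/dst= pair
    is the original direction of the flow."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        match = re.search(r"src=(\S+)\s+dst=(\S+)", line)
        if match:
            yield fields[2], match.group(1), match.group(2)


def entries_per_vm(text, vm_by_ip):
    """Count tracked flows per VMID, whether the guest originated the flow or
    received it. Flows matching no known guest IP (e.g. traffic to the host
    itself) are grouped under 'other'."""
    counts = {}
    for _proto, src, dst in parse_entries(text):
        key = vm_by_ip.get(src, vm_by_ip.get(dst, "other"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Reading the live table needs the nf_conntrack module loaded and root;
    # fall back to the constructed sample otherwise.
    path = "/proc/net/nf_conntrack"
    text = open(path).read() if os.access(path, os.R_OK) else SAMPLE_CONNTRACK
    for vmid, n in sorted(entries_per_vm(text, VM_BY_IP).items(), key=str):
        print(f"{vmid}: {n} tracked flows")
```

Comparing the totals with /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max shows how much of the table each guest occupies, regardless of whether that guest's own firewall flag is set.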
     