Firewall for only one VM possible?

mailinglists

Hi guys,

Is it possible to have the firewall enabled only for one KVM VM and not for the whole server?
Currently it seems it stops working if I disable the firewall on a global level (Datacenter).
 
Hi,

Yes you can do this.
Enable Firewall on Data-center level and set the Input and Output Policy to Accept.
Enable Firewall on Node level.
Firewall on VM vnic and configure your settings.
 
Thank you for your answer, wolfgang.

However, my question was whether the firewall on Data-center can be disabled (it creates chains which I do not want or need, chains like: PVEFW-*) while at the same time having it enabled just for a VM (tap*i*-*).

And to answer myself: no, it's _not_ possible, because VM-specific chains use global iptables chains. For example:
Code:
root@p21:~# iptables -t filter -L tap102i0-OUT | grep PVEFW
PVEFW-SET-ACCEPT-MARK  udp  --  anywhere  anywhere  [goto]  udp spt:bootpc dpt:bootps
DROP  all  --  anywhere  anywhere  ! match-set PVEFW-102-ipfilter-net0-v4 src
PVEFW-Drop  all  --  anywhere  anywhere

But I can live with that. :-)
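
An added example, not part of the original thread: a short Python audit that lists which PVEFW-prefixed chains and ipsets each per-VM tap chain depends on, given `iptables-save` output. The sample ruleset is constructed from the three rules shown in the post above, and the function name and chain-name pattern are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in `iptables-save` format, modelled on the three rules
# quoted in the thread; it is not captured from a real host.
SAMPLE = """\
*filter
:PVEFW-Drop - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:tap102i0-OUT - [0:0]
-A tap102i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A tap102i0-OUT -m set ! --match-set PVEFW-102-ipfilter-net0-v4 src -j DROP
-A tap102i0-OUT -j PVEFW-Drop
-A PVEFW-Drop -p udp -m udp --dport 67 -j DROP
COMMIT
"""

# Per-VM chains are assumed to be named tap<vmid>i<n>-IN / -OUT, as in the post.
TAP_CHAIN = re.compile(r"^tap\d+i\d+-(IN|OUT)$")


def global_dependencies(ruleset, prefix="PVEFW-"):
    """Map each per-VM tap chain to the PVEFW chains and ipsets its rules use."""
    deps = defaultdict(lambda: {"chains": set(), "ipsets": set()})
    for line in ruleset.splitlines():
        tokens = line.split()
        # Only rule lines ("-A <chain> ...") that belong to a tap chain matter.
        if len(tokens) < 2 or tokens[0] != "-A" or not TAP_CHAIN.match(tokens[1]):
            continue
        chain = tokens[1]
        # Walk adjacent token pairs: "-j X" / "-g X" targets, "--match-set X".
        for flag, value in zip(tokens[2:], tokens[3:]):
            if flag in ("-j", "-g") and value.startswith(prefix):
                deps[chain]["chains"].add(value)
            elif flag == "--match-set" and value.startswith(prefix):
                deps[chain]["ipsets"].add(value)
    return {c: {k: sorted(v) for k, v in d.items()} for c, d in deps.items()}


if __name__ == "__main__":
    for chain, d in global_dependencies(SAMPLE).items():
        print(chain, "-> chains:", d["chains"], "ipsets:", d["ipsets"])
```

On a real node the input would be the text produced by `iptables-save -t filter`; any tap chain that shows up in the result still needs the PVEFW-* objects to exist.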
 
