Proxmox 3.1 dist-upgraded over time to 3.4 (pve-manager/3.4-3/2fc72fee (running kernel: 2.6.32-37-pve))
I have finally taken the plunge with a free afternoon, and set up IP Sets, Security Groups, and Rules (in 'Datacenter' view). 2-host cluster, one simply a warm spare of the other. This will complement the existing router and host-based firewalls, and is primarily designed to keep any one compromised VM/CT from then being a launchpad to attack VMs.
But - I can't seem to get the firewall to enable?
VM/CT > 'Hardware/Network': Firewall ticked.
DC > Firewall > Options: Firewall enabled.
I have added each VM/CT as an IP Set (some have more than 1 IP, so this keeps them all together).
I have then added each VM/CT to a Security Group, referencing the IP Set. These then have rules within, e.g. 'allow SSH from management subnet'.
Finally, I add each Security Group to the Rules tab, and enable there as well.
Nothing seems to happen? I can disable the Rule or Security Group, and I can still access as before.
/etc/pve/firewall/cluster.fw shows enabled and all rules appear to be within. There are no errors in the logs that I can see. Just nothing happens.
What really obvious step am I missing here? (I have followed the Firewall Wiki to get to this point).
Thanks in advance.
UPDATE: Missed an 'Enable Firewall' option on the VM (boy, there's a lot of tick-boxes), but it also seems I have to add the Security Group to the VM 'Firewall Rules' tab to get it to work. I thought the Datacenter Firewall Rules tab would apply globally? Perhaps I misunderstood this?
UPDATE 2: Think this is mostly solved by my last update (and waiting 30 seconds for conn track to expire). Just curious what the Datacenter Rules view is for, if individual host rules still need to be added on each VM or CT. Maybe I just misunderstood its purpose!
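As an added example (not from the post and not Proxmox's own code), the layout the updates arrive at, written in the /etc/pve/firewall file format: the IP Set and Security Group are defined once in cluster.fw, and each guest's own <vmid>.fw must both enable the firewall and reference the group before anything is filtered. The checker below parses constructed sample files (names and addresses are made up) and lists what would still stop the guest's rules from taking effect.

```python
import re

# Constructed samples: a datacenter cluster.fw and two versions of a guest's <vmid>.fw.
CLUSTER_FW = """\
[OPTIONS]
enable: 1

[IPSET web01]
192.168.10.21
192.168.10.22

[group web01]
IN SSH(ACCEPT) -source 192.168.100.0/24  # allow SSH from management subnet
IN ACCEPT -dest +web01 -p tcp -dport 443

[RULES]
GROUP web01
"""
GUEST_FW_BROKEN = "[OPTIONS]\nenable: 0\n\n[RULES]\n"            # before the updates
GUEST_FW_FIXED = "[OPTIONS]\nenable: 1\n\n[RULES]\nGROUP web01\n"  # after the updates

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")

def parse_fw(text):
    """Split a pve-firewall file into {(SECTION, name): [active lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("|"):         # '|' marks a disabled rule
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).upper(), m.group(2))
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def enabled(sections):
    """Read 'enable:' from [OPTIONS]; pve-firewall defaults to disabled."""
    for line in sections.get(("OPTIONS", None), []):
        key, _, value = line.partition(":")
        if key.strip() == "enable":
            return value.strip() == "1"
    return False

def guest_rule_problems(cluster_text, guest_text):
    """Return reasons the guest's rules have no effect (empty list = OK)."""
    cluster, guest = parse_fw(cluster_text), parse_fw(guest_text)
    problems = []
    if not enabled(cluster):
        problems.append("datacenter firewall disabled")
    if not enabled(guest):
        problems.append("guest firewall option not enabled")
    defined = {name for kind, name in cluster if kind == "GROUP"}
    referenced = [l.split()[1] for l in guest.get(("RULES", None), [])
                  if l.upper().startswith("GROUP ")]
    if not referenced:
        problems.append("guest references no security group")
    problems += [f"group {g} not defined in cluster.fw" for g in referenced if g not in defined]
    return problems
```

Running `guest_rule_problems(CLUSTER_FW, GUEST_FW_BROKEN)` reports both missing pieces the post had to fix, while the fixed guest file yields an empty list.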