Firewall help (should be fairly quick....)

LeeS

New Member
Mar 30, 2015
Proxmox 3.1 dist-upgraded over time to 3.4 (pve-manager/3.4-3/2fc72fee (running kernel: 2.6.32-37-pve))

I have finally taken the plunge with a free afternoon, and set up IP Sets, Security Groups, and Rules (in 'Datacenter' view). 2-host cluster, one simply a warm spare of the other. This will complement the existing router and host-based firewalls, and is primarily designed to keep any one compromised VM/CT from then being a launchpad to attack VMs.

But - I can't seem to get the firewall to enable?

VM/CT > 'Hardware/Network': Firewall ticked.
DC > Firewall > Options: Firewall enabled.

I have added each VM/CT as an IP Set (some have more than 1 IP, so this keeps them all together).
I have then added each VM/CT to a Security Group, referencing the IP Set. These then have rules within, e.g. 'allow SSH from management subnet'.
Finally, I add each Security Group to the Rules tab, and enable there as well.

Nothing seems to happen? I can disable the Rule or Security Group, and I can still access as before.

/etc/pve/firewall/cluster.fw shows enabled and all rules appear to be within. There are no errors in the logs that I can see. Just nothing happens.

What really obvious step am I missing here? (I have followed the Firewall Wiki to get to this point).

Thanks in advance.

UPDATE: Missed an 'Enable Firewall' option on the VM (boy, there's a lot of tick-boxes), but it also seems I have to add the Security Group to the VM 'Firewall Rules' tab to get it to work. I thought the Datacenter Firewall Rules tab would apply globally? Perhaps I misunderstood this?

UPDATE 2: Think this is mostly solved by my last update (and waiting 30 seconds for conntrack to expire). Just curious what the Datacenter Rules view is for, if individual host rules still need to be added on each VM or CT. Maybe I just misunderstood its purpose! :)
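The switches this post ends up listing (datacenter enable, guest 'Enable Firewall' option, security group in the guest's rules, firewall flag on the NIC) can be checked together from the config files. The following is an added example, not part of the original post or Proxmox's own tooling; the file contents are constructed samples, the names `web01-sg` and `web01` are hypothetical, and the file layouts are assumed to follow the documented `cluster.fw`, `<vmid>.fw` and guest `.conf` formats.

```python
import re

# Constructed samples (not from the post) in the layout of
# /etc/pve/firewall/cluster.fw, /etc/pve/firewall/<vmid>.fw and the VM's .conf.
CLUSTER_FW = """[OPTIONS]
enable: 1
[IPSET web01]
192.0.2.10
[group web01-sg]
IN SSH(ACCEPT) -source +management
[RULES]
GROUP web01-sg
"""
VM_FW = "[OPTIONS]\nenable: 0\n[RULES]\n"
VM_CONF = "net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0\n"

def sections(text):
    """Split a .fw file into {lowercased section header: [rule/option lines]}."""
    out, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = out.setdefault(m.group(1).lower(), [])
        elif cur is not None:
            cur.append(line)
    return out

def enabled(secs):
    return any(re.fullmatch(r"enable:\s*1", l) for l in secs.get("options", []))

def uses_group(secs, group):
    # A leading "|" marks a disabled rule, so only active GROUP lines match.
    return any(re.fullmatch(rf"GROUP\s+{re.escape(group)}(\s.*)?", l, re.I)
               for l in secs.get("rules", []))

def check(cluster_fw, vm_fw, vm_conf, group):
    """Return the list of missing switches for one guest and one security group."""
    c, v, missing = sections(cluster_fw), sections(vm_fw), []
    if not enabled(c):
        missing.append("datacenter firewall not enabled")
    if f"group {group.lower()}" not in c:
        missing.append("security group not defined in cluster.fw")
    if not enabled(v):
        missing.append("guest firewall option not enabled")
    if not uses_group(v, group):
        missing.append("security group not referenced in guest rules")
    if not re.search(r"^net\d+:.*\bfirewall=1\b", vm_conf, re.M):
        missing.append("no NIC has firewall=1")
    return missing

if __name__ == "__main__":
    for problem in check(CLUSTER_FW, VM_FW, VM_CONF, "web01-sg"):
        print("MISSING:", problem)
```

A clean result only says the configuration is complete; established connections can still pass until their conntrack entries expire, as noted in UPDATE 2.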
 