Firewall in Cluster

[Ashley]

Currently:

DC Level :Firewall disabled (default)
Node Level : Firewall enabled (default)

Questions:

1/ With it disabled at DC Level will that also mean the firewall is automatically force ably disabled system wide?
2/ If I enabled firewall at DC level then the firewall will start to work at Node level and below when enabled
3/ I am using CEPH on my cluster (storage is on a separate network), do I need to do anything on the node FW to make sure it does not block the CEPH traffic? Or is the firewall only default active on the vmbr0 interface?

Thanks

 

[dietmar]

1/ With it disabled at DC Level will that also mean the firewall is automatically force ably disabled system wide?

Yes

2/ If I enabled firewall at DC level then the firewall will start to work at Node level and below when enabled

yes

3/ I am using CEPH on my cluster (storage is on a separate network), do I need to do anything on the node FW to make sure it does not block the CEPH traffic? Or is the firewall only default active on the vmbr0 interface?

There is a macro to enable ceph traffic.

 

[Ashley]

Yes



yes



There is a macro to enable ceph traffic.

Thanks, when you say a macro, is this fully automated within Proxmox code, nothing I need to enable before I enable the FW.

,Ashley

 

[dietmar]

is this fully automated within Proxmox code,

No.

 

[Ashley]

No.

Do you have a link to this "macro" within the WIKI/DOCS as I have had a look but can't see anything, or am I better just adding the CEPH port's required into the Firewall config manually?

 

[dietmar]

Do you have a link to this "macro" within the WIKI/DOCS as I have had a look but can't see anything, or am I better just adding the CEPH port's required into the Firewall config manually?

# man pve-firewall