So far I've one PVE node with two NIC. One is LAN (enp7s0 / vmbr0) and one is DMZ (enp8s0 / vmbr1). I would like to prevent anything on the DMZ from accessing the PVE Web UI. Can I do this using the Datacenter firewall UI? I tried the following from the Web but it didn't work when testing from a VM on the DMZ network. Direction: In Action: Drop Interface: vmbr1 Source: 172.16.16.0/24 Destination: 172.16.16.55 (my PVE server) Surprisingly, I found that it did work if I switched on the individual node firewall, but I assume that wouldn't scale well if/when I graduate to a cluster. Thanks
This post explained that you have to enable the firewall on node(s) in order for the Datacenter rules to take effect. (sorry, new users not allowed to post links: Google for kiloroot secure proxmox firewall) Only thing I'm not sure about is why they advocate Datacenter –> Firewall Tab –> Options –> Input Policy: ACCEPT Followed by adding a DROP rule. Drop appears to be the default now for the Datacenter firewall.
