Firewall limit Web UI access

Discussion in 'Proxmox VE: Networking and Firewall' started by Peso, Jan 5, 2019.

  1. Peso

    So far I've one PVE node with two NICs. One is LAN (enp7s0 / vmbr0) and one is DMZ (enp8s0 / vmbr1). I would like to prevent anything on the DMZ from accessing the PVE Web UI.

    Can I do this using the Datacenter firewall UI? I tried the following from the Web but it didn't work when testing from a VM on the DMZ network.

    Direction: In
    Action: Drop
    Interface: vmbr1
    Source: 172.16.16.0/24
    Destination: 172.16.16.55 (my PVE server)

    Surprisingly, I found that it did work if I switched on the individual node firewall, but I assume that wouldn't scale well if/when I graduate to a cluster.

    Thanks
     
  2. Peso

    This post explained that you have to enable the firewall on node(s) in order for the Datacenter rules to take effect.

    (sorry, new users not allowed to post links: Google for kiloroot secure proxmox firewall)

    Only thing I'm not sure about is why they advocate
    Datacenter –> Firewall Tab –> Options –> Input Policy: ACCEPT
    Followed by adding a DROP rule. Drop appears to be the default now for the Datacenter firewall.
     