Firewall limit Web UI access

Peso

New Member
Jan 5, 2019
2
0
1
So far I've one PVE node with two NIC. One is LAN (enp7s0 / vmbr0) and one is DMZ (enp8s0 / vmbr1). I would like to prevent anything on the DMZ from accessing the PVE Web UI.

Can I do this using the Datacenter firewall UI? I tried the following from the Web but it didn't work when testing from a VM on the DMZ network.

Direction: In
Action: Drop
Interface: vmbr1
Source: 172.16.16.0/24
Destination: 172.16.16.55 (my PVE server)

Surprisingly, I found that it did work if I switched on the individual node firewall, but I assume that wouldn't scale well if/when I graduate to a cluster.

Thanks
 
This post explained that you have to enable the firewall on node(s) in order for the Datacenter rules to take effect.

(sorry, new users not allowed to post links: Google for kiloroot secure proxmox firewall)

Only thing I'm not sure about is why they advocate
Datacenter –> Firewall Tab –> Options –> Input Policy: ACCEPT
Followed by adding a DROP rule. Drop appears to be the default now for the Datacenter firewall.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!