Firewall limit Web UI access

Peso

Jan 5, 2019
So far I've one PVE node with two NICs. One is LAN (enp7s0 / vmbr0) and one is DMZ (enp8s0 / vmbr1). I would like to prevent anything on the DMZ from accessing the PVE Web UI.

Can I do this using the Datacenter firewall UI? I tried the following from the Web but it didn't work when testing from a VM on the DMZ network.

Direction: In
Action: Drop
Interface: vmbr1
Source: 172.16.16.0/24
Destination: 172.16.16.55 (my PVE server)

Surprisingly, I found that it did work if I switched on the individual node firewall, but I assume that wouldn't scale well if/when I graduate to a cluster.

Thanks
 
This post explained that you have to enable the firewall on node(s) in order for the Datacenter rules to take effect.

(sorry, new users not allowed to post links: Google for kiloroot secure proxmox firewall)

Only thing I'm not sure about is why they advocate
Datacenter –> Firewall Tab –> Options –> Input Policy: ACCEPT
Followed by adding a DROP rule. Drop appears to be the default now for the Datacenter firewall.