Firewall log levels

hac3ru
Mar 6, 2021
Hello,

I have enabled the firewall at the DC, Host and VM level. Then, I've set the default policy on the VM to Drop, for both incoming and outgoing traffic. With loglevel set to debug and no rules, nothing goes through and the traffic is logged.
Now, from the datacenter level, I created some security groups, that I'm planning to use here. So here comes the question: what loglevel should I set at the security group level, on a per rule basis, to make it log?
The problem I have: right now, I have an IP set formed by all the private IPs, because I want to drop all traffic to private IPs and only allow this machine to reach the internet. The drop rules are set to debug. VM Firewall loglevel is set to debug. From my point of view, this should log at least something, but nothing shows up in the logs, so how do the VM Firewall loglevel and the Security Group rule loglevel play together?

P.S. the rules work as designed, the only thing not working is the logging.

Thank you!
 
Any log level should work, and your current setup should log output as well. Have you confirmed that the traffic is actually arriving at the VM via e.g. tcpdump on the host? Are you checking the Logs at the Datacenter level or at the VM level? VM logs are shown separately.

Otherwise, can you post your firewall configuration?

Code:
cat /etc/pve/firewall/cluster.fw
cat /etc/pve/firewall/<vmid>.fw
qm config <vmid>
 
Hey @shanreich, found out what's actually going on.
Logging seems to work, but it's on the host that's hosting the VM. So, the scenario:
1. Create a VM
2. Turn the firewall on
3. Assign a security group that has at least one rule with logging enabled (debug was used here)

I would expect the logs to turn on the VM itself, under VM -> Firewall -> Logs. They don't, but they do appear under Proxmox Host hosting the VM -> Firewall -> Logs.

Any way to change that? After all, the firewall rules are applied to the traffic the VM receives, not the PVE host itself.

If needed, yes, I can also post the firewall configs - will need to do some sanitation since there's a lot of stuff in there so it takes time. Let me know if you need those and I'll get to it.
 
Is this forwarded traffic (routed by the Host - e.g. in a Simple Zone) or bridged traffic (a simple linux bridge)?
 
Looked into this a bit further, this behavior seems to be particular to security groups + VMs...

pve-firewall creates a chain for each security group and jumps into it from the guest chains. Inside the chain we use the ID for the host when generating the logs. That one's probably impossible to fix without regenerating the security group once for each guest - which would lead to a sizable difference in generated rules :/
 
While I do understand the headache, the current implementation is of little to no use. If one has multiple hosts, with tens/hundreds of VMs on each host, logs become impossible to read.
Maybe one way of doing this is to add a flag / something to the logfile and based on that, the logs would be saved in a different location, from where the VM Logs is reading from?
 
The problem is that the log statements get created directly from the iptables statement:
Code:
-A GROUP-test_group-in-IN -p icmp -m limit --limit 1/sec -j NFLOG --nflog-prefix ":0:3:GROUP-test_group-in-IN: "

There's not really a way to parametrize that (that I know of), same goes for nflog-groups. With nftables it might be possible to do something with vmaps but I'd have to look further into it - to be quite honest.
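Since the NFLOG prefix of a security-group chain carries the host ID (the `:0:` above), the VMID column of the resulting log line cannot be used to tell guests apart, but the packet details on the same line still name the guest-side interfaces. The parser below is an added example, not code from this thread or from pve-firewall; it assumes the `VMID LOGLEVEL CHAIN TIMESTAMP ACTION: KEY=VALUE ...` layout of /var/log/pve-firewall.log and the `tap`/`veth`/`fwbr`/`fwln<vmid>i<n>` interface naming, and works on constructed sample lines. It recovers the guest VMID from those interface names so the lines can be re-grouped per VM for a log shipper.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout of /var/log/pve-firewall.log:
# "VMID LOGLEVEL CHAIN TIMESTAMP ACTION: KEY=VALUE ...". All values are made up.
# The first two lines come from a security-group chain, so VMID is 0 (the host).
SAMPLE_LOG = """\
0 3 GROUP-test_group-in-IN 06/Mar/2021:10:15:01 +0100 DROP: IN=fwbr100i0 OUT=fwbr100i0 PHYSIN=fwln100i0 PHYSOUT=tap100i0 MAC=00:11:22:33:44:55 SRC=10.0.0.5 DST=192.168.1.20 LEN=84 PROTO=ICMP
0 3 GROUP-test_group-out-OUT 06/Mar/2021:10:15:02 +0100 DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=tap101i0 PHYSOUT=fwln101i0 MAC=00:11:22:33:44:66 SRC=192.168.1.21 DST=172.16.5.9 LEN=60 PROTO=TCP SPT=45000 DPT=22
101 7 tap101i0-IN 06/Mar/2021:10:15:03 +0100 policy DROP: IN=fwbr101i0 OUT=fwbr101i0 PHYSIN=fwln101i0 PHYSOUT=tap101i0 MAC=00:11:22:33:44:66 SRC=192.168.1.50 DST=192.168.1.21 LEN=60 PROTO=TCP SPT=5555 DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<vmid>\d+) (?P<level>\d+) (?P<chain>\S+) (?P<ts>\S+ \S+) "
    r"(?P<action>[^:]+): (?P<rest>.*)$"
)
# Guest-side interface names carry the VMID: tap<vmid>i<n> (VMs), veth<vmid>i<n>
# (containers), fwbr/fwln<vmid>i<n> (per-guest firewall bridge and link).
IFACE_RE = re.compile(r"^(?:tap|veth|fwbr|fwln)(\d+)i\d+$")


def guest_from_ifaces(fields):
    """Recover the guest VMID from interface names, innermost (PHYS*) first."""
    for key in ("PHYSIN", "PHYSOUT", "IN", "OUT"):
        m = IFACE_RE.match(fields.get(key, ""))
        if m:
            return int(m.group(1))
    return None


def parse_line(line):
    """Parse one log line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    return {
        "logged_vmid": int(m["vmid"]),   # 0 for security-group chains (host ID)
        "guest_vmid": guest_from_ifaces(fields),
        "chain": m["chain"],
        "action": m["action"].strip(),
        "fields": fields,
    }


def group_by_guest(text):
    """Bucket log records by the recovered guest VMID, ignoring unparsable lines."""
    buckets = defaultdict(list)
    for rec in filter(None, map(parse_line, text.splitlines())):
        buckets[rec["guest_vmid"]].append(rec)
    return dict(buckets)
```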
 
Ok, different idea. Use something like alloy / loki to push the logs into and then show them in the VM logs based on the VM name / something?

I don't expect this to be up and running in a minute, I do realize it's going to take time and effort, I'm trying to come up with ideas to make that VM Logs usable.