Firewall management

[VGR]

Hi everybody.
Say, we have many VM in 10.42.x.y
One is on 10.42.a.b
Host is on 10.42.1.z and gateway is on 10.42.0.254

We need to reject all traffic from/to 10.42.a.b to/from 10.42.0.0/16 BUT accept all traffic from/to 10.42.a.b to/from 10.42.0.254

Say the rule in plain english,

1. Reject all traffic from 10.42.a.b to 10.42.0.0/16 except to 10.42.0.254
2. Reject all traffic from 10.42.0.0/16 except from 10.42.0.254 to 10.42.a.b
3. Accept all traffic from elsewhere to 10.42.a.b
4. Accept all traffic to elsewhere from 10.42.a.b

We cannot manage the way to write the correct rules ;(

 

[Dominic]

Hi!

You can set the firewall rules for your virtual machines on your PVE host either in the GUI (VM->Firewall->Add) or in the file `/etc/pve/firewall/vmId.fw`.

The following code is an example for this file that I've just created and tested. You can adapt it to your needs. It is for a VM with IP 192.168.25.129.

The VMs 192.168.25.144 to 192.168.25.146 (= your 10.42.x.y) can not ping or be pinged from 192.168.25.129 except to/from 192.168.25.145 (= your 10.42.0.254). Other machines can ping and be pinged from 192.168.25.145.

[OPTIONS]

enable: 1

[RULES]

IN ACCEPT -source 192.168.25.145
IN REJECT -source 192.168.25.144-192.168.25.146
IN ACCEPT
OUT ACCEPT -dest 192.168.25.145
OUT REJECT -dest 192.168.25.144-192.168.25.146
OUT ACCEPT

What is important in addition is that you follow the hints in our documentation. You especially have to enable the firewall on Datacenter level, for your VM and for your network interface device.