[SOLVED] Firewall not blocking on vm level

crazywolf13

Hi, I just wanted to set up firewalls like showcased in many of the YouTube videos.

Added the following datacenter rules: [screenshot]

Enabled firewall on datacenter, node and VM.

When experimenting on the datacenter level, traffic to the nodes can be controlled; for example, SSH is currently off, and this can be tested and verified.

However, I can still ping my VMs and LXCs, access them via SSH and connect to their webserver, but I expect the default "drop all incoming" to disable this.

Nonetheless, I created a "block all incoming" rule directly on the container: [screenshots]

I can still ping and access the VM normally, without any problems.


What do I need to do to get this firewall to block traffic on the VM/LXC level?
 
Hello everyone,
I have a similar question regarding my firewall (FW) configuration. I have enabled the FW, and it seems to be working, but not as expected.
Here's the situation:
  • I have disabled outgoing ICMP.
  • I start a ping (ping 1) to 8.8.8.8.
  • I enable the FW.
  • Ping 1 continues to work.
  • I start a new ping (ping 2) to 8.8.8.8, but it gets dropped/rejected.
  • I disable the FW.
  • Ping 1 was already working.
  • Ping 2 starts working as well.
Is this the typical behavior of FW rules, or am I doing something wrong?
I have two malware analysis machines and want to stop all network traffic from a host when I enable the FW rule, then allow traffic once the FW rule is disabled.
Additionally, can I set up a separate SD?
Thank you for your help!
 
This is most likely due to conntrack. Since you established the connection beforehand there is a conntrack table entry that allows the first connection. You could flush the conntrack table, but be aware that this affects ALL established connections on the host / guest.
 
In order to have a firewall at all, you need to have or simulate "state" (via connection tracking).

Say, you have a general "drop-all" rule. This would block all traffic from outside, even if you had a rule allowing outbound traffic, UNLESS you can discriminate between packets that are new versus packets that are just the answer to allowed outside traffic. The latter are in an "established state".

In your example, you had an established connection (ping 1), thus all answer packets still got through.
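The "established state" behaviour described in the two replies above, as an added example that is not part of any post in this thread: a constructed model of a stateful packet filter with a conntrack table, run through the ping 1 / ping 2 sequence from the question, including the conntrack flush mentioned earlier. The flow tuples, the `10.0.0.5` guest address and the ICMP echo identifiers are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model: a flow is (proto, src, src_id, dst, dst_id). For ICMP the
# "port" fields stand in for the echo identifier, which is what real conntrack
# uses to tell two concurrent pings to the same host apart.
Flow = tuple


def reverse(flow: Flow) -> Flow:
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)


@dataclass
class StatefulFirewall:
    enabled: bool = False
    drop_new_outbound: set = field(default_factory=set)  # protocols blocked when NEW
    conntrack: set = field(default_factory=set)          # tracked (established) flows

    def send(self, flow: Flow) -> bool:
        """Guest emits a packet; True if it leaves the host."""
        established = flow in self.conntrack or reverse(flow) in self.conntrack
        if self.enabled and not established and flow[0] in self.drop_new_outbound:
            return False                      # NEW packet hits the drop rule
        self.conntrack.add(flow)              # first allowed packet creates the entry
        return True

    def receive(self, flow: Flow) -> bool:
        """Reply from outside; only packets matching a tracked flow get back in."""
        return reverse(flow) in self.conntrack

    def flush(self) -> None:
        """Equivalent of clearing the conntrack table: every flow is NEW again."""
        self.conntrack.clear()


def scenario() -> dict:
    fw = StatefulFirewall(drop_new_outbound={"icmp"})   # "disable outgoing ICMP"
    ping1 = ("icmp", "10.0.0.5", 1, "8.8.8.8", 1)       # assumed guest, echo id 1
    ping2 = ("icmp", "10.0.0.5", 2, "8.8.8.8", 2)       # second ping, echo id 2
    r = {}
    r["ping1_before_enable"] = fw.send(ping1)           # FW off: passes, entry created
    fw.enabled = True
    r["ping1_after_enable"] = fw.send(ping1)            # established: still passes
    r["reply1_after_enable"] = fw.receive(reverse(ping1))
    r["ping2_after_enable"] = fw.send(ping2)            # NEW: dropped
    fw.flush()
    r["ping1_after_flush"] = fw.send(ping1)             # entry gone: now dropped too
    fw.enabled = False
    r["ping2_after_disable"] = fw.send(ping2)           # FW off: passes again
    return r
```

Note that `flush()` also kills ping 1, which is exactly the "affects ALL established connections" caveat from the reply above.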
 
Hello everyone, new to the Proxmox and OPNsense world! However, I successfully installed Proxmox and OPNsense, but Zenarmor is not blocking applications selected in the policy. Using the attached network settings for OPNsense in Proxmox; any guidance and help appreciated.
I can access the OPNsense interface from a machine outside the VM environment and see traffic sessions in Zenarmor as well. But it's not blocking anything.
 
Attachments: zenarmor interface scan.jpg, opnsensee-policy.jpg, opnsensee-1.jpg
