Firewall not working as Expected

Of course, in that case only outgoing (relative to the VM) traffic is filtered; incoming is still allowed.

From where to where with which rules applied?
Again, if you have outgoing traffic dropped, then services from the outside can still make an incoming (relative to your VM) connection. If you also drop incoming connections, then services from the outside will not be able to connect to your VM.

As expected

Because the traffic from within the VM to itself does not necessarily go through the filters as you might expect. Is there a reason you don't want this?
Yes, I don't want anyone to access port 25 within the VM either, because I don't want my clients to send spam from the VM. I want to allow the incoming connections of course, to receive mails, but I don't want anyone to send out mails.
If my client can access port 25 from the VM he can send out spam too, which is what I don't want at all.
Secondly, for example, if mail2web is able to make a connection to my VM, how can it even send out the mail when outgoing is blocked?

For testing I sent a mail from my IMAP email address to my random Gmail address and it went through, which is what I don't want at all.

My outgoing traffic rules are
DROP MAIL
DROP tcp OUTGOING 25
DROP tcp OUTGOING 26
DROP tcp OUTGOING AND INCOMING 465
DROP tcp OUTGOING AND INCOMING 587
 
Because the traffic from within the VM to itself does not necessarily go through the filters as you might expect. Is there a reason you don't want this?
No, I have other firewall rules where ports are blocked and they work as expected. They don't work within the VM either, as they should. It's only the SMTP ports that are causing issues.
I also tried to disable these ports from my VM's built-in firewall, but it still lets me connect to it.
I also tried to block incoming, which works as expected: when I send a mail to one of my emails on my mail server, I do not receive that email, which means it works fine. But I can still connect to SMTP port 25 in the VM when in and out are both blocked.
I will really appreciate your help regarding this.
 
In a quick test on my side SMTP ports are filtered as expected, so the firewall does what it should.
but I can still connect to SMTP port 25 in the VM when in and out are both blocked.

How do you connect to the service in that case? Via localhost or via public/local IP? Traffic to the VM itself via localhost will not be filtered, as stated.

Please post the output of cat /etc/pve/firewall/cluster.fw and cat /etc/pve/firewall/<VMID>.fw replacing <VMID> with the corresponding VM ID.
 
In a quick test on my side SMTP ports are filtered as expected, so the firewall does what it should.
but I want it to act within the VM too. All other ports which I have blocked also don't work within the VM. It's only the SMTP ports causing issues.
The firewall is of no use then if it's not acting within the VM; the client can send spam from his VM, which is not what I want at all.
How do you connect to the service in that case? Via localhost or via public/local IP? Traffic to the VM itself via localhost will not be filtered, as stated.
I use remote desktop to connect to the service using the IP allocated to the VM.
Please post the output of cat /etc/pve/firewall/cluster.fw and cat /etc/pve/firewall/<VMID>.fw replacing <VMID> with the corresponding VM ID.

OUTPUT FOR cat /etc/pve/firewall/cluster.fw

enable: 1
policy_out: ACCEPT

[RULES]

OUT DROP -i vmbr0 -p tcp -dport 25 -log nolog
OUT DROP -i vmbr0 -p tcp -dport 26 -log nolog
OUT DROP -i vmbr0 -p tcp -dport 2525 -log nolog
OUT DROP -i vmbr0 -p tcp -dport 587 -log nolog
OUT DROP -i vmbr0 -p tcp -dport 465 -log nolog
IN SSH(ACCEPT) -log nolog
IN ACCEPT -i vmbr0 -p icmp -log nolog
IN ACCEPT -i vmbr0 -p tcp -dport 4085 -log nolog
IN ACCEPT -i vmbr0 -p tcp -dport 4084 -log nolog
IN ACCEPT -i vmbr0 -p tcp -dport 4083 -log nolog
IN ACCEPT -i vmbr0 -p tcp -dport 4082 -log nolog
IN ACCEPT -i vmbr0 -p tcp -dport 4081 -log nolog
IN ACCEPT -i vmbr0 -p tcp -dport 8006 -log nolog

[group firewallrules]

OUT DROP -p tcp -dport 25 -log nolog
OUT DROP -p tcp -dport 587 -log nolog
OUT DROP -p tcp -dport 2525 -log nolog
OUT DROP -p tcp -dport 465 -log nolog
OUT DROP -p tcp -dport 26 -log nolog
OUT Mail(DROP) -log nolog
IN DROP -p tcp -dport 2525 -log nolog
IN ACCEPT -p tcp -dport 443 -log nolog
IN ACCEPT -p tcp -dport 80 -log nolog
IN ACCEPT -p tcp -dport 143 -log nolog
IN ACCEPT -p tcp -dport 25 -log nolog
IN IMAP(ACCEPT) -log nolog
IN MySQL(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 3389 -log nolog

OUTPUT FOR cat /etc/pve/firewall/<VMID>.fw

ipfilter: 0
enable: 1
policy_out: ACCEPT

[RULES]

GROUP firewallrules -i net0

P.S. firewallrules is the security group, which also has port 25 outgoing dropped and incoming accepted.
 
Sorry, but the firewall on the hypervisor level cannot interfere with traffic that is never leaving the VM (the host doesn't even get to see those packets!). You need to install/configure a firewall inside the VM if you want to disallow such traffic (or set up your MTA in the VM to reject the messages).

Very likely you aren't testing what you think you are testing if you see other intra-VM traffic being affected by the PVE firewall.
 
Sorry, but the firewall on the hypervisor level cannot interfere with traffic that is never leaving the VM (the host doesn't even get to see those packets!). You need to install/configure a firewall inside the VM if you want to disallow such traffic (or set up your MTA in the VM to reject the messages).

Very likely you aren't testing what you think you are testing if you see other intra-VM traffic being affected by the PVE firewall.
I can send emails, which means the traffic is leaving the VM but isn't being blocked by Proxmox.
Further help will be appreciated.
 
Maybe you can describe in more detail, step by step what you are doing and maybe provide the exact commands you are running. Because with the firewall rules you posted, there should be no outgoing traffic for the configured ports.

Edit: Further, you can check with tcpdump -i <interface> tcp port 25 for traffic on port 25 of the given <interface> to further debug this.
 
Maybe you can describe in more detail, step by step what you are doing and maybe provide the exact commands you are running. Because with the firewall rules you posted, there should be no outgoing traffic for the configured ports.

OK, so my clients want to receive mails only on their mail servers. Their mail servers are configured on port 25 for incoming and outgoing.
Since my clients don't want the mail server outgoing, I blocked it as I showed in the firewall rules. If I telnet from any other machine to their server it shows connection failed, as expected.
But if I telnet into port 25 from the same VM with the mail server, I can telnet into it and send mails, which can be abused a lot. This happens only with the SMTP ports; other outgoing blocked ports work as expected even if they aren't disabled from the Windows firewall within the machine. I have also tried to block port 25 outgoing from the Windows firewall and all, but all in vain. Maybe is there any other method you can suggest to try?
 
OK, so my clients want to receive mails only on their mail servers. Their mail servers are configured on port 25 for incoming and outgoing.
Since my clients don't want the mail server outgoing, I blocked it as I showed in the firewall rules. If I telnet from any other machine to their server it shows connection failed, as expected.
Yes, this you already established.
But if I telnet into port 25 from the same VM with the mail server, I can telnet into it and send mails, which can be abused a lot.
If outgoing ports are blocked, then sending emails to other mail servers should not be possible, regardless of whether you can connect to port 25 via telnet from within the VM or not. This has nothing to do with establishing a connection from within the VM.

Please verify that the traffic is truly leaving using tcpdump as suggested.

Maybe is there any other method you can suggest to try?
You can try to set up rules for sending mails in your MTA which disallow sending mails, or use dedicated software such as Proxmox Mail Gateway, which is designed to achieve this, see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html
 
Yes, this you already established.

If outgoing ports are blocked, then sending emails to other mail servers should not be possible, regardless of whether you can connect to port 25 via telnet from within the VM or not. This has nothing to do with establishing a connection from within the VM.

Please verify that the traffic is truly leaving using tcpdump as suggested.


You can try to set up rules for sending mails in your MTA which disallow sending mails, or use dedicated software such as Proxmox Mail Gateway, which is designed to achieve this, see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html
Yes, I checked and it goes through port 25 outgoing.
I tried to change all outgoing traffic to DROP and then I wasn't able to connect or telnet to port 25 from the VM, which is what I wanted, but the problem is that I wasn't able to access any website etc. either. Is there any universal port to allow surfing all of the internet and accessing applications and all that stuff?
 
Yes, I checked and it goes through port 25 outgoing.
I tried to change all outgoing traffic to DROP and then I wasn't able to connect or telnet to port 25 from the VM, which is what I wanted, but the problem is that I wasn't able to access any website etc. either. Is there any universal port to allow surfing all of the internet and accessing applications and all that stuff?
For surfing only HTTP and HTTPS are required, so ports 80 and 443, both outgoing, must be allowed.
 
For surfing only HTTP and HTTPS are required, so ports 80 and 443, both outgoing, must be allowed.
Already tried, but sadly it doesn't work. I am not able to connect to websites or open any applications. It gives me a "no internet" error.
If dropping outgoing blocks SMTP, then is there any port that needs to be blocked on Proxmox to avoid outgoing port 25?
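One way to reach the default-deny egress the last few posts are circling around, as an added example that is not part of the thread and not a Proxmox-provided configuration: the group name receive_only_mail, the VMID and the set of allowed ports are assumptions to adapt. A likely reason that allowing only 80 and 443 still gave a "no internet" error, not confirmed in the thread, is that with policy_out set to DROP the guest can no longer resolve names, so DNS (UDP and TCP 53) has to be allowed explicitly as well.

```ini
# /etc/pve/firewall/cluster.fw  -- add this group next to the existing ones
[group receive_only_mail]

OUT ACCEPT -p udp -dport 53 -log nolog    # DNS; without this every site "has no internet"
OUT ACCEPT -p tcp -dport 53 -log nolog
OUT ACCEPT -p udp -dport 123 -log nolog   # NTP
OUT ACCEPT -p icmp -log nolog
OUT ACCEPT -p tcp -dport 80 -log nolog    # HTTP
OUT ACCEPT -p tcp -dport 443 -log nolog   # HTTPS
OUT Mail(DROP) -log warning               # 25/465/587: redundant under policy_out DROP, but logged
OUT DROP -p tcp -dport 26 -log warning
OUT DROP -p tcp -dport 2525 -log warning
IN ACCEPT -p tcp -dport 25 -log nolog     # inbound SMTP delivery still works
IN IMAP(ACCEPT) -log nolog
IN ACCEPT -p tcp -dport 3389 -log nolog

# /etc/pve/firewall/<VMID>.fw  -- replace <VMID> with the VM's ID
[OPTIONS]

enable: 1
policy_in: DROP
policy_out: DROP                          # everything not accepted above is dropped

[RULES]

GROUP receive_only_mail -i net0
```

Because the PVE firewall is stateful (the earlier observation that dropping OUT does not stop inbound connections relies on this), packets belonging to an accepted inbound SMTP session still flow with policy_out DROP, so mail delivery into the VM keeps working while new outbound connections on 25/465/587 are dropped and, with -log warning, show up in /var/log/pve-firewall.log on the host; that log is the quickest way to see which other outbound ports the clients' applications need added to the group. None of this changes what was established above: a telnet from inside the VM to its own port 25 never crosses the tap interface, so only an in-guest firewall or the MTA's own relay restrictions can stop that.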
 
