Firewall protection on Proxmox 3.0

2creatives

New Member
Aug 16, 2013
Hello,

I am looking for a good way to install a firewall on my new Proxmox 3.0 server.
I found a lot of links with howtos to install Shorewall, pfSense and other firewall scripts, but all of these howtos are based on Proxmox 2.x and do not provide me a good step-by-step installation example to do the trick.

Is there anyone who can give me a good step-by-step installation guide to get my Proxmox 3.0 server secured and ready to bring to the datacenter?

With kind regards,

Bas
 
I have just successfully installed and configured UFW (Uncomplicated Firewall) on my Proxmox server.
It seems that I am able to get my server secured, but there is just one more thing. I can create a KVM and it is able to bring up its own NIC in the virtual machine, so that is great.

The problem is that OpenVZ containers don't have their own NIC, so traffic is blocked by the firewall rules I set for the Proxmox node.
Does anyone know how to fix this? If I can get this to work, I have the perfect solution for me.
 
# ufw deny from 192.168.0.100
# ufw allow from 192.168.0.101

My Proxmox server ip is 192.168.1.80

I created an OpenVZ container and assigned IP 192.168.1.55 to it via the interface.
Then I added the following rule:

# ufw allow from 192.168.1.55

Now, when I enable the firewall I cannot ping the OpenVZ container on its IP (192.168.1.55) from my laptop in the same subnet.
When I disable the firewall I can ping and access the container.

This is exactly my problem :-(
 
But can you access the container?
I expect ufw by default drops all ping ICMP requests but that does not automatically imply the container is down.
 
When I have enabled the firewall I cannot access the container at all. If I disable the firewall it all works :-(

I only have this problem with OpenVZ containers. KVM's are working well.
 
(I get messages like: Aug 18 13:17:37 vps apf(7421): {glob} could not verify that interface eth0 is routed to a network, aborting. )

If you're using a bridged network configuration, then in your /etc/apf/conf.apf the interface should be like this:

IFACE_IN="vmbr0"
IFACE_OUT="vmbr0"

and not eth0.
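
An added example, not part of the thread and not APF's own code: a pre-flight check that reads IFACE_IN and IFACE_OUT from an APF-style config and looks for each interface in saved `ip -4 route show` output, which approximates the condition behind the "could not verify that interface eth0 is routed" message. The function names, the file names, the gateway address and the sample routing table are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the interfaces in an APF config actually carry a route.

# Print the value of KEY ($1) from an APF-style conf file ($2).
apf_conf_value() {
    awk -F= -v key="$1" '$1 == key { v = $2; sub(/#.*/, "", v); gsub(/[" \t]/, "", v); val = v }
                         END { print val }' "$2"
}

# Succeed if interface $1 appears as "dev <iface>" in the saved
# `ip -4 route show` output in file $2.
iface_is_routed() {
    awk -v ifc="$1" '{ for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) == ifc) found = 1 }
                     END { exit !found }' "$2"
}

# Check IFACE_IN and IFACE_OUT from conf $1 against routes $2; return 1 on any miss.
check_apf_ifaces() {
    rc=0
    for key in IFACE_IN IFACE_OUT; do
        ifc=$(apf_conf_value "$key" "$1")
        if [ -n "$ifc" ] && iface_is_routed "$ifc" "$2"; then
            echo "$key=$ifc: routed"
        else
            echo "$key=${ifc:-<unset>}: no route uses this interface"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data for a bridged Proxmox host (not taken from a real system).
write_samples() {
    printf '%s\n' 'default via 192.168.1.1 dev vmbr0' \
        '192.168.1.0/24 dev vmbr0 proto kernel scope link src 192.168.1.80' \
        '192.168.1.55 dev venet0 scope link' > "$1/routes.txt"
    printf 'IFACE_IN="eth0"\nIFACE_OUT="eth0"\n' > "$1/conf.apf.eth0"
    printf 'IFACE_IN="vmbr0"\nIFACE_OUT="vmbr0"\n' > "$1/conf.apf.vmbr0"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
# eth0 is only a bridge port here, so no route names it and the check fails.
check_apf_ifaces "$demo_dir/conf.apf.eth0" "$demo_dir/routes.txt" || echo "eth0 config fails the check"
check_apf_ifaces "$demo_dir/conf.apf.vmbr0" "$demo_dir/routes.txt"
```

On a live host, save `ip -4 route show` to a file and pass it together with /etc/apf/conf.apf to `check_apf_ifaces` before enabling the firewall.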
 
