Hello Proxmox Community,
I'm working on implementing a comprehensive security solution for my Proxmox VE 9 environment that combines the native Proxmox firewall with CrowdSec's collaborative threat intelligence. I'd like to share my planned architecture and gather feedback from experienced users.
Current Environment
- Proxmox VE 9 (nftables-based native firewall enabled)
- Multiple LXC containers and VMs running various services
- Currently using nftables for custom firewall rules
Project Goals
My objective is to create a layered security approach where:
- Proxmox native firewall handles traditional perimeter defense with stateful packet filtering, network isolation, and micro-segmentation between VMs/containers
- CrowdSec provides behavioral analysis, collaborative threat intelligence, and automated blocking of malicious actors
Proposed Architecture
Option A: CrowdSec on Proxmox Host
Install CrowdSec directly on the Proxmox host with the nftables bouncer, creating a centralized LAPI server that protects the hypervisor and all VMs/containers at the network level. Deploy lightweight CrowdSec agents on individual LXC/VMs to parse local logs (Apache, SSH, etc.) and report suspicious IPs back to the central LAPI.
Advantages:
- Centralized management and dashboard
- Single point for bouncer rules (blocks at hypervisor level)
- Protects Proxmox infrastructure itself
- Minimal overhead on guest systems
Considerations:
- Potential impact on host stability
- Integration complexity with Proxmox datacenter firewall
Option B: Dedicated LXC Container
Create a privileged LXC container specifically for CrowdSec with the nftables bouncer, then configure agent-only installations on other containers/VMs that report to this central instance.
Advantages:
- Isolation from host system
- Easier backup/restore and migration
- Can leverage Proxmox Helper-Scripts for simplified deployment
Considerations:
- How to effectively integrate bouncer rules with Proxmox firewall at datacenter level?
- Network topology considerations for agent-to-LAPI communication
Technical Questions
- nftables Integration: Since Proxmox 9 uses the new proxmox-firewall service exclusively with nftables, how can I ensure CrowdSec's nftables bouncer doesn't conflict with Proxmox's managed tables? My understanding is that CrowdSec creates separate crowdsec and crowdsec6 tables with priority -10, but I'd appreciate confirmation from anyone running this setup.
- Datacenter Firewall Integration: Is there a way to integrate CrowdSec decisions with the Proxmox datacenter firewall so blocked IPs are reflected across all VMs/containers automatically? The Proxmox API supports IP sets - could this be leveraged?
- Performance Impact: For those running CrowdSec on Proxmox hosts, have you noticed any performance degradation, especially with the bouncer actively updating nftables rules?
- Log Collection: What's the recommended approach for collecting logs from multiple LXC/VMs to the central CrowdSec instance? NFS share, rsyslog forwarding, or agent-based collection?
Expected Benefits
- Collaborative defense: Automatic protection against IPs flagged by the global CrowdSec community
- Behavioral detection: Identify brute force, port scans, and exploitation attempts that static firewall rules might miss
- Reduced manual intervention: Automated blocking and unblocking based on threat intelligence
- Centralized visibility: Single dashboard for security events across the entire infrastructure
Implementation Plan
- Test deployment in LXC container on isolated VLAN
- Configure nftables bouncer and verify no conflicts with proxmox-firewall
- Install agents on test VMs and validate log parsing
- Monitor performance and rule propagation
- Gradually expand to production systems
- Best practices for CrowdSec placement (host vs. container)
- Integration strategies with Proxmox native firewall
- Common pitfalls to avoid
- Performance tuning recommendations
System Specs:
- Proxmox VE 9.x
- nftables enabled
- Mix of LXC containers and KVM VMs
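As an added illustration of the "Datacenter Firewall Integration" question above (example code, not part of the original post and not code from the CrowdSec or Proxmox projects): a small reconciler that reads CrowdSec's decision stream and turns it into add/delete operations against a Proxmox datacenter IP set. The reconciliation logic is pure and testable; the two HTTP helpers assume the CrowdSec LAPI endpoint `GET /v1/decisions/stream` with an `X-Api-Key` bouncer key, the Proxmox endpoints under `/api2/json/cluster/firewall/ipset/<name>`, API-token authentication, and an IP set named `crowdsec`. Verify those paths and the exact response shapes against your own versions before relying on them.

```python
"""Reconcile CrowdSec LAPI decisions into a Proxmox datacenter firewall IP set.

Assumptions (not taken from the forum post):
  - CrowdSec LAPI: GET /v1/decisions/stream[?startup=true], header X-Api-Key,
    returning {"new": [decision, ...], "deleted": [decision, ...]} where a
    decision has "value" and "scope" ("Ip" or "Range" are the ones we can use).
  - Proxmox: GET  /api2/json/cluster/firewall/ipset/<name>        -> {"data": [{"cidr": ...}, ...]}
             POST /api2/json/cluster/firewall/ipset/<name>        (form field cidr=...)
             DELETE /api2/json/cluster/firewall/ipset/<name>/<cidr>
    authenticated with header Authorization: PVEAPIToken=<user>@<realm>!<id>=<secret>.
"""
import ipaddress
import json
import urllib.parse
import urllib.request

IPSET_NAME = "crowdsec"  # assumed name of the datacenter-level IP set


def normalize(cidr):
    """Canonical CIDR string ('203.0.113.7' -> '203.0.113.7/32'); None if not parseable."""
    try:
        return str(ipaddress.ip_network(cidr, strict=False))
    except ValueError:
        return None


def decision_to_cidr(decision):
    """Map one CrowdSec decision to a CIDR; ignore scopes (Country, AS, ...) an IP set cannot hold."""
    if decision.get("scope", "").lower() not in ("ip", "range"):
        return None
    return normalize(decision.get("value", ""))


def current_ipset_cidrs(entries):
    """Canonicalize the 'cidr' field of each Proxmox IP set entry so both sides compare equal."""
    return {c for c in (normalize(e.get("cidr", "")) for e in entries) if c}


def plan_ipset_changes(stream, current_cidrs):
    """Return (to_add, to_delete) needed to make the IP set reflect the decision stream.

    A CIDR that appears in both 'new' and 'deleted' in the same batch (decision
    renewed) is kept, and we never try to delete an entry that is not present.
    """
    current = set(current_cidrs)
    new = {c for c in map(decision_to_cidr, stream.get("new", [])) if c}
    deleted = {c for c in map(decision_to_cidr, stream.get("deleted", [])) if c}
    to_add = sorted(new - current)
    to_delete = sorted((deleted & current) - new)
    return to_add, to_delete


def fetch_decisions(lapi_url, bouncer_key, startup=False):
    """Pull the decision stream from the LAPI (startup=True asks for the full current state)."""
    url = f"{lapi_url.rstrip('/')}/v1/decisions/stream?startup={'true' if startup else 'false'}"
    req = urllib.request.Request(url, headers={"X-Api-Key": bouncer_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def pve_request(pve_url, token, method, path, form=None):
    """Minimal Proxmox API call; form fields are sent urlencoded as the API expects."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(f"{pve_url.rstrip('/')}/api2/json{path}", data=data, method=method,
                                 headers={"Authorization": f"PVEAPIToken={token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("data")


def sync_once(lapi_url, bouncer_key, pve_url, token, startup=False):
    """One reconciliation pass: read decisions, diff against the IP set, apply the changes."""
    stream = fetch_decisions(lapi_url, bouncer_key, startup)
    entries = pve_request(pve_url, token, "GET", f"/cluster/firewall/ipset/{IPSET_NAME}") or []
    to_add, to_delete = plan_ipset_changes(stream, current_ipset_cidrs(entries))
    for cidr in to_add:
        pve_request(pve_url, token, "POST", f"/cluster/firewall/ipset/{IPSET_NAME}",
                    {"cidr": cidr, "comment": "crowdsec"})
    for cidr in to_delete:
        # The CIDR goes in the path, so the '/' of the prefix length must be escaped.
        pve_request(pve_url, token, "DELETE",
                    f"/cluster/firewall/ipset/{IPSET_NAME}/{urllib.parse.quote(cidr, safe='')}")
    return to_add, to_delete


# Constructed sample data (not real decisions) to exercise the planner offline.
SAMPLE_STREAM = {
    "new": [
        {"value": "203.0.113.7", "scope": "Ip", "type": "ban"},
        {"value": "198.51.100.0/24", "scope": "Range", "type": "ban"},
        {"value": "XX", "scope": "Country", "type": "ban"},   # not representable in an IP set
    ],
    "deleted": [
        {"value": "192.0.2.9", "scope": "Ip", "type": "ban"},
        {"value": "203.0.113.7", "scope": "Ip", "type": "ban"},  # renewed in the same batch
    ],
}
SAMPLE_IPSET = [{"cidr": "192.0.2.9"}, {"cidr": "192.0.2.10/32"}]

if __name__ == "__main__":
    print(plan_ipset_changes(SAMPLE_STREAM, current_ipset_cidrs(SAMPLE_IPSET)))
```

Run `sync_once()` from a timer (cron or a systemd timer) with `startup=True` on the first pass so the set is seeded with the full decision list. The IP set blocks nothing by itself: a datacenter-level rule that drops traffic with source `+crowdsec` is still needed, and the Proxmox firewall has to be enabled on the guests that should inherit it.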