firewall question & help

vesuvienne (Member, Jun 7, 2024)
hi team!
some questions and observations about the firewall:

* if I need to allow "any source", do I need to leave the "source" field blank in the firewall GUI?

* does the Datacenter firewall work only if you are in a cluster?

* I have some strange behavior with the order of the rules in the VM firewall (I don't know if it is normal)
- if I put a rule at the end (example: SSH) I can't SSH into the VM
- if I change the order and put it first, it works
so I think the order has an effect, no? if someone can give me some advice
thx!
* if I need to allow "any source", do I need to leave the "source" field blank in the firewall GUI?
Yes

* does the Datacenter firewall work only if you are in a cluster?
No, it should also work if you have a single node; when you add additional nodes they also get the same rules applied

so I think the order has an effect, no? if someone can give me some advice
Yes, rules are evaluated in order (from top to bottom); the first matching rule 'wins'
Yes, rules are evaluated in order (from top to bottom); the first matching rule 'wins'
thx, so DROP should always be at the bottom?
No, it should also work if you have a single node; when you add additional nodes they also get the same rules applied
so I have a single node, without a cluster
I added these rules under Datacenter -> Firewall
[attached screenshot: 1721637535372.png]
but it locked me out, I can not access my GUI or SSH into my node

* if I put these rules directly on my PVE node it works, any clue?
thx
thx, so DROP should always be at the bottom?
You can set the default policy in the datacenter settings, so it is not necessary to explicitly add it as a rule at the bottom

but it locked me out, I can not access my GUI or SSH into my node
do you have any rules in the host firewall? host rules come before datacenter rules
You can set the default policy in the datacenter settings, so it is not necessary to explicitly add it as a rule at the bottom
If I remember correctly, the default datacenter firewall policy DROPs everything and ACCEPTs SSH (22) and the GUI (8006) by default
do you have any rules in the host firewall? host rules come before datacenter rules
oh!!! thx, I understand now, yeah I put DROP on my PVE node
So I need to choose between using the PVE firewall or the Datacenter firewall
So I need to choose between using the PVE firewall or the Datacenter firewall
You can use both at the same time. Datacenter is for creating rules on EVERY node, host firewall is for creating or overriding rules on a specific node. Just don't add a blanket drop statement in any ruleset - you can do that via setting the default in/out policy.
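An added example (my own code, not Proxmox's pve-firewall) that models the evaluation order this thread arrives at: host rules are checked before datacenter rules, the first match wins, and the datacenter default policy handles whatever nothing matched. It reads a simplified version of the `.fw` rule-file format; the rule files, the admin LAN 192.168.1.0/24 and the packets are constructed, and the parser understands only the few flags used here.

```python
import ipaddress

def parse_fw(text):
    # Minimal parser for [OPTIONS]/[RULES]; only the -p, -dport and -source flags are handled.
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif section == "OPTIONS":
            key, value = (s.strip() for s in line.split(":", 1))
            options[key] = value
        elif section == "RULES":
            parts = line.split()                        # e.g. IN ACCEPT -p tcp -dport 22
            rule = {"dir": parts[0], "action": parts[1]}
            rule.update(zip((f.lstrip("-") for f in parts[2::2]), parts[3::2]))
            rules.append(rule)
    return options, rules
def matches(rule, pkt):
    # Direction, protocol and port must agree; -source is a CIDR the packet's source must fall in.
    if rule["dir"] != "IN" or rule.get("p", pkt["proto"]) != pkt["proto"]:
        return False
    if int(rule.get("dport", pkt["dport"])) != pkt["dport"]:
        return False
    return "source" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["source"])
def verdict(host_fw, cluster_fw, pkt):
    # Host rules first, then datacenter rules; first match wins, otherwise datacenter policy_in decides.
    dc_opts, dc_rules = parse_fw(cluster_fw)
    for rule in parse_fw(host_fw)[1] + dc_rules:
        if matches(rule, pkt):
            return rule["action"]
    return dc_opts.get("policy_in", "DROP")

# Constructed rule files reproducing the lockout described in the thread.
LOCKED_OUT_HOST = "[RULES]\nIN DROP   # blanket drop on the node: hit before any datacenter rule\n"
FIXED_HOST = "[RULES]\n# no blanket DROP; unmatched traffic falls through to policy_in in cluster.fw\n"
CLUSTER_FW = """[OPTIONS]
enable: 1
policy_in: DROP
[RULES]
IN ACCEPT -p tcp -dport 22 -source 192.168.1.0/24     # SSH from the admin LAN
IN ACCEPT -p tcp -dport 8006 -source 192.168.1.0/24   # web GUI from the admin LAN
"""
def pkt(dport, src="192.168.1.10"):
    return {"proto": "tcp", "dport": dport, "src": src}  # constructed inbound TCP packet

for label, host in (("blanket DROP in host.fw", LOCKED_OUT_HOST), ("fixed host.fw", FIXED_HOST)):
    print(label, [verdict(host, CLUSTER_FW, pkt(d)) for d in (22, 8006, 3306)])
```

With the blanket DROP in the host file every inbound packet is dropped before the datacenter ACCEPT rules are even consulted; with the host file cleaned up, SSH and the GUI from the admin LAN are accepted and everything else falls through to policy_in.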