Firewall questions

[dpearceFL]

Proxmox 8.1.3 - So we have a firewall at the Datacenter, Node and VM level. I want to add a rule so that all VMs cannot access a computer (not on Proxmox) on a specific IP addresses. Do I need to add the DROP rule on each VM or can I put one DROP rule at the Node level?

On a firewall rule, if I leave the "Interface" or "Protocol" fields blank, does that mean all interfaces or all protocols apply? Or is this an invalid rule?

So does a rule at the DC level apply to each node in a cluster? Does it apply to the VMs in the cluster?

Thanks.

 

[dpearceFL]

Some thing have learned:

• At the DC level, and options, make sure Input and Output policies are both set to ACCEPT. Otherwise when you enable the firewall at the DC level, you will get locked out of the GUI. (I think)
• At the DC level enable the firewall, otherwise none of the firewall rules apply.
• If you add a rule at the DC level, it does not apply to the VM.
• If you disable the firewall at the node level, the firewall at the VM level still works.
• At the node level - I have not seem where that firewall comes into play.
• When writing a rule through the GUI, a blank entry in protocol, macro, interface means no limits. i.e. allow all protocols.
• If you start a ping then add a rule to block the pings, because ping has already established a connect, the ping will continue to work. But if you do something like this you get immediate feedback.

 while true
 do
  ping -c 1 -W 1 x.x.x.18 | grep "loss"
  sleep 1
 done