I'm trying to set some firewall rules at the guest level but they aren't being applied (see system information attached). This is what I have right now:
/etc/pve/firewall/cluster.fw:
Code:
[OPTIONS]
enable: 1
policy_in: DROP
[IPSET management] # Identifies the LAN
10.10.10.0/24
[RULES]
GROUP admin
[group admin] # Ports for various PVE admin things
IN SSH(ACCEPT)
IN ACCEPT -p tcp -dport 8006 # Proxmox web admin
IN ACCEPT -p tcp -dport 5900:5999 # VNC web console
IN ACCEPT -p tcp -dport 3128 # SPICE console
In https://pve.proxmox.com/wiki/Firewall it says:
Host related configuration is read from: /etc/pve/nodes/<nodename>/host.fw
But I don't have that file on my system. I've set it to "Firewall: enabled" in the GUI for the node though, and left the rules section blank.
/etc/pve/firewall/102.fw:
Code:
[OPTIONS]
enable: 1
macfilter: 0
[RULES]
IN ACCEPT -i net0 -p icmp
IN ACCEPT -i net0 -p ipv6-icmp
IN POP3S(ACCEPT) -i net0
IN IMAPS(ACCEPT) -i net0
IN SSH(ACCEPT) -i net0
IN Mail(ACCEPT) -i net0
IN DROP -i net0
pve-firewall status shows "Status: enabled/running"
pve-firewall compile shows "no changes"
I've enabled the firewall on the relevant VM network interface (net0)
I've rebooted all the VMs in question.
Code:
proxmox-ve: 4.4-110 (running kernel: 4.4.35-1-pve)
pve-manager: 4.4-22 (running version: 4.4-22/2728f613)
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+2
libqb0: 1.0.1-1
pve-cluster: 4.0-54
qemu-server: 4.0-115
pve-firmware: 1.1-11
libpve-common-perl: 4.0-96
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.9.1-9~pve4
pve-container: 1.0-105
pve-firewall: 2.0-33
pve-ha-manager: 1.0-41
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
What am I doing wrong?
BTW if I portscan the host (which only has SSH open), ports are coming up as filtered. Guests on the host are not though.
===========================
EDIT: See attached screenshot. There seems to be no information about the relationship between the input/output policy settings in Firewall > Options (the help just says they are "input/output policies"), and putting an input/output policy in the guest's firewall rules. Yet if I change anything it appears to have no effect.
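Guest rules in Proxmox VE are only rendered into iptables chains when every link of the enable chain is in place: the datacenter firewall (cluster.fw), the node firewall (host.fw, which defaults to enabled when the file is absent), the guest's own [OPTIONS] enable, and firewall=1 on the NIC line in the VM config. The following checker is an added example, not code from the post or from Proxmox: it parses the two .fw files quoted above with a small parser for the .fw section/rule syntax and an assumed /etc/pve/qemu-server/102.conf net0 line (not shown in the post), and reports which link, if any, would leave the guest rules dead. It also treats the guest input policy default as DROP, which is the documented default and is an assumption here.

```python
"""Offline checker for the PVE firewall enable chain (hypothetical helper, not a Proxmox tool)."""
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample input: the two files quoted in the post, verbatim.
CLUSTER_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
[IPSET management] # Identifies the LAN
10.10.10.0/24
[RULES]
GROUP admin
[group admin] # Ports for various PVE admin things
IN SSH(ACCEPT)
IN ACCEPT -p tcp -dport 8006 # Proxmox web admin
IN ACCEPT -p tcp -dport 5900:5999 # VNC web console
IN ACCEPT -p tcp -dport 3128 # SPICE console
"""
VM_FW = """\
[OPTIONS]
enable: 1
macfilter: 0
[RULES]
IN ACCEPT -i net0 -p icmp
IN ACCEPT -i net0 -p ipv6-icmp
IN POP3S(ACCEPT) -i net0
IN IMAPS(ACCEPT) -i net0
IN SSH(ACCEPT) -i net0
IN Mail(ACCEPT) -i net0
IN DROP -i net0
"""
# Assumed VM config lines (not in the post); MAC and bridge are placeholders.
VM_CONF_OK = "net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0,firewall=1\n"
VM_CONF_NO_FW = "net0: virtio=DE:AD:BE:EF:00:01,bridge=vmbr0\n"


def parse_fw(text: str) -> Dict[str, List[str]]:
    """Split a .fw file into {section header: [lines]}; '#' comments are dropped."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"line outside any section: {raw!r}")
        else:
            sections[current].append(line)
    return sections


def fw_options(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Turn [OPTIONS] 'key: value' lines into a dict."""
    opts = {}
    for line in sections.get("OPTIONS", []):
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip()
    return opts


def parse_rule(line: str) -> dict:
    """Parse 'IN SSH(ACCEPT) -i net0 -p tcp' or 'GROUP admin' into its parts."""
    tokens = line.split()
    rule = {"type": tokens[0], "macro": None, "action": tokens[1], "opts": {}}
    macro = re.match(r"^(\w+)\((\w+)\)$", tokens[1])
    if macro:
        rule["macro"], rule["action"] = macro.group(1), macro.group(2)
    i = 2
    while i + 1 < len(tokens):  # options come as '-flag value' pairs
        if tokens[i].startswith("-"):
            rule["opts"][tokens[i].lstrip("-")] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def parse_vm_nics(conf: str) -> Dict[str, Dict[str, str]]:
    """Extract netN lines from a qemu-server config: {net0: {bridge: ..., firewall: ...}}."""
    nics = {}
    for raw in conf.splitlines():
        m = re.match(r"^(net\d+):\s*(.+)$", raw.strip())
        if m:
            nics[m.group(1)] = dict(item.partition("=")[::2] for item in m.group(2).split(","))
    return nics


def check_guest_firewall(cluster_fw: str, host_fw: Optional[str], vm_fw: str, vm_conf: str) -> List[Finding]:
    """Report every link of cluster -> host -> guest -> NIC that would stop guest rules applying."""
    findings: List[Finding] = []
    cluster = parse_fw(cluster_fw)
    if fw_options(cluster).get("enable") != "1":
        findings.append(("error", "cluster.fw [OPTIONS] enable is not 1: the firewall is off everywhere"))
    host_opts = fw_options(parse_fw(host_fw)) if host_fw else {}  # absent file: documented default enable=1 (assumed)
    if host_opts.get("enable", "1") != "1":
        findings.append(("error", "host.fw [OPTIONS] enable is 0: this node builds no chains"))
    for line in cluster.get("RULES", []):
        rule = parse_rule(line)
        if rule["type"] == "GROUP" and f"group {rule['action']}" not in cluster:
            findings.append(("error", f"cluster.fw references undefined security group {rule['action']!r}"))
    vm = parse_fw(vm_fw)
    vm_opts = fw_options(vm)
    if vm_opts.get("enable") != "1":
        findings.append(("error", "<vmid>.fw [OPTIONS] enable is not 1: guest rules are never compiled"))
    nics, flagged = parse_vm_nics(vm_conf), set()
    policy_in = vm_opts.get("policy_in", "DROP")  # documented guest default (assumed)
    for line in vm.get("RULES", []):
        rule = parse_rule(line)
        iface = rule["opts"].get("i")
        if iface is not None and iface not in flagged:
            if iface not in nics:
                findings.append(("error", f"rule {line!r} names {iface}, which the VM config does not define"))
                flagged.add(iface)
            elif nics[iface].get("firewall") != "1":
                findings.append(("error", f"{iface} lacks firewall=1 in the VM config: no tap chain exists, rules on it are dead"))
                flagged.add(iface)
        if rule["type"] == "IN" and rule["macro"] is None and rule["action"] == policy_in \
                and not any(k in rule["opts"] for k in ("p", "dport", "sport", "source", "dest")):
            findings.append(("note", f"rule {line!r} repeats the effective input policy {policy_in}; harmless but redundant"))
    return findings


if __name__ == "__main__":
    for severity, message in check_guest_firewall(CLUSTER_FW, None, VM_FW, VM_CONF_NO_FW):
        print(f"[{severity}] {message}")
```

On a real node, feed it the contents of /etc/pve/firewall/cluster.fw, /etc/pve/nodes/<nodename>/host.fw (or None when the file is absent, as in the post), the guest's .fw and its qemu-server config. An empty error list means the enable chain is complete and the remaining question is what `pve-firewall compile` actually generated for the guest's tap interface, not the configuration files.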