Firewall - what am I doing wrong?

I'm trying to set some firewall rules at the guest level but they aren't being applied (see system information attached). This is what I have right now:

/etc/pve/firewall/cluster.fw:

Code:
[OPTIONS]
enable: 1
policy_in: DROP
[IPSET management] # Identifies the LAN
10.10.10.0/24
[RULES]
GROUP admin
[group admin] # Ports for various PVE admin things
IN SSH(ACCEPT)
IN ACCEPT -p tcp -dport 8006 # Proxmox web admin
IN ACCEPT -p tcp -dport 5900:5999 # VNC web console
IN ACCEPT -p tcp -dport 3128 # SPICE console

In https://pve.proxmox.com/wiki/Firewall it says:

Host related configuration is read from: /etc/pve/nodes/<nodename>/host.fw

But I don't have that file on my system. I've set it to "Firewall: enabled" in the GUI for the node though, and left the rules section blank.

/etc/pve/firewall/102.fw:

Code:
[OPTIONS]
enable: 1
macfilter: 0
[RULES]
IN ACCEPT -i net0 -p icmp
IN ACCEPT -i net0 -p ipv6-icmp
IN POP3S(ACCEPT) -i net0
IN IMAPS(ACCEPT) -i net0
IN SSH(ACCEPT) -i net0
IN Mail(ACCEPT) -i net0
IN DROP -i net0

pve-firewall status shows "Status: enabled/running"

pve-firewall compile shows "no changes"

I've enabled the firewall on the relevant VM network interface (net0)

I've rebooted all the VMs in question.

Code:
proxmox-ve: 4.4-110 (running kernel: 4.4.35-1-pve)
pve-manager: 4.4-22 (running version: 4.4-22/2728f613)
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+2
libqb0: 1.0.1-1
pve-cluster: 4.0-54
qemu-server: 4.0-115
pve-firmware: 1.1-11
libpve-common-perl: 4.0-96
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.9.1-9~pve4
pve-container: 1.0-105
pve-firewall: 2.0-33
pve-ha-manager: 1.0-41
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80

What am I doing wrong?

BTW if I portscan the host (which only has SSH open), ports are coming up as filtered. Guests on the host are not though.

===========================

EDIT: See attached screenshot. There seems to be no information about the relationship between the input/output policy settings in Firewall > Options (the help just says they are "input/output policies"), and putting an input/output policy in the guest's firewall rules. Yet if I change anything it appears to have no effect.
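Added example, not from the post or from Proxmox itself: a small Python linter for the .fw section format used in the cluster.fw and 102.fw above. It flags an IPSET that no rule references with +name (the cluster.fw above defines [IPSET management] but none of its rules use +management, so that set does not narrow anything), a GROUP reference with no matching [group] section, and rules shadowed by an earlier catch-all in the same direction and interface. The sample ruleset, the section/rule regexes and the message texts are my own constructions.

```python
import re

# Constructed sample in the PVE .fw format, mirroring the cluster.fw shown above.
SAMPLE_FW = """[OPTIONS]
[IPSET management] # Identifies the LAN
10.10.10.0/24
[RULES]
GROUP admin
[group admin] # Ports for various PVE admin things
IN SSH(ACCEPT)
IN ACCEPT -p tcp -dport 8006 # Proxmox web admin
"""

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]")
# A bare "IN/OUT ACTION" (optionally "-i iface") matches everything in that direction.
CATCH_ALL = re.compile(r"^(IN|OUT)\s+(DROP|REJECT|ACCEPT)(?:\s+-i\s+(\S+))?$")

def parse_fw(text):
    """Split a .fw file into (KIND, name, [rule lines]); comments and '|'-disabled rules dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("|"):
            continue
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1).upper(), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def lint_fw(text):
    secs = parse_fw(text)
    ipsets = {n for k, n, _ in secs if k == "IPSET"}
    groups = {n for k, n, _ in secs if k == "GROUP"}
    issues, referenced = [], set()
    for kind, name, lines in secs:
        blocked = {}  # direction -> interface (or "*") of the catch-all seen so far
        for rule in lines if kind in ("RULES", "GROUP") else []:
            referenced.update(re.findall(r"\+([\w-]+)", rule))  # +ipset in -source/-dest
            if rule.startswith("GROUP "):
                if rule.split()[1] not in groups:
                    issues.append(f"[{kind}] undefined security group: {rule}")
            elif (i := blocked.get(rule.split()[0])) and (i == "*" or f"-i {i}" in rule):
                issues.append(f"[{kind}] unreachable after catch-all: {rule}")
            elif m := CATCH_ALL.match(rule):
                blocked[m.group(1)] = m.group(3) or "*"  # later rules here are dead
    for s in sorted(ipsets - referenced):
        issues.append(f"[IPSET {s}] defined but no rule matches on +{s}")
    return issues
```

Run `lint_fw(open("/etc/pve/firewall/cluster.fw").read())` against the real file; an empty list means none of the three mistakes is present, not that the rules are being applied.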