Firewalling question - securing the management interfaces

breakaway9000

Active Member
Dec 20, 2015
71
9
28
Hello,

I've got a Proxmox server that I need to connect to the internet directly (it is a hosted dedicated server).

I then have a single IPv4 and a single IPv6 address provided by the hosting provider, which will be assigned to this server. An additional IPv4 subnet and additional IPv6 subnets will then be routed through to this host so that I can assign them to the VMs.

I will run pfSense to manage this; however, I am currently trying to figure out how to use the built-in firewall inside Proxmox to secure the management interface (i.e. the single IPv4 and IPv6 addresses) so that only trusted hosts may access the Proxmox web UI.

Before I set this up in production I am testing this out in a lab, but I am not having any luck with this. I've made the host firewall config changes, but I am not getting the desired results (I still have access from everywhere).

My host's IP is 10.12.18.230 and the management station IP is 10.12.18.61. So I set up an alias with 10.12.18.61 as "MGTipaddress", I then changed the datacenter default policy to drop. Then I created a firewall rule "type:" in and "source:" MGTipaddress.

I expected this to lock down the access so I can only access 10.12.18.230 from 10.12.18.61. However, I am able to access it from any IP on this subnet.

Have a look at the screenshots - have I missed something?
 

Attachments: pmfw.png

breakaway9000
Hmm, I just enabled it, no change.

Even with the rule disabled, shouldn't I have locked myself out fully from the system - with the default input policy set to "DROP" and the firewall enabled?
 

dietmar

Proxmox Staff Member
Staff member
Apr 28, 2005
16,789
403
103
Austria
www.proxmox.com
What is the output of

# pve-firewall localnet

The fw adds special allow rules for the local/cluster network. In that case you need to add drop rules for that network manually.
 

breakaway9000
I see, so it basically adds an "anti-lockout" rule on the local subnet that the management interface is on, and I need to add manual drop rules?

Code:
# pve-firewall localnet
local hostname: pve
local IP address: 10.12.18.230
network auto detect: 10.12.18.0/24
using detected local_network: 10.12.18.0/24
 

dietmar
breakaway9000 said:
I see, so it basically adds an "anti-lockout" rule on the local subnet that the management interface is on, and I need to add manual drop rules?

If you run

# pve-firewall compile

you will see the following rules in chain PVEFW-HOST-IN:

-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN

And the local network is automatically added to that PVEFW-0-management-v4 ipset.
But they only match if you connect from within that network!
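As an added example (not from this thread or the Proxmox project), here is a datacenter-level /etc/pve/firewall/cluster.fw that applies dietmar's advice with the addresses from the original post: allow the management station, then explicitly drop the rest of the auto-detected local network so the built-in management allowance no longer applies. It assumes that host and datacenter [RULES] are compiled into PVEFW-HOST-IN ahead of the PVEFW-0-management-v4 RETURN rules quoted above; confirm that order on your own host with pve-firewall compile before relying on it.

```ini
# /etc/pve/firewall/cluster.fw  (constructed example, single host, no cluster)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[ALIASES]
MGTipaddress 10.12.18.61    # trusted management station from the thread

[RULES]
# Rules apply top to bottom, so the ACCEPT lines must come before the DROP.
IN ACCEPT -source MGTipaddress -p tcp -dport 8006 -log nolog    # PVE web UI
IN ACCEPT -source MGTipaddress -p tcp -dport 22 -log nolog      # SSH
# The automatic allow for the local network (10.12.18.0/24 per
# "pve-firewall localnet") is evaluated after these rules, so this DROP
# overrides it for every other host on the subnet.  "-log warning" makes the
# rejected attempts visible in the firewall log.
IN DROP -source 10.12.18.0/24 -log warning
```

The same DROP is needed for the IPv6 local network if the host's IPv6 address is on a shared subnet; a quick check after reloading is to run pve-firewall compile and verify that the DROP line appears in PVEFW-HOST-IN above the --match-set PVEFW-0-management-v4 RETURN lines.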
 
