Firewalling question - securing the management interfaces

breakaway9000

Renowned Member
Dec 20, 2015
Hello,

I've got a Proxmox server that I need to connect to the internet directly (it is a hosted dedicated server).

I then have a single IPv4 and IPv6 address provided by the hosting provider which will be assigned to this server. An additional IPv4 subnet and additional IPv6 subnets will then be routed through to this host to allow me to assign them to the VMs.

I will run pfSense to manage this, however I am currently trying to figure out how to use the built-in firewall inside Proxmox to secure the management interface (i.e. the single IPv4 and IPv6 addresses) so that only trusted hosts may access the Proxmox web UI.

Before I set this up in production I am testing this out in a lab, but I am not having any luck with this. I've made the host firewall config changes but I am not getting the desired results (I still have access from everywhere).

My host's IP is 10.12.18.230 and the management station IP is 10.12.18.61. So I set up an alias with 10.12.18.61 as "MGTipaddress", I then changed the datacenter default policy to drop. Then I created a firewall rule "type:" in and "source:" MGTipaddress.

I expected this to lock down the access so I can only access 10.12.18.230 from 10.12.18.61. However, I am able to access it from any IP on this subnet.

Have a look at the screenshots - have I missed something?
 

Attachments

  • pmfw.png
Hmm, I just enabled it, no change.

Even with the rule disabled, shouldn't I have locked myself out fully from the system - with the default input policy set to "DROP" and the firewall enabled?
 
What is the output of

# pve-firewall localnet

The fw adds special allow rules for the local/cluster network. In that case you need to add drop rules for that network manually.
 
I see, so it basically adds an "anti-lockout" rule on the local subnet that the management interface is on, and I need to add manual drop rules?

Code:
# pve-firewall localnet
local hostname: pve
local IP address: 10.12.18.230
network auto detect: 10.12.18.0/24
using detected local_network: 10.12.18.0/24
 

If you run

# pve-firewall compile

you will see the following rules in chain PVEFW-HOST-IN:

-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN

And the local network is automatically added to that PVEFW-0-management-v4 ipset.
But they only match if you connect from within that network!
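To make the ordering concrete, here is an added Python model (not pve-firewall's own code) of the PVEFW-HOST-IN walk described above: it assumes explicit host rules are evaluated before the automatic management-ipset rules (which is what the advice to add a manual drop rule relies on), and uses a constructed outside address 192.0.2.5 for comparison.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not pve-firewall's own code) of how PVEFW-HOST-IN is walked:
# explicit host rules first, then the automatic RETURN rules for the management
# ipset, then the datacenter input policy. In this chain RETURN means "accept".
MGMT_PORTS = [(8006, 8006), (5900, 5999), (3128, 3128), (22, 22)]  # from the compile output above
LOCAL_NET = ipaddress.ip_network("10.12.18.0/24")  # the auto-detected local_network

@dataclass
class Rule:
    action: str                  # "ACCEPT" or "DROP"
    source: str                  # address or CIDR, like a firewall alias/ipset
    dport: Optional[int] = None  # None matches any destination port

def host_in_verdict(src: str, dport: int, user_rules, policy_in: str = "DROP") -> str:
    """Verdict for one inbound TCP packet to the host, given the explicit host rules."""
    src_ip = ipaddress.ip_address(src)
    for rule in user_rules:  # assumption: explicit host rules are evaluated first
        if src_ip in ipaddress.ip_network(rule.source, strict=False) and rule.dport in (None, dport):
            return rule.action
    # Automatic management-ipset rules: the whole local network may reach the
    # API, VNC, SPICE proxy and SSH ports regardless of the input policy.
    if src_ip in LOCAL_NET and any(lo <= dport <= hi for lo, hi in MGMT_PORTS):
        return "ACCEPT"
    return policy_in  # nothing matched: the datacenter input policy applies

# What the original poster configured: one accept rule for the management station.
AS_POSTED = [Rule("ACCEPT", "10.12.18.61")]
# The same, plus the manual drop rule for the local network suggested in the reply.
WITH_MANUAL_DROP = [Rule("ACCEPT", "10.12.18.61"), Rule("DROP", "10.12.18.0/24")]

if __name__ == "__main__":
    for src in ("10.12.18.61", "10.12.18.100", "192.0.2.5"):  # 192.0.2.5 is a constructed outside address
        print(f"{src:>13} -> 8006: posted={host_in_verdict(src, 8006, AS_POSTED)}"
              f" with_drop={host_in_verdict(src, 8006, WITH_MANUAL_DROP)}")
```

Running it shows why the posted setup still admits any host on 10.12.18.0/24 to port 8006 while the manual drop rule confines access to 10.12.18.61.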
 
