Guest level firewall does not block any traffic on guest

Urbanovits

Member
Mar 14, 2021
Hi all,

Playing around with the Proxmox firewall, I found that it has no effect if the firewall is enabled on the guest ONLY.
Is that normal? Do I need to enable the firewall at the top level (cluster or host) to get it working properly (on the host, or even) on the guest?


Screenshot: 2022-08-22 17-32-30.png

I can ping the client, and I even have VNC access, regardless of the Input policy BLOCK rule.

VNC showing up
Screenshot: 2022-08-22 17-35-09.png
 
Hello,

Yes, you have to enable the firewall at the top of your cluster.

From our official docs [0]:

Enabling the Firewall for VMs and Containers

Each virtual network device has its own firewall enable flag. So you can selectively enable the firewall for each interface. This is required in addition to the general firewall enable option.


[0] https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_vm_container_configuration



The cluster was upgraded from 6.x to 7.x prior to the FW setup.

No change if the cluster-level FW is enabled. The guest VM is still accessible. :(
BTW, hypothetically, the cluster/guest and VM firewalls should be managed separately, without depending on each other.

Shell review

3-node cluster
root@pve03:/bin# cd /etc/pve/nodes/
root@pve03:/etc/pve/nodes# ls
pve02 pve03 pve04
root@pve03:/etc/pve/nodes# cd pve03
root@pve03:/etc/pve/nodes/pve03# ls
lrm_status lxc openvz priv pve-ssl.key pve-ssl.pem qemu-server
root@pve03:/etc/pve/nodes/pve03# cd /etc/pve/firewall
root@pve03:/etc/pve/firewall# ls
137.fw cluster.fw

cluster.fw *inbound enabled
[OPTIONS]
enable: 1
policy_in: ACCEPT

137.fw *inbound NOT enabled
[OPTIONS]
policy_out: ACCEPT
enable: 1

No change when 137.fw contains only "enable: 1" without any policy defined.
 
Can you please also provide us with the VM config (qm config <VMID>)?
Sure :)

root@pve03:/etc/pve/qemu-server# qm config 137
boot: order=scsi0;ide2;net0
cores: 4
ide2: local:iso/linuxfx-10.8.1.106-cinnamon-w7.iso,media=cdrom,size=4445280K
memory: 6192
meta: creation-qemu=6.2.0,ctime=1660983888
name: LinuxFX-Win7-Magyar
net0: virtio=F6:69:FF:4C:B1:01,bridge=vmbr0,firewall=1
numa: 0
ostype: l26
scsi0: ClusterStor2:vm-137-disk-0,size=32G
scsihw: virtio-scsi-pci
smbios1: uuid=374f1203-8eb7-4550-80ab-be31079f4335
sockets: 2
vmgenid: b1d62663-14fa-4d2a-b6e7-448ec575de38
 
Can you please also post the contents of the /etc/pve/local/host.fw file, so we can see if you enabled the firewall on the host as well?
 
There is no such file:
root@pve03:/etc/pve/local# ls
lrm_status lxc openvz priv pve-ssl.key pve-ssl.pem qemu-server

But the host FW in the GUI is showing this
*On that host I have a NAT-ed switch

Screenshot: 2022-08-23 11-29-01.png
 
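Added example, not from the thread or from Proxmox: a small POSIX sh checker that reads the same files discussed above (firewall/cluster.fw, local/host.fw, firewall/<vmid>.fw and the firewall=1 flag on the NIC in qemu-server/<vmid>.conf) and reports which level is still off. The /etc/pve layout, VM 137 and the net0 line are taken from the posts; the sample files built at the bottom are constructed to reproduce them, and the treatment of a missing host.fw as "not disabled" is an assumption about PVE's default.

```shell
#!/bin/sh
# Added example (not Proxmox's own tooling): report whether the PVE firewall is
# switched on at every level that must agree before a VM's rules take effect,
# using the files seen in this thread: firewall/cluster.fw, local/host.fw,
# firewall/<vmid>.fw and the firewall=1 flag on the NIC in qemu-server/<vmid>.conf.

# fw_option FILE KEY: value of "KEY: value" inside the [OPTIONS] section,
# or "absent" when the file or the key does not exist.
fw_option() {
    [ -f "$1" ] || { echo absent; return; }
    val=$(awk -v k="$2" '
        /^\[/                   { insec = ($0 == "[OPTIONS]"); next }
        insec && $1 == (k ":")  { print $2; exit }
    ' "$1")
    echo "${val:-absent}"
}

# nic_firewall CONF NIC: 1 when the NIC line carries ",firewall=1", else 0.
nic_firewall() {
    if grep -E "^$2:" "$1" 2>/dev/null | grep -qE ',firewall=1(,|$)'; then
        echo 1
    else
        echo 0
    fi
}

# pve_fw_check ROOT VMID [NIC]: prints one status line and succeeds only when
# cluster.fw and <vmid>.fw have "enable: 1", the NIC has firewall=1, and host.fw
# does not explicitly set "enable: 0" (assumption: with host.fw absent, PVE keeps
# its default of the host firewall being on).
pve_fw_check() {
    root=$1; vmid=$2; nic=${3:-net0}
    c=$(fw_option "$root/firewall/cluster.fw" enable)
    h=$(fw_option "$root/local/host.fw" enable)
    v=$(fw_option "$root/firewall/$vmid.fw" enable)
    n=$(nic_firewall "$root/qemu-server/$vmid.conf" "$nic")
    printf 'cluster=%s host=%s vm%s=%s %s.firewall=%s\n' "$c" "$h" "$vmid" "$v" "$nic" "$n"
    [ "$c" = 1 ] && [ "$h" != 0 ] && [ "$v" = 1 ] && [ "$n" = 1 ]
}

# Constructed sample reproducing the files posted for VM 137; on a real node
# run: pve_fw_check /etc/pve 137
demo=$(mktemp -d)
mkdir -p "$demo/firewall" "$demo/local" "$demo/qemu-server"
printf '[OPTIONS]\nenable: 1\npolicy_in: ACCEPT\n' > "$demo/firewall/cluster.fw"
printf '[OPTIONS]\npolicy_out: ACCEPT\nenable: 1\n' > "$demo/firewall/137.fw"
printf 'net0: virtio=F6:69:FF:4C:B1:01,bridge=vmbr0,firewall=1\n' > "$demo/qemu-server/137.conf"
pve_fw_check "$demo" 137 && echo "every level enabled" || echo "firewall off at some level"
rm -rf "$demo"
```

Run it as root on the node against /etc/pve; a "0" or "absent" in the status line points at the level that still needs enabling.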
