Hello,
I'm trying to set up a host-based firewall. There are two hosts which run Proxmox (latest version) and I just want to secure them via a host-based firewall. I understand that the firewall is applied in this way: datacenter -> hosts -> VMs. So I made some IP sets for easy recognition of the host entries and easy reconfiguration in case of an IP change. The issues I'm hitting are related to corosync cluster communication (1) and some strange errors in the logs about undefined variables (2).
I will post some configs to make sure everybody understands what I'm saying.
Code:
root@proxmox-node-1.home.lan:~# cat /etc/pve/corosync.conf
logging {
  debug: off
  to_syslog: yes
}

nodelist {
  node {
    name: proxmox-node-1
    nodeid: 1
    quorum_votes: 1
    ring0_addr: proxmox-node-1
    ring1_addr: proxmox-node-1c
  }
  node {
    name: proxmox-node-2
    nodeid: 2
    quorum_votes: 1
    ring0_addr: proxmox-node-2
    ring1_addr: proxmox-node-2c
  }
}

quorum {
  provider: corosync_votequorum
  two_node: 1
}

totem {
  cluster_name: proxmox
  transport: udpu
  rrp_mode: passive
  config_version: 5
  interface {
    bindnetaddr: 192.168.0.0
    ringnumber: 0
  }
  interface {
    bindnetaddr: 10.9.8.0
    ringnumber: 1
  }
  ip_version: ipv4
  secauth: on
  version: 2
}
root@proxmox-node-1.home.lan:~#
So there are two network cards: eth0 is the external network card, which is connected to the switch. It works as a trunk port and delivers traffic to the VMs.
eth1 is the internal card, which is directly connected to the other server back-to-back.
So the IP addresses of the network cards are as follows: eth0 - 192.168.0.2 and eth1 - 10.9.8.6.
There are also two ring buffers for these separated networks.
Here is the configuration of the firewall:
Code:
root@proxmox-node-1.home.lan:~# cat /etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 0
ebtables: 0
[ALIASES]
nagios_server 192.168.0.9 # The Nagios3 server
dns_server 192.168.0.7 # The DNS server
monitoring_server 192.168.0.10 # The Monitoring server
puppet_server 192.168.10.18 # The Puppet server
qnap_storage 192.168.0.5 # The QNAP storage
firebat_server 192.168.10.9 # The Firebat server
[IPSET dmz_network] # Vlan3 (192.168.10.0/24)
192.168.10.0/24 # DMZ Network
[IPSET guest_network] # Vlan4 (192.168.20.0/24)
192.168.20.0/24 # Guest Network
[IPSET lan_network] # Vlan2 (192.168.0.0/24)
192.168.0.0/24 # Lan Network
[IPSET management_ipset] # Trusted IP's of KpuCko's computers
192.168.0.15 # KpuCko's Win10 Tower PC
192.168.0.16 # KpuCko's T430S Laptop PC
[IPSET management_network] # Vlan5 (192.168.30.0/24)
192.168.30.0/24 # Management Network
[IPSET nodes_ipset_external] # Access to Proxmox servers
192.168.0.2 # Proxmox Node 1 (external interface)
192.168.0.23 # Proxmox VIP (VRRP interface)
192.168.0.3 # Proxmox Node 2 (external interface)
[IPSET nodes_ipset_internal] # Access to the Proxmox servers
10.9.8.6 # Proxmox Node 1 (internal interface)
10.9.8.7 # Proxmox Node 2 (internal interface)
[RULES]
IN ACCEPT -p icmp # Allow ICMP protocol
IN DNS(ACCEPT) -dest dns_server # Allow DNS to the DNS server
IN ACCEPT -source monitoring_server -p udp -dport 8089 # Allow InfluxDB to the Monitoring server
IN SNMP(ACCEPT) -source monitoring_server # Allow SNMP to all nodes
IN SMTP(ACCEPT) -dest firebat_server # Allow SMTP to the Firebat server
IN ACCEPT -source nagios_server -p tcp -dport 5666 # Allow NRPE requests from the Nagios3 server
IN Munin(ACCEPT) -source nagios_server # Allow Munin requests from Nagios3 server
[group management] # Rule to allow management access to the Proxmox servers
IN ACCEPT -source +nodes_ipset_internal -dest +nodes_ipset_internal # Allow internal communication (corosync, ssh)
IN ACCEPT -source +nodes_ipset_external -dest +nodes_ipset_external # Allow external communication (corosync, ssh)
IN ACCEPT -source +management_ipset -dest +nodes_ipset_external -p tcp -dport 2224 # Allow Pacemaker WebGUI to the nodes
IN ACCEPT -source +management_ipset -dest +nodes_ipset_external -p tcp -dport 3128 # Allow VNC to the nodes
IN Web(ACCEPT) -source +management_ipset -dest +nodes_ipset_external # Allow WEB to the nodes
IN ACCEPT -source +management_ipset -dest +nodes_ipset_external -p tcp -dport 8006 # Allow WebGUI access to the nodes
IN SSH(ACCEPT) -source +management_ipset -dest +nodes_ipset_external # Allow SSH to the nodes
IN ACCEPT -source +management_ipset -dest +nodes_ipset_external -p tcp -dport 5900:5999 # Allow VNC Web console
root@proxmox-node-1.home.lan:~#
The host firewall:
Code:
root@proxmox-node-1.home.lan:~# cat /etc/pve/nodes/proxmox-node-1/host.fw
[RULES]
IN ACCEPT -dest +nodes_ipset_external -p udp -dport 5404:5405 # Allow Corosync to external network card
IN ACCEPT -source +nodes_ipset_external -p udp -dport 5404:5405 # Allow Corosync to external network card
GROUP management # Allow Management access to the nodes
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 32764:32769 # Allow NFS to the QNAP storage
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 32764:32769 # Allow NFS to the QNAP storage
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 2049 # Allow NFS to the QNAP storage
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 2049 # Allow NFS to the QNAP storage
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 111 # Allow NFS to the QNAP storage
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 111 # Allow NFS to the QNAP storage
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 3493 # Allow NUT to QNAP storage
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 3493 # Allow NUT to QNAP storage
IN ACCEPT -source qnap_storage -dest +nodes_ipset_external -p udp -dport 3493 # Allow NUT to QNAP storage
IN ACCEPT -source qnap_storage -dest +nodes_ipset_external -p tcp -dport 3493 # Allow NUT to QNAP storage
root@proxmox-node-1.home.lan:~#
So when I start the firewall and reboot the boxes, I watch the syslog and get these errors:
Code:
Jan 12 09:40:38 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:40:38 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:40:39 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:40:39 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:00 proxmox-node-1 systemd[1]: Starting Proxmox VE replication runner...
Jan 12 09:41:00 proxmox-node-1 systemd[1]: Started Proxmox VE replication runner.
Jan 12 09:41:05 proxmox-node-1 snmpd[2059]: error on subcontainer 'ia_addr' insert (-1)
Jan 12 09:41:18 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:18 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:19 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:19 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:35 proxmox-node-1 snmpd[2059]: error on subcontainer 'ia_addr' insert (-1)
Jan 12 09:41:40 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:40 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:41 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:41 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:00 proxmox-node-1 systemd[1]: Starting Proxmox VE replication runner...
Jan 12 09:42:00 proxmox-node-1 systemd[1]: Started Proxmox VE replication runner.
Jan 12 09:42:05 proxmox-node-1 snmpd[2059]: error on subcontainer 'ia_addr' insert (-1)
Jan 12 09:42:07 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:07 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:10 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:10 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:35 proxmox-node-1 snmpd[2059]: error on subcontainer 'ia_addr' insert (-1)
Jan 12 09:42:38 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:38 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:40 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:40 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
There is an issue only with the external card communication, ring buffer 0. The other one is good, I mean the communication via eth1 and ring buffer 1.
Note that I'm using unicast traffic; I don't really know if that is an issue.
The last thing is the errors which I'm seeing, but I really don't know why. I think these variables are pushed to the hosts via the cluster configuration.
Code:
Jan 12 09:37:49 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 15) - errors in rule parameters: IN ACCEPT -source qnap_storage -dest +nodes_ipset_external -p tcp -dport 3493 # Allow NUT to QNAP storage
Jan 12 09:37:49 proxmox-node-1 pveproxy[2766]: dest: no such ipset 'nodes_ipset_external'
Jan 12 09:37:49 proxmox-node-1 pveproxy[2766]: source: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 3) - errors in rule parameters: IN ACCEPT -dest +nodes_ipset_external -p udp -dport 5404:5405 # Allow Corosync to external network card
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 4) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -p udp -dport 5404:5405 # Allow Corosync to external network card
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 6) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 32764:32769 # Allow NFS to the QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 7) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 32764:32769 # Allow NFS to the QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 8) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 2049 # Allow NFS to the QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 9) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 2049 # Allow NFS to the QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 10) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 111 # Allow NFS to the QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 11) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 111 # Allow NFS to the QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 12) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p udp -dport 3493 # Allow NUT to QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 13) - errors in rule parameters: IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 3493 # Allow NUT to QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 14) - errors in rule parameters: IN ACCEPT -source qnap_storage -dest +nodes_ipset_external -p udp -dport 3493 # Allow NUT to QNAP storage
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: source: no such alias 'qnap_storage'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: dest: no such ipset 'nodes_ipset_external'
Jan 12 09:37:52 proxmox-node-1 pveproxy[2766]: /etc/pve/local/host.fw (line 15) - errors in rule parameters: IN ACCEPT -source qnap_storage -dest +nodes_ipset_external -p tcp -dport 3493 # Allow NUT to QNAP storage
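A static check for the second problem, added here as an example (it is not part of the post and not Proxmox's own parser): a simplified model of the .fw format shown above that reports every `-source`/`-dest` alias or `+ipset` reference, and every `GROUP` reference, that does not resolve in the files handed to it. The sample configs are abridged copies of the cluster.fw and host.fw from the post; which definitions a host.fw is actually allowed to see is an assumption of the checker, so run it once with only host.fw and once with cluster.fw added and compare the two lists with the pveproxy errors.

```python
"""Reference check for Proxmox VE firewall files (.fw).

Added example, not from the post and not Proxmox's own parser: a simplified
model of the format shown above.  It collects [ALIASES] names, [IPSET name]
sections and [group name] sections from whatever files it is given, then
reports every -source / -dest / GROUP reference in the rules file that does
not resolve.  Which definitions a host.fw can really see is an assumption
here; the point is to compare "host.fw alone" with "host.fw + cluster.fw".
"""
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed sample input: abridged copies of the cluster.fw / host.fw above.
CLUSTER_FW = """\
[OPTIONS]
enable: 0
ebtables: 0

[ALIASES]
dns_server 192.168.0.7 # The DNS server
qnap_storage 192.168.0.5 # The QNAP storage

[IPSET management_ipset] # Trusted IP's
192.168.0.15 # Win10 Tower PC
192.168.0.16 # T430S Laptop PC

[IPSET nodes_ipset_external] # Access to Proxmox servers
192.168.0.2 # Proxmox Node 1 (external interface)
192.168.0.3 # Proxmox Node 2 (external interface)

[IPSET nodes_ipset_internal]
10.9.8.6 # Proxmox Node 1 (internal interface)
10.9.8.7 # Proxmox Node 2 (internal interface)

[RULES]
IN ACCEPT -p icmp # Allow ICMP protocol
IN DNS(ACCEPT) -dest dns_server # Allow DNS to the DNS server

[group management] # Management access to the nodes
IN ACCEPT -source +nodes_ipset_internal -dest +nodes_ipset_internal
IN ACCEPT -source +management_ipset -dest +nodes_ipset_external -p tcp -dport 8006
"""

HOST_FW = """\
[RULES]
IN ACCEPT -dest +nodes_ipset_external -p udp -dport 5404:5405 # Corosync
IN ACCEPT -source +nodes_ipset_external -p udp -dport 5404:5405 # Corosync
GROUP management # Allow Management access to the nodes
IN ACCEPT -source +nodes_ipset_external -dest qnap_storage -p tcp -dport 2049 # NFS
IN ACCEPT -source qnap_storage -dest +nodes_ipset_external -p tcp -dport 3493 # NUT
"""

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")


def parse_fw(text: str) -> Tuple[Set[str], Set[str], Set[str], List[Tuple[int, str]]]:
    """Return (aliases, ipsets, groups, rules); rules are (line_no, text without comment)."""
    aliases: Set[str] = set()
    ipsets: Set[str] = set()
    groups: Set[str] = set()
    rules: List[Tuple[int, str]] = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a trailing comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            if section == "IPSET":
                ipsets.add(m.group(2))
            elif section == "GROUP":
                groups.add(m.group(2))
            continue
        if section == "ALIASES":
            aliases.add(line.split()[0])          # "name address"
        elif section in ("RULES", "GROUP"):
            rules.append((line_no, line))
    return aliases, ipsets, groups, rules


def is_literal_address(token: str) -> bool:
    """A bare IP or CIDR needs no lookup; anything else is treated as an alias name."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def unresolved(rules, aliases, ipsets, groups) -> List[Tuple[int, str]]:
    """One (line_no, message) per reference that does not resolve,
    in the wording pveproxy uses in the post."""
    problems = []
    for line_no, rule in rules:
        toks = rule.split()
        if toks[0].upper() == "GROUP":
            name = toks[1] if len(toks) > 1 else ""
            if name not in groups:
                problems.append((line_no, f"no such group '{name}'"))
            continue
        for opt in ("-source", "-dest"):
            if opt not in toks or toks.index(opt) + 1 >= len(toks):
                continue
            kind = opt[1:]
            for part in toks[toks.index(opt) + 1].split(","):   # comma-separated lists
                if part.startswith("+"):
                    if part[1:] not in ipsets:
                        problems.append((line_no, f"{kind}: no such ipset '{part[1:]}'"))
                elif not is_literal_address(part) and part not in aliases:
                    problems.append((line_no, f"{kind}: no such alias '{part}'"))
    return problems


def lint(rules_text: str, *definition_texts: str) -> List[str]:
    """Check rules_text against definitions from itself plus definition_texts."""
    aliases: Set[str] = set()
    ipsets: Set[str] = set()
    groups: Set[str] = set()
    for text in (rules_text, *definition_texts):
        a, i, g, _ = parse_fw(text)
        aliases |= a
        ipsets |= i
        groups |= g
    _, _, _, rules = parse_fw(rules_text)
    return [f"line {n}: {msg}" for n, msg in unresolved(rules, aliases, ipsets, groups)]


if __name__ == "__main__":
    print("host.fw alone:")
    for problem in lint(HOST_FW):
        print("  " + problem)
    print("host.fw + cluster.fw:", lint(HOST_FW, CLUSTER_FW) or "no problems")
```

Run with host.fw alone and the output is the same list of `no such ipset` / `no such alias` messages the syslog shows; add cluster.fw and the list is empty. That makes the diagnosis mechanical: either the definitions never reach the scope where host.fw is validated, or they are not spelled the same in both files.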
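For the first problem, a small parser for the corosync ring messages in the syslog excerpt above, added as an example (not from the post and not from Proxmox or corosync): it collapses the doubled entries, pairs each FAULTY mark with the recovery that follows it, and reports per ring how often and for how long the ring was down and whether it is flapping. The log text is copied from the post; the year (syslog lines carry none) and the flapping window and threshold are assumptions.

```python
"""Corosync ring fault / recovery summary from syslog.

Added example, not from the post or from Proxmox: it reads the [TOTEM ]
messages corosync writes when a ring is marked FAULTY and when it recovers,
pairs them per ring, and reports how often and for how long each ring was
down and whether it is flapping.  Syslog lines carry no year, so one is
assumed; the flapping window and threshold are assumptions too.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the syslog excerpt from the post (abridged).
LOG = """\
Jan 12 09:40:38 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:40:38 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:40:39 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:40:39 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:00 proxmox-node-1 systemd[1]: Starting Proxmox VE replication runner...
Jan 12 09:41:05 proxmox-node-1 snmpd[2059]: error on subcontainer 'ia_addr' insert (-1)
Jan 12 09:41:18 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:18 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:19 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:19 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:40 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:40 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:41:41 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:41:41 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:07 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:07 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:10 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:10 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:38 proxmox-node-1 corosync[2561]: error [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:38 proxmox-node-1 corosync[2561]: [TOTEM ] Marking ringid 0 interface 192.168.0.2 FAULTY
Jan 12 09:42:40 proxmox-node-1 corosync[2561]: notice [TOTEM ] Automatically recovered ring 0
Jan 12 09:42:40 proxmox-node-1 corosync[2561]: [TOTEM ] Automatically recovered ring 0
"""

# The severity word ("error", "notice") is optional: corosync logs each
# message twice, once with it and once without.
TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ corosync\[\d+\]:(?: \w+)? \[TOTEM \] "
FAULTY_RE = re.compile(TS + r"Marking ringid (\d+) interface (\S+) FAULTY$")
RECOVER_RE = re.compile(TS + r"Automatically recovered ring (\d+)$")
YEAR = 2019  # assumption: syslog timestamps carry no year

Event = Tuple[int, str, datetime, Optional[datetime]]  # ring, interface, down, up


def parse_ts(stamp: str) -> datetime:
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def ring_events(lines) -> List[Event]:
    """Pair each FAULTY mark with the next recovery of the same ring,
    collapsing the doubled (timestamp, ring) entries."""
    seen = set()
    down: Dict[int, Tuple[str, datetime]] = {}
    events: List[Event] = []
    for line in lines:
        m = FAULTY_RE.match(line)
        if m:
            stamp, ring, iface = m.group(1), int(m.group(2)), m.group(3)
            if ("down", stamp, ring) in seen:
                continue
            seen.add(("down", stamp, ring))
            if ring in down:                      # FAULTY twice with no recovery between
                events.append((ring, down[ring][0], down[ring][1], None))
            down[ring] = (iface, parse_ts(stamp))
            continue
        m = RECOVER_RE.match(line)
        if m:
            stamp, ring = m.group(1), int(m.group(2))
            if ("up", stamp, ring) in seen or ring not in down:
                continue
            seen.add(("up", stamp, ring))
            iface, t_down = down.pop(ring)
            events.append((ring, iface, t_down, parse_ts(stamp)))
    for ring, (iface, t_down) in down.items():    # still faulty at end of log
        events.append((ring, iface, t_down, None))
    return events


def summarize(events: List[Event], window_s: int = 300, threshold: int = 3) -> Dict[int, dict]:
    """Per ring: fault count, seconds spent faulty, and a flapping flag set when
    at least `threshold` faults start inside any `window_s` seconds."""
    per_ring: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        per_ring[ev[0]].append(ev)
    out: Dict[int, dict] = {}
    for ring, evs in per_ring.items():
        starts = sorted(ev[2] for ev in evs)
        flapping = any(
            (starts[i + threshold - 1] - starts[i]).total_seconds() <= window_s
            for i in range(len(starts) - threshold + 1)
        )
        out[ring] = {
            "interface": evs[0][1],
            "faults": len(evs),
            "seconds_faulty": sum((ev[3] - ev[2]).total_seconds() for ev in evs if ev[3]),
            "still_faulty": any(ev[3] is None for ev in evs),
            "flapping": flapping,
        }
    return out


if __name__ == "__main__":
    for ring, info in summarize(ring_events(LOG.splitlines())).items():
        print(f"ring {ring} ({info['interface']}): {info}")
```

On the excerpt above this reports ring 0 on 192.168.0.2 faulting five times in two minutes for a total of eight seconds and flags it as flapping, while ring 1 never appears; that is the shape of a ring whose packets are intermittently dropped rather than one that is down. Feed it `journalctl -u corosync` output from both nodes to see whether the faults line up with firewall reloads on the other node.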