How to block the NFS ports on one PVE node?

theseris

New Member
Mar 19, 2024
Hi,

I'm new, but I have already gone thoroughly through dozens and dozens of threads on the Proxmox forum.
I know, I know, it is a subject which has been asked many times before, but without a very good answer.

1/ So I've tried to block ports 111 and 2049 on each of my nodes in the PVE part of the UI. => Nothing. They are still reachable, and the firewall on the br0 is activated.
So, first question => what is the purpose of the firewall on the PVE side? Because clearly it is not clear from the documentation itself. What purpose does it have?

2/ I've tried to block it in the cluster part of the UI (even though I don't have a cluster), but of course I forgot to open the policy, so I did not have access to that specific node anymore and needed to reinstall it, of course.... But then does that mean that only the firewall registered as the cluster one is effective?

I don't want to uninstall the service. THAT SHOULD NOT be the solution.

So apparently I'm not smart enough to comprehend either the documentation as such (since it is lacking, according to what I understand) or the "maybe?" solutions which I read in the different threads. So is someone capable of explaining to me what I am missing and answering the questions that I have?

Thank you for your assistance
 
Hi,
In order for the firewall to have any effect, it first of all must be enabled at the datacenter level. Further, you can then enable it for individual nodes/VMs/CTs and add custom rules (or create security groups and use those). For VMs/CTs there is an additional option to enable/disable the firewall at the NIC level, so also make sure that these are configured accordingly.

So first of all, where is the service you are trying to block running? Within a CT/VM or on the host itself?

the firewall on the br0 is activated
what do you mean by this? Are you referring to vmbr0 here?

but so of course I forgot to open the policy so I did not have access anymore to that specific node and I need to reinstall it of course.
There are default rules in place which prevent you from locking yourself out, unless you explicitly blocked all traffic to that node; in that case you will have to connect to the physical machine. Have you checked if you can access the node via SSH?
 
That's exactly one of the examples from the documentation I don't understand.
What is this datacenter level?
For a layman like me there is the node level and the cluster level. So is the DATACENTER simply the name of the menu entry you put there, which could change over the years? Or is it DATACENTER in the sense that, since you have a dedicated server to run Proxmox, you are obviously in some kind of DATACENTER, and so it is the firewall of the DATACENTER which is responsible?

The NFS port is at the node level, not in a VM or CT. Node level, so one of the PVEs. And obviously I don't want to get rid of the services, so what does it mean? Is the firewall of a node then only responsible for VM access?

By br0 I meant vmbr0, of course.

Yes, I did check that I'm not able to reach Proxmox in any way on that specific node where I conducted the experiment.
But it could make sense if you tell me that the firewall in the DATACENTER entry of the left menu needs to be configured, and is considered inactive by default and drops everything from outside (which is quite an important point if you are in a DC without access to the host) if not explicitly configured to accept specific ports from specific sources.
And that the pvex firewall, which is the node level, is actually only for the transit of data on the specific interfaces linked to the different VMs and CTs?

Sorry, maybe it is a bit confused, but that's just the flow as it came out.
 
What is this datacenter level?
For a layman like me there is the node level and the cluster level. So is the DATACENTER simply the name of the menu entry you put there, which could change over the years? Or is it DATACENTER in the sense that, since you have a dedicated server to run Proxmox, you are obviously in some kind of DATACENTER, and so it is the firewall of the DATACENTER which is responsible?
By datacenter level, the cluster-wide firewall rules and settings are meant. You can edit these via Datacenter > Firewall or by editing the corresponding configuration file located at /etc/pve/firewall/cluster.fw, as described in the docs [0]. These settings take effect on all nodes in the cluster, being applied by the pve-firewall service. If you have some means of access to one of the nodes, disabling the firewall there should allow you to regain access, as it disables the firewall for all nodes.

The NFS port is at the node level, not in a VM or CT. Node level, so one of the PVEs. And obviously I don't want to get rid of the services, so what does it mean? Is the firewall of a node then only responsible for VM access?
Okay, so if the NFS share is provided by a node of the cluster and not by a VM/CT, you can specify the rules to block access at the node level. Node-level rules [1] allow you to override rules from the datacenter level, e.g. you can limit the incoming TCP traffic to a port for this node, allowing some exceptions by setting an allow rule for the specific subset of clients which should reach the share, followed by a drop rule for the traffic not matched by the previous one. <Nodename> > Firewall allows you to inspect and edit these in the WebUI.

And that the pvex firewall, which is the node level, is actually only for the transit of data on the specific interfaces linked to the different VMs and CTs?
Traffic to/from containers and VMs has its own set of rules, as this traffic is not inbound to the PVE host itself, but rather forwarded to the guest. There is a dedicated configuration for these [2], or again via the WebUI by <VM/CT> > Firewall.

[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_configuration_files
[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pve_firewall_host_specific_configuration
[2] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pve_firewall_vm_container_configuration
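As an added example of the layout the answer above describes (this is not code from the thread, nor from Proxmox's own documentation): a POSIX shell script that stages a datacenter-level cluster.fw, which enables the firewall and defines an IP set of permitted NFS clients, and a host-level <node>.fw that accepts 111/2049 from that set and drops those ports for everyone else. The node name pve1, the IP set name nfs_clients, the 192.0.2.0/24 addresses and the PVE_FW_DIR variable are assumptions; with PVE_FW_DIR pointed at a scratch directory, nothing on a live node is touched.

```shell
#!/bin/sh
# Added example, not from the thread or the Proxmox docs. Stages the two
# firewall files the answer describes. Assumptions: node name pve1, IP set
# name nfs_clients, client addresses from 192.0.2.0/24 (documentation
# range, constructed), and PVE_FW_DIR, which defaults to the live location
# but can be pointed at a scratch directory for a dry run.

PVE_FW_DIR="${PVE_FW_DIR:-/etc/pve/firewall}"

# Datacenter level (Datacenter > Firewall in the UI). Nothing in a node or
# guest file has any effect while enable is 0 here.
write_cluster_fw() {
    cat > "$PVE_FW_DIR/cluster.fw" <<'EOF'
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET nfs_clients]
192.0.2.10
192.0.2.16/28
EOF
}

# Host level (<Nodename> > Firewall). The file is named after the node.
# Rules are evaluated top to bottom: accept the trusted set first, then drop
# everything else on the NFS ports. Both the portmapper (111) and nfsd (2049)
# are covered, over TCP and UDP, so an NFSv3 client cannot slip through.
write_host_fw() {
    cat > "$PVE_FW_DIR/$1.fw" <<'EOF'
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -source +nfs_clients -p tcp -dport 2049 -log nolog
IN ACCEPT -source +nfs_clients -p udp -dport 2049 -log nolog
IN ACCEPT -source +nfs_clients -p tcp -dport 111 -log nolog
IN ACCEPT -source +nfs_clients -p udp -dport 111 -log nolog
IN DROP -p tcp -dport 2049 -log warning
IN DROP -p udp -dport 2049 -log warning
IN DROP -p tcp -dport 111 -log warning
IN DROP -p udp -dport 111 -log warning
EOF
}

# Sanity checks on the staged host file before copying it to a live node:
# the number of DROP rules for a port (expect 2: tcp and udp) and the first
# rule in the file (must be the ACCEPT, or the exception never matches).
count_drop_rules() {
    grep -c "^IN DROP .*-dport $2 " "$PVE_FW_DIR/$1.fw"
}

first_rule() {
    grep -m1 '^IN ' "$PVE_FW_DIR/$1.fw"
}

# Stage both files, then, on a real node, show what pve-firewall makes of them.
stage() {
    node="${1:-pve1}"
    mkdir -p "$PVE_FW_DIR"
    write_cluster_fw
    write_host_fw "$node"
    [ "$(count_drop_rules "$node" 2049)" -eq 2 ] || { echo "missing drop rule" >&2; return 1; }
    if command -v pve-firewall >/dev/null 2>&1; then
        # Prints the compiled ruleset; check the 111/2049 lines before relying on them.
        pve-firewall compile | grep -E 'dport (111|2049)'
    fi
}

if [ "${1:-}" = "stage" ]; then
    stage "${2:-pve1}"
fi
```

Dry-run it with `PVE_FW_DIR=/tmp/fwstage sh nfs_fw.sh stage pve1`, read the two files it produces, and only then place them under /etc/pve/firewall. Keep the answer's lock-out caveat in mind: before enabling the datacenter firewall, make sure the node's own management access (8006 and 22) is covered by a rule you have verified, and keep console access to the machine available the first time.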
 
