How to combine LFD with cluster level firewall?

justjosh

Member
Nov 4, 2019
I'm getting a bunch of BF attacks on my HV's ports. I tried using CSF but it messes up connectivity on the VM level. VMs have their own public facing IPs.
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
sorry but what does:
* LFD
* BF
* CSF

mean?!

I assume HV means hypervisor and VM means virtual machine
 

LnxBil

Famous Member
Feb 21, 2015
Germany
We do LFD with fail2ban on each guest, so that it adds a layer to the general firewall on the PVE side (only allow what we want and do virtual DMZ). The PVE firewall itself is "just" the stateless iptables firewall, so it is not and will not be able to do more than that.

You can however insert a new chain/table in INPUT/FORWARDING and do your own stuff.
 

justjosh

Member
Nov 4, 2019
We do LFD with fail2ban on each guest, so that it adds a layer to the general firewall on the PVE side (only allow what we want and do virtual DMZ). The PVE firewall itself is "just" the stateless iptables firewall, so it is not and will not be able to do more than that.

You can however insert a new chain/table in INPUT/FORWARDING and do your own stuff.
Do you use popular blacklists as well? Might be a little intrusive on the guests? Would the popular blacklists save a lot of headache?
 

LnxBil

Famous Member
Feb 21, 2015
Germany
Do you use popular blacklists as well? Might be a little intrusive on the guests? Would the popular blacklists save a lot of headache?

For better security, I'd use an IDS that sits in between and can do more than just stateful packet filtering.
 

luison

Active Member
Feb 22, 2010
Spain
alsur.es
Hi. Sorry to jump on this post but I am quite interested in the fail2ban/csf/lfd on the lxc containers.
We currently run CSF on the host and on the containers with public and private IP addresses at OVH. We understand the firewall part is somehow redundant on the private (10.0.0.X) containers, as all we see on the firewall part is reports of IPs trying to reach the PVE host.
I am wondering if you found a way for CSF only to act on the local IP part on the container.

On the other hand, on the LFD part we are considering using its advanced regexp rules to monitor logs and ban IPs that get reported in httpd server logs, for example, in the manner of fail2ban, as I thought you could not use LFD and fail2ban at the same time. Thanks.
 
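To make concrete both LnxBil's suggestion (insert your own chain and hook it into INPUT, so the hypervisor's own ports are covered without touching the FORWARD path that the guests' public IPs use) and luison's question about LFD-style regexp monitoring of logs, here is an added example of a minimal fail2ban/LFD-like loop in POSIX shell. It is not code from this thread, from Proxmox, CSF or fail2ban; the chain name LFD_BLOCK, the threshold and the sshd log lines are constructed assumptions, and by default it only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal LFD/fail2ban-style loop.
# 1. count "Failed password" events per source IP in sshd log lines,
# 2. emit iptables commands that put offenders into a dedicated chain
#    hooked into INPUT only, so guest traffic (FORWARD) is untouched.
# Chain name, threshold and the log lines below are constructed assumptions.

CHAIN="${CHAIN:-LFD_BLOCK}"       # hypothetical chain name
THRESHOLD="${THRESHOLD:-3}"       # failed logins per IP before blocking

# Constructed sample log lines in sshd/syslog format (not real traffic).
SAMPLE_LOG='Mar  3 10:00:01 pve sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:04 pve sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:09 pve sshd[1207]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:12 pve sshd[1210]: Failed password for root from 198.51.100.9 port 40210 ssh2
Mar  3 10:01:00 pve sshd[1215]: Accepted publickey for admin from 192.0.2.5 port 40300 ssh2'

# offenders THRESHOLD: read log lines on stdin, print each source IP that
# produced at least THRESHOLD failed logins, one per line, sorted.
offenders() {
    awk -v t="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= t) print ip }
    ' | sort
}

# block_rules CHAIN IP...: print the iptables commands that create CHAIN,
# hook it at the top of INPUT (idempotently, via -C) and drop each IP.
block_rules() {
    chain="$1"; shift
    echo "iptables -N $chain 2>/dev/null || true"
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -I INPUT 1 -j $chain"
    for ip in "$@"; do
        echo "iptables -A $chain -s $ip -j DROP"
    done
}

# main: run the pipeline over the sample log. With DRY_RUN=1 (the default)
# the rules are only printed, so this is safe to run on any machine.
main() {
    ips=$(printf '%s\n' "$SAMPLE_LOG" | offenders "$THRESHOLD")
    [ -n "$ips" ] || { echo "no offenders above threshold $THRESHOLD"; return 0; }
    # word-splitting $ips on newlines is intended: one IP per argument
    if [ "${DRY_RUN:-1}" = "1" ]; then
        block_rules "$CHAIN" $ips
    else
        block_rules "$CHAIN" $ips | sh -e
    fi
}

main
```

On a real host you would feed `offenders` from the auth log (e.g. `journalctl -u ssh` or `/var/log/auth.log`) instead of `SAMPLE_LOG`, run it from a timer, and add an expiry for the DROP entries. Because the jump is inserted into INPUT and not FORWARD, VM and container traffic that the PVE firewall forwards is not affected, which is the connectivity problem the original poster hit with CSF. One check worth doing: pve-firewall manages its own PVEFW-* chains, so after a firewall reload confirm with `iptables -S INPUT` that the jump to your chain is still in place.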
