Hello,
this is a noob question but I'm unable to figure out how to check if I set all the stuff "the right way".
I already read the docs: https://pve.proxmox.com/wiki/Firewall
I have a PVE 7.1-12 installation with one Node in bridged mode.
All the VMs are configured the same way and they act as classic LEMP web servers.
I want all the VMs to accept incoming connections on TCP 80, 443, and a custom SSH port (not the standard 22).
I also want to accept ICMP (ping requests) on a VM level.
I set at Datacenter level:
Firewall: Y
ebtables: Y
Input Policy: DROP
Output Policy: ACCEPT
I also created a "Security group" which contains ACCEPT rules for the destination ports mentioned (except ICMP).
At NODE level I have:
Firewall: Y
SMURFS filter: Y
TCP Flags: Y
Firewall has 2 rules:
#0 security group (the one I created at DC level)
#1 in DROP
So I expect to block all traffic except for ports inserted in the sec group.
At VM level:
Hardware > Network > Firewall ON
Firewall > Options:
#0 security group (the one I created at DC level)
Firewall: Yes
Input Policy: DROP
Output Policy: ACCEPT
The other questions are the following:
1 - When exactly are firewall rules applied? Is there some delay, or can I expect instant execution after setting a rule from the GUI?
2 - Is there a way to simplify the above setup?
3 - Is it right to replicate the security group at NODE level and VM level, or can I omit the VM by setting its input policy to ACCEPT?
Thanks in advance