How to monitor and control access to admin interface

rcd

Active Member
Jul 12, 2019
The Firewall Wiki page https://pve.proxmox.com/wiki/Firewall explains:
If you enable the firewall, traffic to all hosts is blocked by default. The only exceptions are the WebGUI (8006) and ssh (22) from your local network.

I think quite a lot of Proxmox users have the server in a remotely located datacenter, so local network isn't an option. I'd like it if someone could give a clearer explanation of how to just block the access to port 8006 without affecting the traffic anywhere else.

I can of course just set up a couple of iptables lines to accomplish the objective, but it seems pointless to have a firewall interface and then not use it.

The Wiki page also claims that "The cluster wide firewall configuration is stored at: /etc/pve/firewall/cluster.fw". It isn't on my server - no firewall directory exists under /etc/pve. Could be it just needs to be created, but it could also be that the documentation is outdated, and I lock myself out if I start messing with it.

It would be nice to have an example explaining how to set up basic access control to only allow access to the GUI and perhaps SSH from given IP addresses.

It would also be nice to know where login activity for the GUI is logged. Nothing is logged under /var/log, perhaps somewhere else? Surely Proxmox must be logging login activity on the GUI?
 
The Firewall Wiki page https://pve.proxmox.com/wiki/Firewall explains:
If you enable the firewall, traffic to all hosts is blocked by default. The only exceptions are the WebGUI (8006) and ssh (22) from your local network.

I think quite a lot of Proxmox users have the server in a remotely located datacenter, so local network isn't an option. I'd like it if someone could give a clearer explanation of how to just block the access to port 8006 without affecting the traffic anywhere else.

I can of course just set up a couple of iptables lines to accomplish the objective, but it seems pointless to have a firewall interface and then not use it.

The Wiki page also claims that "The cluster wide firewall configuration is stored at: /etc/pve/firewall/cluster.fw". It isn't on my server - no firewall directory exists under /etc/pve. Could be it just needs to be created, but it could also be that the documentation is outdated, and I lock myself out if I start messing with it.

It is created when the firewall is activated via the GUI, but creating it manually will also have effect.


It would be nice to have an example explaining how to set up basic access control to only allow access to the GUI and perhaps SSH from given IP addresses.

It's quite simple: just open the firewall dialogue and specify the requested source address, protocol tcp and 8006 as destination port.

It would also be nice to know where login activity for the GUI is logged. Nothing is logged under /var/log, perhaps somewhere else? Surely Proxmox must be logging login activity on the GUI?

Can be seen in /var/log/syslog, e.g.:
Code:
Jan  3 07:09:09 pvenode pvedaemon[3038]: <root@pam> successful auth for user 'root@pam'

as well as more details in /var/log/pveproxy/access.log
 
Hi Richard,
Thanks for the update, very interesting!

1)

So what exactly is logged in /var/log/pveproxy/access.log - presumably activities on port 8006?

I have an iptables rule that blocks traffic to port 8006 (and 22) except from my IP address:

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source                destination
ACCEPT     tcp  --  my.static.ip.address  0.0.0.0/0
DROP       tcp  --  0.0.0.0/0             0.0.0.0/0            tcp dpt:8006
DROP       tcp  --  0.0.0.0/0             0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy ACCEPT)
target     prot opt source                destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source                destination

yet I see this line in the log - and the IP is not my static ip address:

185.142.236.34 - - [09/01/2020:05:54:45 +0000] "GET / HTTP/1.1" 501 -

Any idea what happened?

2)

So first the firewall rules can be added under the pve device, then the firewall can be enabled under the "datacenter view"? I am a little confused with how some things are split between datacenter view and the pve node, but I guess it makes sense in some way.

Which values are accepted in the firewall rules form - I guess standard CIDR for IP addresses and comma-separated lists for ports? Anything else? Port ranges?
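Two things the thread asks for can be checked offline: whether the entries in /var/log/pveproxy/access.log and the pvedaemon lines in syslog come from the addresses you expect, and what a cluster.fw that only admits the management interface from given IPs looks like. The script below is an added example written for this thread; it is not code from Proxmox or from any poster. The sample log lines are constructed in the shape of the ones quoted above (the "authentication failure; rhost=..." line is an assumed format, not quoted from the thread), the management addresses are documentation ranges, and the cluster.fw layout ([OPTIONS], [IPSET], [RULES], -source +ipset, -dport) follows the pve-firewall documentation as I read it, so compare the rendered text with the current docs before writing it to /etc/pve/firewall/cluster.fw.

```python
"""Audit Proxmox admin-interface logs against an allowlist and render a
matching cluster.fw. Added example for the thread, not Proxmox's own code."""
import ipaddress
import re

# Constructed sample data: management allowlist and log lines shaped like the
# ones quoted in the thread (the "authentication failure" format is assumed).
ALLOWED = ["203.0.113.7/32"]

ACCESS_LOG = """\
203.0.113.7 - - [09/01/2020:05:50:01 +0000] "GET /api2/json/cluster/resources HTTP/1.1" 200 -
185.142.236.34 - - [09/01/2020:05:54:45 +0000] "GET / HTTP/1.1" 501 -
203.0.113.7 - - [09/01/2020:06:02:10 +0000] "POST /api2/json/access/ticket HTTP/1.1" 200 -
"""

SYSLOG = """\
Jan  9 06:02:10 pvenode pvedaemon[3038]: <root@pam> successful auth for user 'root@pam'
Jan  9 06:05:33 pvenode pvedaemon[3038]: authentication failure; rhost=::ffff:198.51.100.9 user=root@pam msg=Authentication failure
"""

# pveproxy access.log: "<ip> - - [<timestamp>] "<request>" <status> -"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# pvedaemon auth lines; rhost= is only present on the (assumed) failure format.
AUTH_RE = re.compile(
    r"(?P<outcome>successful auth|authentication failure)(?:.*?rhost=(?P<ip>\S+))?"
)


def normalize_ip(raw):
    """Map IPv4-mapped IPv6 literals (::ffff:a.b.c.d) back to plain IPv4."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(raw_ip, allowed_cidrs):
    """True if the address falls inside any allowlisted CIDR."""
    addr = normalize_ip(raw_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allowed_cidrs)


def audit_access_log(lines, allowed_cidrs):
    """Return access.log entries whose client address is not allowlisted."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and not is_allowed(m.group("ip"), allowed_cidrs):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "request": m.group("req"), "status": int(m.group("status"))})
    return hits


def unexpected_auth(lines, allowed_cidrs):
    """Return (outcome, ip) for auth failures or auth from non-allowlisted hosts."""
    flagged = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip is not None:
            ip = str(normalize_ip(ip))
        failed = m.group("outcome") == "authentication failure"
        if failed or (ip and not is_allowed(ip, allowed_cidrs)):
            flagged.append((m.group("outcome"), ip))
    return flagged


def render_cluster_fw(allowed_cidrs, ports=(8006, 22)):
    """Render a cluster.fw that keeps the default input policy at ACCEPT (so
    nothing else is affected) and restricts only the given ports to the
    management ipset. ACCEPT rules come before DROP because order matters."""
    lines = ["[OPTIONS]", "enable: 1", "policy_in: ACCEPT", "", "[IPSET management]"]
    lines += [str(ipaddress.ip_network(c, strict=False)) for c in allowed_cidrs]
    lines += ["", "[RULES]"]
    lines += [f"IN ACCEPT -source +management -p tcp -dport {p}" for p in ports]
    lines += [f"IN DROP -p tcp -dport {p}" for p in ports]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for hit in audit_access_log(ACCESS_LOG.splitlines(), ALLOWED):
        print("non-allowlisted client:", hit)
    for event in unexpected_auth(SYSLOG.splitlines(), ALLOWED):
        print("auth event to review:", event)
    print(render_cluster_fw(ALLOWED))
```

On a live node, feed the real files in with `open("/var/log/pveproxy/access.log")` and `open("/var/log/syslog")` instead of the constructed strings. The audit reports access.log entries by timestamp, which is the quickest way to tell whether an unexpected entry predates the rule that was meant to block it; the normalization step matters because addresses may be logged as ::ffff:a.b.c.d rather than plain IPv4. The rendered cluster.fw keeps policy_in at ACCEPT so only the listed ports are touched; changing it to DROP makes the firewall behave as the wiki sentence describes, so keep a console session open when you enable it.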
 