I don't understand what Firewall:Yes does on virtual machine?

hendr1x

Member
Dec 14, 2019
28
0
21
41
Hello everyone,
I have 2 security groups. One is applied to the datacenter and allows port 22 access. Another is applied to the virtual machine and allows VPN access. This works fine as far as I can tell.

However, today I found the setting, under a virtual machine => Firewall => Options => Firewall = Yes. When I enable, my virtual machine stops accepting port 22/ssh connections. If I add the datacenter security group directly to the virtual machine it still refuses connection.

Basically, everything seems to work properly with it set to No and it does't work at all if set to Yes. Can someone explain to me what is happening? Thank you?
 
I have 2 security groups. One is applied to the datacenter and allows port 22 access
Thats part of the hidden anti-lockout rules and allowed by default: https://pve.proxmox.com/wiki/Firewall#pve_firewall_default_rules


However, today I found the setting, under a virtual machine => Firewall => Options => Firewall = Yes.
Yes, that enables the VMs firewall so the default policies will kick in which will drop all incoming traffic that is not explcitely allowed by a rule. So without a VM rule that allows port 22 that is blocked too.


If I add the datacenter security group directly to the virtual machine it still refuses connection.
The datacenter rules effect all nodes of a cluster but not the guests. Node rules only affect a host but not the guests.
Only guest rules affect your guest.
So if you want to allow port 22 for a VM and node you need to create a rule for VM+datacenter or VM+node.

And all VM and node firewalls are igbored unless you also enable the datacenter firewall.

I personally like to create a dedicated security group for each VM and node with custom rules specifoc to that VM/node. And in addition to that some security groups for specific services that are used by multiple hosts/VMs like VPN, SSH, HTTP, HTTPS, DNS, monitoring and so on.

Ideally, for best security, you enable the firewall for each node and guest and set all policies to drop everything unless it's explicitely whitelisted by your security groups. I feel like most people here, especially the homelabbers, don't make use of the firewall at all to save some work...
 
Last edited:
  • Like
Reactions: ZipTX
Yes, that enables the VMs firewall so the default policies will kick in which will drop all incoming traffic that is not explcitely allowed by a rule. So without a VM rule that allows port 22 that is blocked too.

Sorry...my security group naming convention I think confused matters. I have a "datacenter" security group...it is currently applied to my datacenter and handles allowing port 22 for a specific IP only. This works perfectly for my hypervisors. I want the same rule to apply my VM. It seems like if I want to implement firewalls for a VM I need to enable it under "virtual machine => Firewall => Options => Firewall = Yes." I also have it enabled on my network device.


My attempt at getting this to work...I applied the "datacenter" security group (enabled) to the VM firewall and I am still not able to connect. I tried removing the IP restriction and just opening up port 22 without restriction and that still did not work. If I disable the the VM Firewall = No I can connect without issue.


Any ideas?
 
Sorry...my security group naming convention I think confused matters. I have a "datacenter" security group...it is currently applied to my datacenter and handles allowing port 22 for a specific IP only. This works perfectly for my hypervisors. I want the same rule to apply my VM. It seems like if I want to implement firewalls for a VM I need to enable it under "virtual machine => Firewall => Options => Firewall = Yes." I also have it enabled on my network device.


My attempt at getting this to work...I applied the "datacenter" security group (enabled) to the VM firewall and I am still not able to connect. I tried removing the IP restriction and just opening up port 22 without restriction and that still did not work. If I disable the the VM Firewall = No I can connect without issue.


Any ideas?
Like I said, rules on datacenter level won't effect VMs. If you only open port 22 on the datacenter firewall level, then you can ssh into the nodes from the internet but the VMs will still block all incoming traffic on port 22 unless you also add a rule to allow incoming traffic on port 22 on the VM firewall level.
 
I thought that applying a security group (the one called "datacenter" but I can rename it) to the VM that declared port 22 open would do that. For some reason it isn't working and I don't understand why. Could it because it is being used at the datacenter level already? Thanks for your patience.
 
Hello

In my current setup, I have two security groups: one applied to the datacenter allowing port 22 access and another applied to a virtual machine for VPN access. Everything was functioning well until I noticed a "Firewall" option within the virtual machine's settings. When I enable this option, the virtual machine stops accepting port 22/ssh connections, even if I add the datacenter security group directly. Strangely, with the option set to "No," everything works fine. I'm seeking an explanation for this behavior.
I have checked https://pve.proxmox.com/wiki/Firewall#pve_firewall_default_rules_Mulesoft Certification for guidence.

Thank you.
 
They explain it all in this thread. The VM is separate and requires all rules applied to it. Just put the security group on the VM as well as the datacenter.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!