IPFilter vs IPSet

poxin
Jun 27, 2017
Hi All,

Just signed up for a subscription and looking to go production with Proxmox and migrate our existing infrastructure to it. Still have some confusion regarding IPFilter and IPSet options in the firewall.

Ultimately trying to prevent IP spoofing for both VMs and containers. Does enabling the IP Filter in the firewall options accomplish the same thing as creating an IPSet for 'ipfilter-net0' with the IP entered as IP/CIDR?

The documentation for IPFilter states: "Enable default IP filters. This is equivalent to adding an empty ipfilter-net<id> ipset for every interface."

I'm not sure if an empty ipfilter-net will accomplish the same thing or if I should explicitly define them in IPSets instead.
 
AFAIK, pve-firewall is just a front-end for iptables. The set of rules for a VM is created in /etc/pve/firewall/VM-id/*.fw, so you can check there whether it looks similar to what you expect...

But personally, I do not recommend using PVE-firewall for anything else but filtering access to the PVE host. Filtering for VMs/containers should be done either inside of them, or even better using a firewall appliance (running as a VM), e.g. pfsense, untangle, sophos, etc.
 
Can anyone explain the difference? I was looking into this myself today and found this old thread. Looks like it didn't get a response other than suggesting not to use the firewall.
 
IPSets are user-configurable sets of addresses or networks. They can be defined for virtually everything you want to be able to use within the firewall rules, e.g. a certain server, a certain network or a couple of admin PCs. It's an alias, so that you don't have to add rules with the same addresses over and over again.
The IPFilter is responsible for not letting any IP address other than the one that was defined pass from inside the VM, in order to prohibit IP address spoofing.
So, these are two quite different things, after all. :)
 
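To make the distinction above concrete, here is an added example (not code from this thread or from Proxmox): a small Python audit script that parses a guest's .fw file in the format shown in this thread and reports, per interface, whether the anti-spoofing filter is pinned to explicit addresses, exists but is empty, or is absent. The sample file and its addresses are constructed, and the classification assumes the documented pve-firewall semantics: when an ipfilter-net<id> set exists, only its listed sources (plus the implicit defaults) may leave the guest.

```python
import re
from ipaddress import ip_network

# Constructed sample in the /etc/pve/firewall/<vmid>.fw format; addresses are made up.
SAMPLE_FW = """\
[OPTIONS]
enable: 1
ipfilter: 1

[IPSET ipfilter-net0]
192.168.10.25
10.0.0.0/24 # whole subnet allowed as source

[IPSET ipfilter-net1]
"""

def parse_fw(text):
    """Return ({option: value}, {ipset name: [networks]}) from a .fw file."""
    options, ipsets, section = {}, {}, ('', None)
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)(?:\s+(\S+))?\]', line)
        if m:                                     # [OPTIONS], [IPSET name], [RULES], ...
            section = (m.group(1).upper(), m.group(2))
            if section[0] == 'IPSET':
                ipsets.setdefault(section[1], [])
        elif section[0] == 'OPTIONS':
            key, _, value = line.partition(':')
            options[key.strip()] = value.strip()
        elif section[0] == 'IPSET' and not line.startswith('!'):
            # a leading '!' marks a nomatch entry, which excludes rather than allows
            ipsets[section[1]].append(ip_network(line.split()[0], strict=False))
    return options, ipsets

def audit_ipfilter(text, interfaces):
    """Classify the anti-spoofing state of each guest interface (net0, net1, ...)."""
    options, ipsets = parse_fw(text)
    enabled = options.get('ipfilter', '0') == '1'
    report = {}
    for iface in interfaces:
        entries = ipsets.get(f'ipfilter-{iface}')
        # pinned: only the listed sources may leave the guest; empty: the set is
        # empty or implied empty by ipfilter: 1, so only the implicit defaults
        # (MAC-derived IPv6 link-local, a container's configured addresses) pass;
        # unfiltered: no source-address check at all on this interface
        report[iface] = ('pinned' if entries else
                         'empty' if entries is not None or enabled else 'unfiltered')
    return report
```

Running audit_ipfilter(SAMPLE_FW, ['net0', 'net1', 'net2']) reports net0 as pinned, net1 as empty (explicit empty set) and net2 as empty (implied by ipfilter: 1), which is exactly the "empty ipfilter-net<id> ipset for every interface" wording quoted in the first post.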
How/Where do you set these IPSet?

The only thing I have found is this, which is not in the GUI anywhere:

Code:
# /etc/pve/firewall/cluster.fw

[IPSET blacklist]
77.240.159.182
213.87.123.0/24

Is there an easy way to do a cluster-wide port block rather than IP ranges? I have only found security groups, but they need to be manually managed for each VM.
 
You can define security groups on datacenter level and use them in VM rules.
IPSets can also be defined on datacenter or on VM level.
Cluster-wide, as in every VM, is only possible if you have a NAT, so that everything goes through your host. With a bridged network you will have to set up a firewall for every VM.