IPFilter vs IPSet

poxin
Jun 27, 2017
Hi All,

Just signed up for a subscription and looking to go production with Proxmox and migrate our existing infrastructure to it. Still have some confusion regarding IPFilter and IPSet options in the firewall.

Ultimately trying to prevent IP spoofing for both VMs and containers. Does enabling the IP Filter in the firewall options accomplish the same thing as creating an IPSet for 'ipfilter-net0' with the IP entered as IP/CIDR?

The documentation for IPFilter states: "Enable default IP filters. This is equivalent to adding an empty ipfilter-net<id> ipset for every interface."

I'm not sure if an empty ipfilter-net will accomplish the same thing or if I should explicitly define them in IPSets instead.
 
AFAIK, pve-firewall is just a front-end for iptables. The set of rules for a VM is created in /etc/pve/firewall/VM-id/*.fw, so you can check there whether it looks similar to what you expect...

But personally, I do not recommend using PVE-firewall for anything else but filtering access to the PVE host. Filtering for VMs/containers should be done either inside of them, or even better using a firewall appliance (running as a VM), i.e. pfsense, untangle, sophos, etc.
 
Can anyone explain the difference? I was looking into this myself today and found this old thread. Looks like it didn't get a response other than suggesting not to use the firewall.
 
IPSets are user-configurable sets of addresses or networks. They can be defined for virtually everything you want to be able to use within the firewall rules, e.g. a certain server, a certain network or a couple of admin PCs. It's an alias, so that you don't have to add rules with the same addresses over and over again.
The IPFilter is responsible for not letting any other IP address pass from inside the VM than the one that was defined, in order to prohibit IP address spoofing.
So, these are two quite different things, after all. :)
 
How/Where do you set these IPSet?

The only thing I have found is the following, which is not in the GUI anywhere:

Code:
# /etc/pve/firewall/cluster.fw

[IPSET blacklist]
77.240.159.182
213.87.123.0/24

Is there an easy way to do a cluster-wide port block rather than IP ranges? I have only found security groups, but they need to be manually managed for each VM.
 
You can define security groups on datacenter level and use them in VM rules.
IPSets can also be defined on datacenter or on VM level.
Cluster-wide, as in every VM, is only possible if you have a NAT, so that everything goes through your host. With a bridged network you will have to set up a firewall for every VM.
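To make the distinction from the two answers above concrete, here is an added example (not from the thread or from the Proxmox project) of the two files involved: a datacenter-level cluster.fw holding an ordinary IPSet alias and a security group, and a per-VM file where ipfilter-net0 is the anti-spoofing source list. The VM id 100, the group name "webserver" and the address 192.168.1.10 are constructed assumptions; the blacklist entries are the ones posted above.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level)
[OPTIONS]
enable: 1

# A plain IPSet: just an alias for addresses that rules can reference
# with a "+" prefix. Entries taken from the post above.
[IPSET blacklist]
77.240.159.182
213.87.123.0/24

# A security group, defined once here and reusable in any VM's rules.
# "webserver" is a constructed name.
[group webserver]
IN ACCEPT -p tcp -dport 80
IN ACCEPT -p tcp -dport 443

# /etc/pve/firewall/100.fw  (VM 100 is a constructed example id)
[OPTIONS]
enable: 1
# Turn on the anti-spoofing filter for every interface of this VM.
ipfilter: 1

# ipfilter-net0 is not an ordinary alias: it is the list of source
# addresses the guest may send from on net0. For a VM nothing is added
# implicitly (only containers get their configured IPs added), so the
# guest's own address must be listed. 192.168.1.10 is constructed.
[IPSET ipfilter-net0]
192.168.1.10

[RULES]
# Drop blacklisted sources first (the alias in use), then admit the web
# ports through the datacenter-defined group.
IN DROP -source +blacklist
GROUP webserver
```

Because the ipfilter option and an ipfilter-net0 set are both in place, traffic the guest emits from any source address other than 192.168.1.10 is dropped regardless of the [RULES] section.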
 
