Hello
I have an issue with the way https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_ipfilter_section is working. First I'd like to clarify that Firewall is enabled at DC, Server and VM level.
VM firewall options:
Focusing on the /etc/pve/firewall# cat 584.fw output/settings:
If I have this firewall config, then vm will still be able to set any IP at their network interface such as 95.12.124.156 and get traffic from it:
I managed to get IP filtering to work by setting "policy_in: DROP" and then adding a firewall rule that would only allow traffic from the IPSET ipfilter-net0. But surely this should not be required?
VM is set to use vmbr0 as bridge and I have this network config at my proxmox install:
I need help fixing / understanding why ipfilter is not working on my proxmox server.
Many thanks!
I have an issue with the way https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_ipfilter_section is working. First I'd like to clarify that Firewall is enabled at DC, Server and VM level.
VM firewall options:
Focusing on the /etc/pve/firewall# cat 584.fw output/settings:
If I have this firewall config, then vm will still be able to set any IP at their network interface such as 95.12.124.156 and get traffic from it:
Code:
/etc/pve/firewall# cat 584.fw
[OPTIONS]
enable: 1
policy_out: ACCEPT
ipfilter: 1
policy_in: ACCEPT
[IPSET ipfilter-net0]
95.12.124.154 # Assigned
::1 # Interface with no v6 IPsI managed to get IP filtering to work by setting "policy_in: DROP" and then adding a firewall rule that would only allow traffic from the IPSET ipfilter-net0. But surely this should not be required?
Code:
/etc/pve/firewall# cat 584.fw
[OPTIONS]
enable: 1
policy_out: ACCEPT
ipfilter: 1
policy_in: DROP
[IPSET ipfilter-net0]
95.12.124.154 # Assigned
::1 # Interface with no v6 IPs
[RULES]
IN ACCEPT -dest +guest/ipfilter-net0 -log nologVM is set to use vmbr0 as bridge and I have this network config at my proxmox install:
Code:
/etc/network# cat interfaces
auto lo
iface lo inet loopback
iface enp67s0f1np1 inet manual
mtu 9000
iface enp67s0f0np0 inet manual
mtu 9000
auto bond0
iface bond0 inet manual
bond-slaves enp67s0f0np0 enp67s0f1np1
bond-mode 802.3ad
bond-miimon 100
bond-downdelay 200
bond-updelay 200
bond-lacp-rate 1
mtu 9000
auto vmbr0
iface vmbr0 inet manual
mtu 9000
bridge-ports bond0
bridge-stp off
bridge-fd 0
address 95.12.124.9/24
gateway 95.12.124.1
vlan-raw-device bond0
bridge_vlan_aware yes
bridge-vids 1000 500
iface vmbr0 inet6 manual
mtu 9000
bridge-ports bond0
bridge-stp off
bridge-fd 0
address 2001:241::9/36
gateway 2001:241::1
vlan-raw-device bond0
bridge_vlan_aware yes
bridge-vids 1000 500
auto vmbr0.500
iface vmbr0.500 inet static
mtu 9000
address 10.0.0.9/24
gateway 10.0.0.1
vlan-raw-device bond0
auto vmbr0.1000
iface vmbr0.1000 inet manual
vlan-raw-device vmbr0
source /etc/network/interfaces.d/*I need help fixing / understanding why ipfilter is not working on my proxmox server.
Many thanks!
Last edited: