[IPSET ipfilter-net0] - not working unless I add vm specific firewall rule to only allow traffic from the IPSET

David123

Jul 6, 2024
Hello

I have an issue with the way https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_ipfilter_section is working. First I'd like to clarify that the firewall is enabled at DC, server and VM level.
VM firewall options: (screenshot: firewall setting.png)

Focusing on the /etc/pve/firewall# cat 584.fw output/settings:
If I have this firewall config, then the VM will still be able to set any IP on its network interface, such as 95.12.124.156, and get traffic from it:
Code:
/etc/pve/firewall# cat 584.fw
[OPTIONS]

enable: 1
policy_out: ACCEPT
ipfilter: 1
policy_in: ACCEPT

[IPSET ipfilter-net0]

95.12.124.154 # Assigned
::1 # Interface with no v6 IPs

I managed to get IP filtering to work by setting "policy_in: DROP" and then adding a firewall rule that would only allow traffic from the IPSET ipfilter-net0. But surely this should not be required?

Code:
/etc/pve/firewall# cat 584.fw
[OPTIONS]
enable: 1
policy_out: ACCEPT
ipfilter: 1
policy_in: DROP

[IPSET ipfilter-net0]

95.12.124.154 # Assigned
::1 # Interface with no v6 IPs

[RULES]

IN ACCEPT -dest +guest/ipfilter-net0 -log nolog


VM is set to use vmbr0 as bridge and I have this network config at my proxmox install:
Code:
/etc/network# cat interfaces
auto lo
iface lo inet loopback

iface enp67s0f1np1 inet manual
    mtu 9000

iface enp67s0f0np0 inet manual
    mtu 9000

auto bond0
iface bond0 inet manual
    bond-slaves enp67s0f0np0 enp67s0f1np1
    bond-mode 802.3ad
    bond-miimon 100
    bond-downdelay 200
    bond-updelay 200
    bond-lacp-rate 1
    mtu 9000

auto vmbr0
iface vmbr0 inet manual
    mtu 9000
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    address 95.12.124.9/24
    gateway 95.12.124.1
    vlan-raw-device bond0
    bridge_vlan_aware yes
    bridge-vids 1000 500

iface vmbr0 inet6 manual
    mtu 9000
    bridge-ports bond0
    bridge-stp off
    bridge-fd 0
    address 2001:241::9/36
    gateway 2001:241::1
    vlan-raw-device bond0
    bridge_vlan_aware yes
    bridge-vids 1000 500

auto vmbr0.500
iface vmbr0.500 inet static
    mtu 9000
    address 10.0.0.9/24
    gateway 10.0.0.1
    vlan-raw-device bond0

auto vmbr0.1000
iface vmbr0.1000 inet manual
    vlan-raw-device vmbr0

source /etc/network/interfaces.d/*

I need help fixing / understanding why ipfilter is not working on my proxmox server.

Many thanks!
IP Filtering only applies to outgoing traffic:

These filters belong to a VM’s network interface and are mainly used to prevent IP spoofing. If such a set exists for an interface then any outgoing traffic with a source IP not matching its interface’s corresponding ipfilter set will be dropped.
Hey, it seems like ipfilter is working, but it requires this additional step with the rule to block traffic outside the assigned IPs. The default firewall setting policy_in: ACCEPT allows everything, so after switching to DROP, you need to add a rule allowing the correct traffic. Also, I recommend double-checking that all addresses are properly assigned in the ipset. Let me know if you need further help with the config! :)
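As an added check (my own code, not Proxmox's and not from anyone in this thread): it parses a <vmid>.fw file in the format shown above and reports what the ipfilter set restricts in each direction, reproducing the observation that ipfilter alone only drops spoofed outbound sources while inbound stays governed by policy_in and explicit IN rules. The section parsing and the DROP default assumed for a missing policy_in are my assumptions, and the sample configs are constructed from the thread.

```python
import re
# Constructed inline sample: the thread's 584.fw before the fix; the fixed variant is derived from it.
FW_BEFORE = """[OPTIONS]
enable: 1
policy_out: ACCEPT
ipfilter: 1
policy_in: ACCEPT
[IPSET ipfilter-net0]
95.12.124.154 # Assigned
::1 # Interface with no v6 IPs
"""
FW_AFTER = FW_BEFORE.replace("policy_in: ACCEPT", "policy_in: DROP") + \
    "[RULES]\nIN ACCEPT -dest +guest/ipfilter-net0 -log nolog\n"

def parse_vm_fw(text: str) -> dict[str, list[str]]:
    """Group the lines of a Proxmox <vmid>.fw file by section header, comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments such as '# Assigned'
        if not line:
            continue
        m = re.match(r"^\[(\w+)(?:\s+(\S+))?\]$", line)  # '[OPTIONS]' or '[IPSET ipfilter-net0]'
        if m:
            current = m.group(1).upper() + (f" {m.group(2)}" if m.group(2) else "")
            sections.setdefault(current, [])
        elif current:
            sections[current].append(line)
    return sections

def ipfilter_findings(sections: dict[str, list[str]]) -> list[str]:
    """Describe what each ipfilter-<iface> set restricts in each direction."""
    opts = {k.strip(): v.strip() for k, v in (kv.split(":", 1) for kv in sections.get("OPTIONS", []))}
    if opts.get("ipfilter") != "1":
        return ["ipfilter disabled: the ipfilter-* sets restrict nothing"]
    policy_in = opts.get("policy_in", "DROP").upper()  # assumption: documented VM default is DROP
    rules, findings = sections.get("RULES", []), []
    for name, entries in sections.items():
        if not name.startswith("IPSET ipfilter-"):
            continue
        ipset = name.split(" ", 1)[1]
        # Outbound is the only direction ipfilter itself touches (anti-spoofing).
        findings.append(f"{ipset}: OUT with source not in {entries} dropped")
        has_in_rule = any(r.upper().startswith("IN ") and f"-dest +guest/{ipset}" in r for r in rules)
        if policy_in == "ACCEPT":
            findings.append(f"{ipset}: IN to any destination accepted, ipfilter does not limit it")
        elif has_in_rule:
            findings.append(f"{ipset}: IN limited to the set by an explicit ACCEPT rule")
        else:
            findings.append(f"{ipset}: IN dropped entirely ({policy_in}, no rule for +guest/{ipset})")
    return findings
```

Running it on a real /etc/pve/firewall/<vmid>.fw (read the file and pass its text to parse_vm_fw) gives the same two-line verdict per interface.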