Hi everyone,
I am trying to grant access to the Proxmox node via SSH based on some ACCEPT firewall rules on the node level on this single host setup.
What already worked were the following two rules referencing previously defined Aliases:
Aliases:
FW-Rules:
Since this looked like a redundancy issue I will have with other interfaces as well (WebUI/API, PBS, ...), I wanted to go ahead and group those two aliases into a reusable IpSet on Datacenter level:
Subsequently I replaced the former two rules to allow SSH-access with a single rule referencing the IpSet:
The issue is, now SSH access doesn't work anymore from either of the two Aliases (one is a single host, the other being a network segment).
Any idea what I am missing?
Am I misunderstanding the purpose or functionality of IpSets?
--- EDIT ---
Experimented a little bit more today: creating the IpSet based on plain CIDR notation instead of referencing Aliases works fine.
1. Not Working:
2. Working:
Can Aliases NOT be used to define an IpSet? Why is the UI prompting me to do so?
-- EDIT END ---
Attached the cluster.fw and host.fw contents:
cluster.fw
```text
root@pve-dev01:~# cat /etc/pve/firewall/cluster.fw
[OPTIONS]
enable: 1
[ALIASES]
c4t-services 172.21.96.160/27 # C4T-Services SSN network segment
tmussnadmin 10.0.13.126/24 # JumpHost from R&S Networks to SSN
[IPSET developeraccess] # Host/Networks used for management purposes
dc/c4t-services
dc/tmussnadmin
[RULES]
IN ACCEPT -log nolog
```
host.fw:
```text
root@pve-dev01:/etc/pve/nodes/pve-dev01# cat host.fw
[OPTIONS]
enable: 1
[RULES]
IN SSH(ACCEPT) -source +dc/developeraccess -log nolog
IN ACCEPT -source dc/c4t-services -p tcp -dport 8006 -log nolog # Allow API/UI Proxmox Server from C4T-Services network
IN ACCEPT -source dc/tmussnadmin -p tcp -dport 8006 -log nolog # Allow API/UI Proxmox Server from TMUSSNADMIN
IN ACCEPT -source dc/c4t-services -p tcp -dport 8007 -log nolog # Allow API/UI Proxmox Backup Server from C4T-Services network
IN ACCEPT -source dc/tmussnadmin -p tcp -dport 8007 -log nolog # Allow API/UI Proxmox Backup Server from TMUSSNADMIN
IN DROP -log info
```
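A small pre-flight check for this failure mode, added here as an example and not part of the post or of Proxmox itself: it parses the cluster.fw shown above, expands the IPSet the SSH rule references, and reports members that resolve to no network, because an IPSet that expands to nothing makes `IN SSH(ACCEPT) -source +dc/developeraccess` match no client at all and the trailing `IN DROP` then wins. The sample text is constructed from the post; whether pve-firewall accepts a `dc/` prefix inside `[IPSET]` entries is an assumption the check does not make, it only reports members that do not match an alias name as written.

```python
import ipaddress

# Constructed sample in the layout of the post's cluster.fw (pve-firewall format).
CLUSTER_FW = """\
[OPTIONS]
enable: 1
[ALIASES]
c4t-services 172.21.96.160/27 # C4T-Services SSN network segment
tmussnadmin 10.0.13.126/24 # JumpHost from R&S Networks to SSN
[IPSET developeraccess] # Host/Networks used for management purposes
dc/c4t-services
dc/tmussnadmin
"""


def parse_fw(text):
    """Return ({alias: cidr}, {ipset: [members]}); '#' comments are stripped."""
    aliases, ipsets, section, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            header = line.strip("[]").split()
            section = header[0].upper()
            if section == "IPSET":
                current = header[1]
                ipsets[current] = []
        elif section == "ALIASES":
            name, value = line.split(None, 1)
            aliases[name] = value
        elif section == "IPSET":
            ipsets[current].append(line)
    return aliases, ipsets


def expand_ipset(name, aliases, ipsets):
    """Resolve an IPSet to (networks, unresolved members). A member resolves if it
    is an IP/CIDR or exactly an alias name; anything else (e.g. 'dc/...') is
    reported as written (assumption: no prefix handling inside [IPSET])."""
    networks, unresolved = [], []
    for member in ipsets[name]:
        try:
            networks.append(ipaddress.ip_network(aliases.get(member, member), strict=False))
        except ValueError:
            unresolved.append(member)
    return networks, unresolved


def source_allowed(client_ip, name, aliases, ipsets):
    """Would '-source +dc/<name>' match this client? An empty set matches nobody."""
    networks, _ = expand_ipset(name, aliases, ipsets)
    return any(ipaddress.ip_address(client_ip) in net for net in networks)
```

Run `expand_ipset("developeraccess", *parse_fw(CLUSTER_FW))` before applying a change: a non-empty unresolved list means the SSH rule will accept nothing.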