Is It Best Practice To Use Proxmox Firewall or Firewall In VM?

Jay Quin

New Member
Jul 26, 2018
6
2
3
@guletz. I never said a firewall would protect you if you use a bad service configuration. And @mayhurst a firewall is basically one more step in protection. No matter what you do there is always a chance of being hacked if you have open ports. With some of the large botnets on the internet it is impossible to completely protect any server. Even if you have Fail2Ban, snort or some other type of IDS you can still get hacked. The botnet can simply try every username and password combination and when one PC in the botnet gets blocked the botnet would just switch PCs. Most likely the botnet would only try a few combinations from each PC in the botnet to prevent any one getting blocked by something like Fail2Ban.

A firewall gives you increased security. Especially a well defined firewall like pfSense. Yes almost every security feature you can set in pfSense you can also do on your server, but it's easier with pfSense and you are looking for easy. Here are a few benefits:
  1. pfBlockerNG - you can easily download lists of known malicious IP addresses (including botnets) and block them on the firewall to prevent them from every reaching your server. pfBlockerNG can be set to automatically download and apply the lists at specific intervals (i.e. every hour or day).
  2. pfBlockerNG - If you don't travel outside your own country you can set a rule using GeoIP to only allow IP addresses from your country. Or if that is too restrictive you can just block the countries where most attacks come from.
  3. snort/suricata - you can set snort so it automatically blocks attacks from IP addresses that match signatures in it's rules lists. Unlike Fail2Ban which only blocks more than a few invalid login attempts. You can even set snort/suricata or pfBlockerNG to automatically block ranges of IP addresses if too many attacks occur from IP addresses in that range (i.e. the Reputation features, haven't tried this myself yet).
  4. pfSense - you can easily block IP addresses that are spoofed from private IPs or bogons (IP addresses that have not been assigned to anyone).
There are more benefits that I haven't listed. And again you can do this with any Linux or BSD distro, but pfSense makes it much easier to not only setup but to maintain it.

Maybe I'm not explaining this well. I was attempting to explain before when I said a firewall in front of your server is better than your server directly on the internet. A server is meant to designed to allow people to connect to it. A firewall like pfSense is designed to prevent people from connecting. Yes you open the ports from through your firewall to your server so the server can still be attacked through those ports, but with a firewall you can more easily limit the attack surface.

Plus because pfSense is designed to be a firewall and ONLY a firewall, every update is scrutinized to be as secure as possible. Now I'm not says that updates to your Linux Distro are not secure. That would be stupid. What I'm saying is the more software you have on the server that is directly connected to the internet the more likely an update will have a vulnerability that someone can exploit. This is basic security practices. It's why you limit what you install on your server. With a firewall in front of your server than at least you know that your server can ONLY be attacked through those ports AND only through IP addresses that the firewall allows.

It's your decision whether you put a firewall in front of your server. You are the one that has to setup and maintain both the server and the firewall if you decide to set one up. I'm just trying to tell you what I would do in your place and how I would set it up. Truthfully, unless the server was for a large number of people I would put it behind a VPN server. I have my pfSense OpenVPN server setup so my remote clients can not only use the servers in my house, but can also use the internet taking advantage of things like pfBlockerNG and snort. I just leave my OpenVPN client running when I'm away from home. I figure when I'm remote I'm usually on a wifi network I don't trust so I prefer to use a VPN to protect my traffic anyway.

I know I'm overzealous when it comes to security. But before I was disabled I was a consultant that dealt with all kinds of client issues from all out attacks to simple user error. I've seen too many horror stories to not go all out on security and backups.

@gulets I know security is not a tool. It's about defense in-depth. Having multiple layers of defense. It's not a matter of if you will be attacked it's a matter of when!
 
  • Like
Reactions: jusle and guletz

guletz

Famous Member
Apr 19, 2017
1,584
260
103
Brasov, Romania
Hi

No software like a webserver running on it so it's a lot harder to break into. Yes if the webserver was behind a firewall it could still be hacked but I believe it would be a lot safer.

The rest it is ok. Your last post is more clear in this matter, and I agree with them.

Any firewall do not make a network service(open in Internet) more safer as it is. A firewall only lower the attack surface,
and nothing more.
 

Rhinox

Active Member
Sep 28, 2016
272
38
28
32
Any firewall do not make a network service(open in Internet) more safer as it is. A firewall only lower the attack surface, and nothing more.
Have you ever heard of "application firewall"?
If you have, then you know how badly you are wrong...
 

guletz

Famous Member
Apr 19, 2017
1,584
260
103
Brasov, Romania
Have you ever heard of "application firewall"?
If you have, then you know how badly you are wrong...

My posts was not about L7 / app firewall. And yes, I know that a such kind of app firewall can be used to avoid some kinds of attacks.

The initiator of this post has start to ask about a non-L7 firewall like iptables. What I said was regarding this more/less ;)
 
Last edited:

Rhinox

Active Member
Sep 28, 2016
272
38
28
32
Your answer was about (sic) "Any firewall". BTW, even if we consider only packet filters, you are still wrong because IPtables can do DPI too (although not so effective as app-firewall due to packet fragmentation). Based on the content of the packet it can decide if it lets packet pass, or not...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!