Is It Best Practice To Use Proxmox Firewall or Firewall In VM?

@guletz. I never said a firewall would protect you if you use a bad service configuration. And @mayhurst, a firewall is basically one more step in protection. No matter what you do there is always a chance of being hacked if you have open ports. With some of the large botnets on the internet it is impossible to completely protect any server. Even if you have Fail2Ban, snort or some other type of IDS you can still get hacked. The botnet can simply try every username and password combination, and when one PC in the botnet gets blocked the botnet would just switch PCs. Most likely the botnet would only try a few combinations from each PC in the botnet to prevent any one from getting blocked by something like Fail2Ban.

A firewall gives you increased security. Especially a well-defined firewall like pfSense. Yes, almost every security feature you can set in pfSense you can also do on your server, but it's easier with pfSense and you are looking for easy. Here are a few benefits:
  1. pfBlockerNG - you can easily download lists of known malicious IP addresses (including botnets) and block them on the firewall to prevent them from ever reaching your server. pfBlockerNG can be set to automatically download and apply the lists at specific intervals (i.e. every hour or day).
  2. pfBlockerNG - If you don't travel outside your own country you can set a rule using GeoIP to only allow IP addresses from your country. Or if that is too restrictive you can just block the countries where most attacks come from.
  3. snort/suricata - you can set snort so it automatically blocks attacks from IP addresses that match signatures in its rule lists. Unlike Fail2Ban, which only blocks after more than a few invalid login attempts. You can even set snort/suricata or pfBlockerNG to automatically block ranges of IP addresses if too many attacks occur from IP addresses in that range (i.e. the Reputation features, haven't tried this myself yet).
  4. pfSense - you can easily block IP addresses that are spoofed from private IPs or bogons (IP addresses that have not been assigned to anyone).
There are more benefits that I haven't listed. And again, you can do this with any Linux or BSD distro, but pfSense makes it much easier not only to set up but also to maintain.

Maybe I'm not explaining this well. I was attempting to explain before when I said a firewall in front of your server is better than your server directly on the internet. A server is designed to allow people to connect to it. A firewall like pfSense is designed to prevent people from connecting. Yes, you open the ports through your firewall to your server so the server can still be attacked through those ports, but with a firewall you can more easily limit the attack surface.

Plus, because pfSense is designed to be a firewall and ONLY a firewall, every update is scrutinized to be as secure as possible. Now I'm not saying that updates to your Linux distro are not secure. That would be stupid. What I'm saying is the more software you have on the server that is directly connected to the internet, the more likely an update will have a vulnerability that someone can exploit. This is basic security practice. It's why you limit what you install on your server. With a firewall in front of your server, then at least you know that your server can ONLY be attacked through those ports AND only through IP addresses that the firewall allows.

It's your decision whether you put a firewall in front of your server. You are the one that has to set up and maintain both the server and the firewall if you decide to set one up. I'm just trying to tell you what I would do in your place and how I would set it up. Truthfully, unless the server was for a large number of people I would put it behind a VPN server. I have my pfSense OpenVPN server set up so my remote clients can not only use the servers in my house, but can also use the internet taking advantage of things like pfBlockerNG and snort. I just leave my OpenVPN client running when I'm away from home. I figure when I'm remote I'm usually on a wifi network I don't trust, so I prefer to use a VPN to protect my traffic anyway.

I know I'm overzealous when it comes to security. But before I was disabled I was a consultant that dealt with all kinds of client issues from all out attacks to simple user error. I've seen too many horror stories to not go all out on security and backups.

@guletz I know security is not a tool. It's about defense in depth. Having multiple layers of defense. It's not a matter of if you will be attacked, it's a matter of when!
Hi

With no software like a web server running on it, it's a lot harder to break into. Yes, if the web server was behind a firewall it could still be hacked, but I believe it would be a lot safer.

The rest is OK. Your last post is clearer on this matter, and I agree with it.

No firewall makes a network service (open to the Internet) safer than it already is. A firewall only lowers the attack surface, and nothing more.
 
> No firewall makes a network service (open to the Internet) safer than it already is. A firewall only lowers the attack surface, and nothing more.

Have you ever heard of "application firewall"?
If you have, then you know how badly you are wrong...
 
> Have you ever heard of "application firewall"?
> If you have, then you know how badly you are wrong...

My posts were not about L7 / app firewall. And yes, I know that such a kind of app firewall can be used to avoid some kinds of attacks.

The initiator of this post started by asking about a non-L7 firewall like iptables. What I said was regarding this, more/less ;)
Your answer was about (sic) "Any firewall". BTW, even if we consider only packet filters, you are still wrong, because iptables can do DPI too (although not as effective as an app firewall due to packet fragmentation). Based on the content of the packet it can decide if it lets the packet pass, or not...
 
And how about performance? Proxmox Firewall vs. OPNSense/pfSense VM for example.
 
> And how about performance? Proxmox Firewall vs. OPNSense/pfSense VM for example.

Performance as in packets/second? PVE is faster, the packets do not have to leave the hypervisor kernel and be copied around. You also cannot filter each VM with *sense, unless you build ridiculous network setups.
 
> Performance as in packets/second? PVE is faster, the packets do not have to leave the hypervisor kernel and be copied around. You also cannot filter each VM with *sense, unless you build ridiculous network setups.

I run pfSense as a VM on PVE as my main firewall, been doing this for years and it works great. I create VLANs for my VMs if needed and set up the firewall rules in pfSense.
 
> I run pfSense as a VM on PVE as my main firewall, been doing this for years and it works great. I create VLANs for my VMs if needed and set up the firewall rules in pfSense.

... and that is totally fine. PVE really shines on a per-VM basis. I have hundreds of VMs, each one with its own firewall in PVE ... in addition to my main firewall for my network and all gateways to other network segments.
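As an added illustration (not code from any poster in this thread) of the per-VM filtering discussed above, this is a constructed Proxmox VE VM firewall config that allows the admin port only from a trusted IP set and leaves one public port open; the VM id 100, the address ranges and the ports are assumed values.

```ini
# /etc/pve/firewall/100.fw  (assumed VM id; constructed example)
[OPTIONS]
# turn the firewall on for this VM and drop anything not explicitly allowed
enable: 1
policy_in: DROP
policy_out: ACCEPT
# log packets that hit the default DROP policy, so probing shows up in the VM's firewall log
log_level_in: info

[IPSET trusted]
# documentation ranges standing in for the addresses allowed to administer the VM
203.0.113.0/24
2001:db8::/32

[RULES]
# SSH only from the trusted set; any other source on port 22 falls through to DROP
IN ACCEPT -source +trusted -p tcp -dport 22 -log nolog
# the public service stays reachable from anywhere
IN ACCEPT -p tcp -dport 443 -log nolog
```

These rules only take effect once the firewall is also enabled at datacenter level in /etc/pve/firewall/cluster.fw and the VM's network device has firewall=1 set.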
 
What would the topology look like if you use an OPNSense/pfSense VM as main firewall for all VMs? What if a VM has a public IP and you want their traffic to be filtered by the *sense firewall?
 
> What would the topology look like if you use an OPNSense/pfSense VM as main firewall for all VMs? What if a VM has a public IP and you want their traffic to be filtered by the *sense firewall?

You need to create a bridge for each VM you want to firewall through the *sense firewall. This is a lot of networking for a simple VM firewall. You need one per VM because you don't want two VMs on one bridge talking to each other without the traffic being filtered by the *sense.
 
