misunderstanding Firewall

[Sylvain2000]

Hello, I'm discovering Proxmox and I think I might be misunderstanding the Proxmox firewall, at least the zones.

In my understanding, rules applied to the datacenter zone are replicated onto the nodes and the VMs within those nodes. For example, if we allow ping, then ping will be allowed on all nodes and all VMs (where the firewall is enabled).

The nodes zone replicates onto the Proxmox Virtual Environment (PVE) and the VMs within that PVE (where the firewall is enabled).

The VM zone only operates on the VMs.

is that correct or i wrong ?

Thank you for your help. I'm struggling.

 

[_gabriel]

rules applied to the datacenter zone are replicated onto the nodes and the VMs within those nodes

VM and LXC have their own rules not inherited from datacenter or node/host rules.
https://forum.proxmox.com/threads/differences-between-firewall-level.24115/post-121170

 

[Sylvain2000]

ok so datacenter rules are replicated on all nodes but not vm's and rules on nodes are applied only for this nodes and not its vm's.

 

[Dunuin]

ok so datacenter rules are replicated on all nodes but not vm's and rules on nodes are applied only for this nodes and not its vm's.

Correct.

 

[Sylvain2000]

Thanks, and last question, yesterday I tested the firewall a bit. I set a rule on the data center to allow port 8006 and activated the firewall on the nodes and my VM. After that, I couldn't access the console of my VM anymore. Do I need to allow something to regain access? I thought the console was allowed by default in the anti-lockout rules.

 

[Dunuin]

I thought the console was allowed by default in the anti-lockout rules.

Yes, but would help if you could show your actual firewall rules. Anti.lockout rules will be overwritten by rules your create. So if you for example create a rule to allow port 8006 and then a rule to block everything this will also prevent those anti-lockout rules from working.
See here for default ports: https://pve.proxmox.com/wiki/Firewall#pve_firewall_default_rules

 

[Sylvain2000]

I won't have access to my servers until Tuesday, but here are some screenshots I took. First screen is on the datacenter allow 5900:5999 and mangement . Second is on pve i was trying to allow spice.The third screenshot shows the error I encountered on my VM. It won't open Spice, and it tells me that it can't connect to the console. (It works when the data center firewall is turned off.)


and management

 

[Sylvain2000]

The order of my screenshots has changed, so it's the error first, then the data center(The smallest screenshot) , and finally the PVE.

 

[_gabriel]

be careful in flooding the forum.
users answers on their freetime.
if you need fast answers, buy support subscription.

 

[Sylvain2000]

be careful in flooding the forum.
users answers on their freetime.
if you need fast answers, buy support subscription.

m not asking for a quick response, I'm just explaining my issue.

 

[_gabriel]

I mean your others threads as etu nickname ...

 

[Sylvain2000]

i tried to delete but didnt find how