Multiple firewalls

fox95

Apr 14, 2022
I have prmx running behind a pfSense machine.

On prmx I am running an Ubuntu server for a web site and a few other VMs.

My question:

Why are there so many firewalls?

There's one for the data center, then one for the node, then you can enable a firewall for each VM.

What's the best practice here? Enable them all?

Leave them off and leave the pfSense box to take care of it?

It's a bit convoluted making all these firewall rules for each one, and then you can even enable a firewall within the VM OS itself, i.e. ufw on Ubuntu or Windows Firewall inside its OS.

Thanks for your suggestions on setting them all up correctly.
 
I have a pfSense box too. For the actual "high security" machines, I do all 3 firewalls (sometimes). Meaning VM native firewall, PVE firewall and pfSense firewall.
Debugging can be a bit finicky with these, but it's OK as of now.
 
I think it depends on your use cases. I really don't rely on the Proxmox firewalls at all since I have segmented my network and handle all the inter-VLAN routing in Proxmox. I also don't have to protect against unauthorized access from behind pfSense, since I am the only user. You could in theory use the firewall to simply lock down admin access to Proxmox itself or a VM from people inside the pfSense firewall.
 
I believe it's for flexibility. I'd imagine there are some corporate/enterprise use-cases where they are good to have. If each VM is capable and configured to handle its own firewalling, you don't need to use either the datacenter or node firewall. If you don't need them, I'd recommend not using them just for complexity's sake.
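The layering described in the two replies above (a datacenter-level rule that restricts admin access to Proxmox, with per-VM rules only where a guest needs them) can be written down as PVE firewall config files. This is an added example, not config posted in this thread; the management subnet 192.168.10.0/24, the node name pve1 and VM ID 100 are assumed placeholders.

```ini
# Added example: three-layer Proxmox VE firewall layout.
# Assumed values: management subnet 192.168.10.0/24, node "pve1", VM 100.

# --- /etc/pve/firewall/cluster.fw (datacenter layer) ---
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

# Hosts that are allowed to reach the PVE web UI (8006) and SSH (22).
[IPSET management]
192.168.10.0/24

[RULES]
IN ACCEPT -source +management -p tcp -dport 8006 -log nolog
IN ACCEPT -source +management -p tcp -dport 22 -log nolog

# --- /etc/pve/nodes/pve1/host.fw (node layer) ---
# No node-specific rules; the node just inherits the datacenter rules above.
[OPTIONS]
enable: 1

# --- /etc/pve/firewall/100.fw (VM layer: the Ubuntu web server) ---
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
# Public web traffic is allowed from anywhere; SSH only from management.
IN ACCEPT -p tcp -dport 80 -log nolog
IN ACCEPT -p tcp -dport 443 -log nolog
IN ACCEPT -source 192.168.10.0/24 -p tcp -dport 22 -log nolog
```

The VM-level file only takes effect for network devices that have `firewall=1` set on the VM's NIC; guests that manage their own firewall can be left without a `<vmid>.fw` file.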
 
Cool, I kinda figured as much. Yes, getting things to work is a bit tricky. I was trying to have them all enabled, but I'm having some issues with port forwarding and being able to get to the web site through pfSense.

A feature recommendation for prmx that I think would be helpful is: when making a change to the firewall rules or firewall settings, it automatically gets updated. I find when I'm experimenting that I have to constantly go back to the shell and restart the firewall if something's changed. Maybe there's another way around this?

PS, a bit of a tangent here, but I have a Windows 10 VM running and for the life of me I cannot RDP to it from another machine within the local LAN network (even with all the firewalls disabled), but if I'm working inside the said Win 10 VM I can RDP out from it to any machine on the local LAN.

Thanks for everyone's input. It's appreciated.
 