Is my Proxmox firewall configuration OK?

openaspace

I would like to ask whether this Proxmox firewall configuration is correct.
Any help?

enp4s0 = Proxmox host public IP
vmbr0 = pfSense public IP (Hetzner virtual MAC address; Proxmox firewall disabled)
vmbr1 = private LAN (by pfSense; Proxmox firewall disabled)

Rules:
  • Accept any IN TCP/UDP connection to the pfSense firewall
  • Accept IN to the Proxmox port and SSH on the host from my office static IP
  • Allow OUT from the vmbr0 interface (pfSense public IP)

(Attached screenshots: v3 - Proxmox Virtual Environment (3).png, v3 - Proxmox Virtual Environment (6).png)
 
Datacenter/host rules only apply to the management IP of your host.

VM rules only apply to VMs.

So if you don't need the Proxmox firewall on pfSense, simply don't enable it, and you don't need to make any rules.
And if you need to filter your Proxmox management IP, simply create rules at datacenter or host level.
 
Thank you very much, spirit.

I see that the Proxmox host is completely closed in a Zenmap scan (from an IP other than my static IP).
The firewall logs show traffic directed to the host IP on bridge vmbr0,
and I'm a little unsure about my network configuration.

enp4s0 = network card that the system reports with the public IP; in the Proxmox network configuration it doesn't have any IP set up.
vmbr0 = bridge to enp4s0 that I created with the same public IP as enp4s0. The WAN interface of the pfSense VM is on vmbr0, with manual setup of a second public IP (Hetzner virtual IP and MAC address; Proxmox firewall disabled).
vmbr1 = private LAN 192.168.30.0 (by pfSense; Proxmox firewall disabled)

Is the logic of my Proxmox network setup correct?

Thank you.

Code:
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:09 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=6834 PROTO=TCP SPT=46768 DPT=881 SEQ=1507051902 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:19 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=61231 PROTO=TCP SPT=46525 DPT=56106 SEQ=270460088 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:45 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=57058 DPT=81 SEQ=4290885016 ACK=0 WINDOW=65535 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:49 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS0 SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=44 TOS=0x00 PREC=0x00 TTL=232 ID=0 DF PROTO=TCP SPT=9999 DPT=110 SEQ=746295584 ACK=0 WINDOW=65535 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:51 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=61148 PROTO=TCP SPT=41466 DPT=2302 SEQ=704984735 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:51 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=38912 PROTO=TCP SPT=47283 DPT=38951 SEQ=1787744410 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:52 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=28585 PROTO=TCP SPT=46768 DPT=6 SEQ=13811474 ACK=0 WINDOW=1024 SYN

Why do I see IN=vmbr0? Shouldn't it be DROP? (Are these simple port scans?)

I wouldn't know how to offer you a glass of wine here as a symbolic thank you :)
 
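The log lines above follow the pve-firewall log layout: VM id (0 for the host), a log level number, the chain that logged the packet, a timestamp, and then netfilter-style key=value fields, where IN names the bridge the packet arrived on and PHYSIN the physical port behind it. Neither field says anything about the verdict; they only say where the packet came in. The script below is an added example (not from the poster or from Proxmox) that parses those lines and then applies a simple defender-side heuristic: a source that sends bare SYNs (SYN set, ACK=0) to several distinct ports within a short window is behaving like a port scanner. The sample input is the seven lines from the post, with the same REMOTEIP / PROXMOX-HOST-IP placeholders; the function names, the 5-port/120-second threshold and the "prefix" field (kept so any text between the timestamp and the first key=value survives) are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the seven PVEFW-HOST-IN lines from the post, keeping the
# poster's placeholders for the remote IP, remote MAC and host IP.
SAMPLE_LOG = """\
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:09 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=6834 PROTO=TCP SPT=46768 DPT=881 SEQ=1507051902 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:19 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=61231 PROTO=TCP SPT=46525 DPT=56106 SEQ=270460088 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:45 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=57058 DPT=81 SEQ=4290885016 ACK=0 WINDOW=65535 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:49 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS0 SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=44 TOS=0x00 PREC=0x00 TTL=232 ID=0 DF PROTO=TCP SPT=9999 DPT=110 SEQ=746295584 ACK=0 WINDOW=65535 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:51 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=61148 PROTO=TCP SPT=41466 DPT=2302 SEQ=704984735 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:51 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=38912 PROTO=TCP SPT=47283 DPT=38951 SEQ=1787744410 ACK=0 WINDOW=1024 SYN
0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:52 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=28585 PROTO=TCP SPT=46768 DPT=6 SEQ=13811474 ACK=0 WINDOW=1024 SYN
"""

# <vmid> <level> <chain> <dd/Mon/yyyy:HH:MM:SS +zzzz> <rest of line>
LINE_RE = re.compile(
    r"^(?P<vmid>\d+)\s+(?P<level>\d+)\s+(?P<chain>\S+)\s+"
    r"(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one pve-firewall log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    first_kv = KV_RE.search(rest)
    kv_start = first_kv.start() if first_kv else len(rest)
    tail = rest[kv_start:]
    return {
        "vmid": int(m.group("vmid")),
        "level": int(m.group("level")),          # log level number; not interpreted here
        "chain": m.group("chain"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "prefix": rest[:kv_start].strip(),        # any text before the first key=value (assumption)
        "fields": dict(KV_RE.findall(tail)),       # IN, PHYSIN, SRC, DST, PROTO, SPT, DPT, ...
        "flags": {tok for tok in tail.split() if "=" not in tok},  # bare tokens: SYN, DF, ...
    }


def parse_log(text):
    """Parse every line of a log excerpt, skipping lines that do not match the layout."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def syn_scan_sources(entries, min_ports=5, window_seconds=120):
    """Heuristic: sources that sent bare SYNs (SYN flag, ACK=0) to at least
    min_ports distinct TCP ports within any window_seconds span.
    Returns {src: sorted list of all distinct ports that source probed}."""
    by_src = defaultdict(list)
    for e in entries:
        f = e["fields"]
        if f.get("PROTO") != "TCP" or "SYN" not in e["flags"] or f.get("ACK") != "0":
            continue
        by_src[f["SRC"]].append((e["time"], int(f["DPT"])))

    hits = {}
    for src, probes in by_src.items():
        probes.sort()                               # time-ordered
        for i, (t0, _) in enumerate(probes):        # slide a window starting at each probe
            ports = set()
            for t, port in probes[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                ports.add(port)
            if len(ports) >= min_ports:
                hits[src] = sorted({p for _, p in probes})
                break
    return hits


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        f = e["fields"]
        print(e["chain"], e["time"].time(), "arrived on", f["IN"], "via", f["PHYSIN"],
              f["SRC"], "->", f["DST"], "port", f["DPT"], sorted(e["flags"]))
    for src, ports in syn_scan_sources(entries).items():
        print(f"{src}: SYN probes to {len(ports)} distinct ports {ports}")
```

On the seven sample lines every packet is a bare SYN from the same source to a different port within about two minutes, so the heuristic reports one source with seven probed ports (6, 81, 110, 881, 2302, 38951, 56106). Whether the host accepted or dropped them is not visible in these fields; that comes from the rule or policy that produced the log entry, which is why spirit's point about where rules apply (datacenter/host versus VM) is the thing to check.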
from ifconfig:

auto lo
iface lo inet loopback

auto enp4s0
iface enp4s0 inet manual

auto vmbr0
iface vmbr0 inet static
address PUBLIC_IP (identical to the enp4s0)
netmask 24
gateway PUBLIC_GATEWAY
bridge-ports enp4s0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet static
address 192.168.30.1 (pfsense private lan)
netmask 24
bridge-ports none
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094