My proxmox Firewall configuration it's OK?

[openaspace]

I would ask if this Proxmox firewall configuration is correct.
Any help?

enp4s0 = proxmox host public ip
vmbr0 = Pfsense Public Ip (hetzner virtual mac address - promox firewall disabled)
vmbr1 = private lan (by pfsense - proxmox firewall disabled)

Rules:

• Accept any IN TCP/UDP connection to PFSENSE firewall
• Accept IN proxomox port and ssh host from my Office stati IP
• Allow OUT from vmbr0 interfaces (pfsense public ip)

 

[spirit]

datacenter/host rules only apply to your management ip of your host.

vm rules only apply to vm.

So if you don't need proxmox firewall on pfense, simply don't enable it, and you don't need to make any rules.
and if you need to filter your proxmox management ip, simply create rules at datacenter or host level.

 

[openaspace]

Really thank you spirit.

I see that the proxmox host from a zenmap scan (from not my static ip( is completely closed.
Logs in the firewall logs show traffic direct to the host ip bridge vmbr0
and I'm little insecure about my network configuration.

enp4s0 = network card that in the system report the public ip that in proxmox networkconfiguration don't have any ip setup.
vmbr0 = bridge to enp4s0 that i have created with the same ip public of enp4s0 - In the WAN interfaces in Pfsense VM is the vmbr0 with manual setup of second Public Ip (hetzner virtual ip and mac address - promox firewall disabled)
vmbr1 = private lan 192.168.30.0 (by pfsense - proxmox firewall disabled)

It's correct the logic of the setup of my proxmox network?

Thank you.

0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:09 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=6834 PROTO=TCP SPT=46768 DPT=881 SEQ=1507051902 ACK=0 WINDOW=1024 SYN

0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:19 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=250 ID=61231 PROTO=TCP SPT=46525 DPT=56106 SEQ=270460088 ACK=0 WINDOW=1024 SYN

0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:45 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=54321 PROTO=TCP SPT=57058 DPT=81 SEQ=4290885016 ACK=0 WINDOW=65535 SYN

0 1 PVEFW-HOST-IN 27/Sep/2019:13:36:49 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS0 SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=44 TOS=0x00 PREC=0x00 TTL=232 ID=0 DF PROTO=TCP SPT=9999 DPT=110 SEQ=746295584 ACK=0 WINDOW=65535 SYN

0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:51 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=61148 PROTO=TCP SPT=41466 DPT=2302 SEQ=704984735 ACK=0 WINDOW=1024 SYN

0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:51 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=38912 PROTO=TCP SPT=47283 DPT=38951 SEQ=1787744410 ACK=0 WINDOW=1024 SYN

0 1 PVEFW-HOST-IN 27/Sep/2019:13:37:52 +0200 IN=vmbr0 PHYSIN=enp4s0 MAC=REMOTE-MAC-ADDRESS SRC=REMOTEIP DST=PROXMOX-HOST-IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=28585 PROTO=TCP SPT=46768 DPT=6 SEQ=13811474 ACK=0 WINDOW=1024 SYN

Why I see the "IN"=vmbr0? shouldn't be DROP? (are simples port scan?)

I wouldn't know here how to offer you a glass of wine as a symbolic thank you

 

[openaspace]

from ifconfig:

auto lo
iface lo inet loopback

auto enp4s0
iface enp4s0 inet manual

auto vmbr0
iface vmbr0 inet static
address PUBLIC_IP (identical to the enp4s0)
netmask 24
gateway PUBLIC_GATEWAY
bridge-ports enp4s0
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

auto vmbr1
iface vmbr1 inet static
address 192.168.30.1 (pfsense private lan)
netmask 24
bridge-ports none
bridge-stp off
bridge-fd 0
bridge-vlan-aware yes
bridge-vids 2-4094

 

[spirit]

Why I see the "IN"=vmbr0? shouldn't be DROP? (are simples port scan?)

on your rules screenshot, rules 3/4 , you accept any tcp/udp for inbound traffic on vmbr0 (so, to the admin ip address confgured on vmbr0).