Pings/Web iface requests continue to pass through despite DC FW "ON"

N0AGI

Apr 6, 2021
Hi Proxmox community team,
I had originally posted this to this post, but later realized it was marked as "solved". Therefore I am starting a new post w/ my scenario.

Summary:
  • Server is on 8.2.4, net new setup
  • Server is on LAN and has public facing web iface via nginx proxy and hostname (may not be relevant to this issue, but sharing in case)
  • DC FW is ON, No DC FW rules
  • Node FW is OFF, No Node FW rules other than the OOB factory defaults.
Despite the DC FW being ON...
  • I am still able to ping the server from a LAN attached PC.
  • I am still able to open the web iface
Question:
  1. When the DC FW is ON, it should block ALL traffic across all nodes w/i that DC even though the individual Nodes' FW is OFF - am I correct?

Please see screenshots - thanks in advance for any insights.
 

Attachments

  • pve-fw-1.png
  • pve-fw-2.png
  • pve-fw-3.png
  • pve-fw-4.png

It's the other way around: DC level FW must be ON so the firewall is applied to every host and VM network interface that has firewall ON. If you want the firewall to apply to a PVE host, you need FW ON at both DC and host level.
 
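The layering described in the answer, as an added example that is not part of the original thread: a shell check that reads the `enable` flag from the `[OPTIONS]` section of the DC-level and node-level firewall files and reports whether host rules are actually applied. The sample files are constructed, and the defaults used when the key is absent (DC off, host on) are assumptions to verify against your PVE version.

```shell
#!/bin/sh
# Added example: is the PVE host firewall effectively applied?
# Reads the "enable" flag from [OPTIONS] in the DC-level and node-level files.

# Print the value of "enable:" inside [OPTIONS] of file $1,
# or the default $2 when the file or the key is missing.
fw_enable_flag() {
    [ -r "$1" ] || { echo "$2"; return; }
    awk -v def="$2" '
        /^[ \t]*\[/ { insec = (toupper($0) ~ /^[ \t]*\[OPTIONS\]/); next }
        insec && /^[ \t]*enable[ \t]*:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); val = $0
        }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Host rules apply only when BOTH the DC level and the host level are on.
# Assumed defaults when the key is absent: DC off (0), host on (1).
host_fw_effective() {
    dc=$(fw_enable_flag "$1" 0)
    host=$(fw_enable_flag "$2" 1)
    if [ "$dc" = "1" ] && [ "$host" = "1" ]; then
        echo "active"
    else
        echo "inactive (dc=$dc host=$host)"
    fi
}

# Constructed sample files mirroring the thread: DC FW ON, node FW OFF.
demo_dir=$(mktemp -d)
printf '[OPTIONS]\nenable: 1\n' > "$demo_dir/cluster.fw"
printf '[OPTIONS]\nenable: 0\n\n[RULES]\n' > "$demo_dir/host_off.fw"
printf '[OPTIONS]\nenable: 1\n' > "$demo_dir/host_on.fw"

echo "thread scenario: $(host_fw_effective "$demo_dir/cluster.fw" "$demo_dir/host_off.fw")"
echo "node FW enabled: $(host_fw_effective "$demo_dir/cluster.fw" "$demo_dir/host_on.fw")"
```

On a real node the two arguments would be `/etc/pve/firewall/cluster.fw` and `/etc/pve/nodes/<node>/host.fw`; `pve-firewall status` reports the running state.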
