Pings/Web iface requests continue to pass through despite DC FW "ON"

N0AGI

Member
Apr 6, 2021
DFW, Texas, USA.
n0agi.com
Hi Proxmox community team,
I had originally posted this in this thread, but later realized it was marked as "solved". Therefore I am starting a new post with my scenario.

Summary:
  • Server is on 8.2.4, net new setup
  • Server is on the LAN and has a public-facing web interface via an nginx proxy and hostname (may not be relevant to this issue, but sharing in case)
  • DC FW is ON, no DC FW rules
  • Node FW is OFF, no Node FW rules other than the OOB factory defaults.
Despite the DC FW being ON...
  • I am still able to ping the server from a LAN-attached PC.
  • I am still able to open the web interface.
Question:
  1. When the DC FW is ON, it should block ALL traffic across all nodes within that DC even if the individual nodes' FW is OFF. Am I correct?

Please see the screenshots. Thanks in advance for any insights.

Attachments

  • pve-fw-1.png (44.2 KB)
  • pve-fw-2.png (52.6 KB)
  • pve-fw-3.png (60.6 KB)
  • pve-fw-4.png (61.8 KB)
It's the other way around: the DC-level FW must be ON so that the firewall is applied to every host and VM network interface that has the firewall ON. If you want the firewall to apply to a PVE host, you need the FW ON at both the DC and the host level.
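The two-level rule in the reply above can be checked directly from the files the GUI writes. The following POSIX shell script is an added example for this thread, not something posted by either participant: it reads the `enable:` key from the `[OPTIONS]` section of `/etc/pve/firewall/cluster.fw` (datacenter level) and `/etc/pve/nodes/<node>/host.fw` (node level) and reports whether the host firewall is actually filtering. It assumes the defaults that pve-firewall applies when a key is absent (datacenter disabled, host enabled unless `enable: 0` is set explicitly); the file names `cluster.fw`/`host.fw` and the `[OPTIONS]`/`enable:` syntax are the documented Proxmox VE firewall format, while the helper names and the sample files written to a temp directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the forum thread). Decide whether the Proxmox VE
# host firewall is effective from the two config files that control it.
# Assumption: absent "enable:" means 0 at datacenter level and 1 at host level.

# fw_option FILE KEY DEFAULT
# Prints the value of KEY inside the [OPTIONS] section of FILE, or DEFAULT
# when the file is missing/unreadable or the key is not set there.
fw_option() {
  file=$1; key=$2; default=$3
  val=$( [ -r "$file" ] && awk -v k="$key" '
      /^\[/ { in_opt = ($0 == "[OPTIONS]"); next }   # track which section we are in
      in_opt && $1 == k":" { print $2; exit }         # first match inside [OPTIONS] wins
    ' "$file" )
  printf '%s\n' "${val:-$default}"
}

# pve_fw_effective CLUSTER_FW HOST_FW
# Prints a one-line verdict; exit status 0 only when both levels are enabled,
# i.e. when the node's host rules are really being applied.
pve_fw_effective() {
  dc=$(fw_option "$1" enable 0)     # datacenter default: off
  host=$(fw_option "$2" enable 1)   # host default: on unless explicitly 0
  if [ "$dc" != "1" ]; then
    echo "NOT filtering: datacenter firewall disabled (cluster.fw enable=$dc)"
    return 1
  elif [ "$host" != "1" ]; then
    echo "NOT filtering: node firewall disabled (host.fw enable=$host)"
    return 1
  fi
  echo "filtering: datacenter enable=$dc, node enable=$host"
  return 0
}

# Demo with constructed files reproducing the poster's situation:
# DC firewall ON, node firewall OFF -> pings and the web UI still get through.
demo_dir=$(mktemp -d)
printf '[OPTIONS]\nenable: 1\n\n[RULES]\n' > "$demo_dir/cluster.fw"
printf '[OPTIONS]\nenable: 0\n' > "$demo_dir/host.fw"
pve_fw_effective "$demo_dir/cluster.fw" "$demo_dir/host.fw" || true

# Same files after turning the node firewall on (what the reply recommends).
printf '[OPTIONS]\nenable: 1\n' > "$demo_dir/host.fw"
pve_fw_effective "$demo_dir/cluster.fw" "$demo_dir/host.fw" || true

# On a real node, point it at the live files instead, for example:
#   pve_fw_effective /etc/pve/firewall/cluster.fw /etc/pve/nodes/$(hostname)/host.fw
rm -rf "$demo_dir"
```

Cross-check the verdict with `pve-firewall status` on the node: it reports the firewall as disabled until both levels are enabled. Remember that once both are on, the default host policy drops inbound traffic that is not explicitly allowed, so add rules for SSH (22/tcp) and the web interface (8006/tcp) from your management network before enabling the node firewall, or you will lock yourself out.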