Proxmox 3.4 firewall default rules - local_network

F

flav

New Member
Mar 12, 2015
11
0
1
Hi,

I'm setting up a new Proxmox 3.4 cluster/host with pve-firewall.

The firewall has some default rules allowing all the host's local network. That network is public.

My host IP is 1.2.3.4 on network 1.2.3.0/24

Here are the rules
Chain PVEFW-HOST-IN:
RETURN udp -- 1.2.3.0/24 1.2.3.0/24 udp dpts:5404:5405
RETURN udp -- 1.2.3.0/24 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405

Chain PVEFW-HOST-OUT:
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:8006
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:22
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpts:5900:5999
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:3128
RETURN udp -- 0.0.0.0/0 1.2.3.0/24 udp dpts:5404:5405

I have defined in my cluster:
[ALIASES]
local_network 1.2.3.4 # use the single ip addressand:
[IPSET management]
x.y.z.w # some ip address

How to get rid of this rules?

Regards
 
The rules are required for proper cluster operation, but you can add rules to block that traffic if you do not run a cluster.
 
Hello,

Yes sure... but not all the network belongs to the cluster and local_network alias should be allowed to user control.

What I propose is a patch like this in enable_host_firewall:
Code: 
*** Firewall.pm.orig    2015-03-15 11:26:34.000000000 +0100
--- Firewall.pm 2015-03-15 11:44:33.000000000 +0100
***************
*** 2100,2106 ****
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     my $localnet = local_network();

      # corosync
      if ($localnet) {
--- 2100,2113 ----
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     # Check if localnet is defined or calculates it
!     my $localnet;
!     if ($cluster_conf->{aliases}->{local_network}) {
!         $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
!     } else {
!         $localnet = local_network() || '127.0.0.0/8';
!         $cluster_conf->{aliases}->{local_network} = { cidr => $localnet };
!     }

      # corosync
      if ($localnet) {

Or even more simple
Code: 
my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
Because the alias is already set (if not defined) in compile_iptables_filter which calls enable_host_firewall.

Regards,
Flav
 
flav said:
Yes sure... but not all the network belongs to the cluster and local_network alias should be allowed to user control.
Click to expand...

The alias is under control of the user - we just set reasonable defaults.

The OUT rules really does not harms - or what do you want to avoid by blocking them?

Or maybe the rules to allow cororync udp traffic are dangerous? I guess not, because those ports
are not used when you do not run a cluster.

Please can you explain why you think this is unsafe?

We could add a flag to enable/disable those default rules if required.
 
Just a reminder for the following. The host 1.2.3.4 is in an unsecured 1.2.3.0/24 network.

dietmar said:
The alias is under control of the user - we just set reasonable defaults.
Click to expand...
The user controled alias is not taken into account for all the rules. The code without my correction does not reads the local_network alias in enable_host_firewall (it is set by my $localnet = local_network();).

dietmar said:
The OUT rules really does not harms - or what do you want to avoid by blocking them?
Click to expand...
In a proper firewall the default output policy is DENY (for example in the PCI/DSS security standards). The output rules (as for the moment they are not takeing into account the user defined allias) will allow someone who gained access to the server to easilly send data to a host in the 1.2.3.0/24 network.

dietmar said:
Or maybe the rules to allow cororync udp traffic are dangerous? I guess not, because those ports
are not used when you do not run a cluster.

Please can you explain why you think this is unsafe?
Click to expand...
I will run a cluster. But I do not controll all the hosts in 1.2.3.0/24 network. So anybody in 1.2.3.0/24 will have access to corosync.

dietmar said:
We could add a flag to enable/disable those default rules if required.
Click to expand...

All that I need is that local_network alias is used if defined. Sure such a flag could be usefull but you should to check with other users.

For me I'm happy with this patch:
Code: 
*** Firewall.pm.orig    2015-03-15 11:26:34.000000000 +0100
--- Firewall.pm 2015-03-15 12:11:46.000000000 +0100
***************
*** 2100,2106 ****
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     my $localnet = local_network();

      # corosync
      if ($localnet) {
--- 2100,2107 ----
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     # Gets the localnet already calculated in compile_iptables_filter
!     my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};

      # corosync
      if ($localnet) {
 
Last edited:
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back