Proxmox 3.4 firewall default rules - local_network

flav (New Member), Mar 12, 2015
Hi,

I'm setting up a new Proxmox 3.4 cluster/host with pve-firewall.

The firewall has some default rules allowing all the host's local network. That network is public.

My host IP is 1.2.3.4 on network 1.2.3.0/24

Here are the rules:
Chain PVEFW-HOST-IN:
RETURN udp -- 1.2.3.0/24 1.2.3.0/24 udp dpts:5404:5405
RETURN udp -- 1.2.3.0/24 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405

Chain PVEFW-HOST-OUT:
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:8006
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:22
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpts:5900:5999
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:3128
RETURN udp -- 0.0.0.0/0 1.2.3.0/24 udp dpts:5404:5405

I have defined in my cluster:
[ALIASES]
local_network 1.2.3.4 # use the single ip address

and:
[IPSET management]
x.y.z.w # some ip address

How do I get rid of these rules?

Regards
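As an added check that is not part of this post or of pve-firewall itself: the Python script below parses an `iptables -L <chain> -n` style listing like the one above and reports every permitting rule whose peer side (the source for PVEFW-HOST-IN, the destination for PVEFW-HOST-OUT) reaches addresses outside a given list of cluster-node addresses. BEFORE_FIX is the listing from this post; AFTER_FIX is a constructed sample of what the same chains look like once the local_network alias is honoured as the single address 1.2.3.4; the allow-list `["1.2.3.4"]` is the host address from the post. Everything else (function names, the treatment of RETURN as the accept action in the PVEFW-HOST-* chains) is this example's own assumption.

```python
import ipaddress

# Rule listing from the original post (iptables -L <chain> -n style: target,
# prot, opt, source, destination, then the match text). Real iptables prints
# "Chain NAME (N references)" plus a "target prot opt ..." header line; both
# forms are handled by parse_chains().
BEFORE_FIX = """\
Chain PVEFW-HOST-IN:
RETURN udp -- 1.2.3.0/24 1.2.3.0/24 udp dpts:5404:5405
RETURN udp -- 1.2.3.0/24 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405

Chain PVEFW-HOST-OUT:
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:8006
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:22
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpts:5900:5999
RETURN tcp -- 0.0.0.0/0 1.2.3.0/24 tcp dpt:3128
RETURN udp -- 0.0.0.0/0 1.2.3.0/24 udp dpts:5404:5405
"""

# Constructed sample (not captured from a real host): the same chains as they
# would look once the local_network alias 1.2.3.4 is honoured. iptables prints
# a /32 network as the bare address.
AFTER_FIX = """\
Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination
RETURN udp -- 1.2.3.4 1.2.3.4 udp dpts:5404:5405
RETURN udp -- 1.2.3.4 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST udp dpts:5404:5405

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination
RETURN tcp -- 0.0.0.0/0 1.2.3.4 tcp dpt:8006
RETURN tcp -- 0.0.0.0/0 1.2.3.4 tcp dpt:22
RETURN tcp -- 0.0.0.0/0 1.2.3.4 tcp dpts:5900:5999
RETURN tcp -- 0.0.0.0/0 1.2.3.4 tcp dpt:3128
RETURN udp -- 0.0.0.0/0 1.2.3.4 udp dpts:5404:5405
"""

# Assumption: in the PVEFW-HOST-* chains RETURN is the accept action (the
# chain's tail drops), so both RETURN and ACCEPT count as permitting a peer.
PERMIT_TARGETS = {"RETURN", "ACCEPT"}


def parse_chains(listing):
    """Yield (chain, target, src, dst, match_text) for each rule line."""
    chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain = line.split()[1].rstrip(":")
            continue
        if line.startswith("target "):      # column header line
            continue
        parts = line.split()
        if chain is None or len(parts) < 5:
            continue
        target, _prot, _opt, src, dst = parts[:5]
        yield chain, target, src, dst, " ".join(parts[5:])


def covered_by(net, allowed):
    """True if every address of `net` lies within `allowed`.
    `allowed` is treated as a list of non-overlapping networks."""
    same = [a for a in allowed if a.version == net.version]
    if any(net.subnet_of(a) for a in same):
        return True
    inside = sum(a.num_addresses for a in same if a.subnet_of(net))
    return inside >= net.num_addresses


def overbroad_rules(listing, allowed_peers):
    """Return (chain, peer, match_text) for each permitting rule whose peer
    side (source for -IN chains, destination for -OUT chains) reaches
    addresses outside `allowed_peers`."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_peers]
    findings = []
    for chain, target, src, dst, match in parse_chains(listing):
        if target not in PERMIT_TARGETS:
            continue
        peer = src if chain.endswith("-IN") else dst
        net = ipaddress.ip_network(peer, strict=False)
        if not covered_by(net, allowed):
            findings.append((chain, peer, match))
    return findings


if __name__ == "__main__":
    for label, listing in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        hits = overbroad_rules(listing, ["1.2.3.4"])
        print(f"{label}: {len(hits)} rule(s) reach beyond the cluster nodes")
        for chain, peer, match in hits:
            print(f"  {chain}: {peer} {match}")
```

On a live host, feed it the output of `iptables -L PVEFW-HOST-IN -n` and `iptables -L PVEFW-HOST-OUT -n` and pass the real cluster-node addresses as the allow-list; for the listing in this post it reports all seven rules (two inbound, five outbound) as reaching the whole 1.2.3.0/24, and none once the alias is applied as a /32.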
 
The rules are required for proper cluster operation, but you can add rules to block that traffic if you do not run a cluster.
 
Hello,

Yes, sure... but not all of the network belongs to the cluster, and the local_network alias should be left under user control.

What I propose is a patch like this in enable_host_firewall:
Code:
*** Firewall.pm.orig    2015-03-15 11:26:34.000000000 +0100
--- Firewall.pm 2015-03-15 11:44:33.000000000 +0100
***************
*** 2100,2106 ****
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     my $localnet = local_network();

      # corosync
      if ($localnet) {
--- 2100,2113 ----
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     # Check if localnet is defined or calculates it
!     my $localnet;
!     if ($cluster_conf->{aliases}->{local_network}) {
!         $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
!     } else {
!         $localnet = local_network() || '127.0.0.0/8';
!         $cluster_conf->{aliases}->{local_network} = { cidr => $localnet };
!     }

      # corosync
      if ($localnet) {
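Review bot: the `|| '127.0.0.0/8'` fallback in `$localnet = local_network() || '127.0.0.0/8';` changes behaviour rather than just honouring the alias: the original only emits the corosync rules when local_network() returns something (`if ($localnet)`), whereas this branch always leaves $localnet defined, so on a host with no detectable local network the rules are now generated for loopback, and compiling the ruleset also writes an alias into $cluster_conf as a side effect. Suggest dropping the fallback and the write, reading the alias and falling back to local_network() only, so the existing `if ($localnet)` guard keeps skipping the rules when neither exists. Also confirm that $cluster_conf is actually an argument of enable_host_firewall; the hunk references it but the surrounding context shows no binding.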

Or, even simpler:
Code:
my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};
Because the alias is already set (if not defined) in compile_iptables_filter, which calls enable_host_firewall.

Regards,
Flav
 
Yes, sure... but not all of the network belongs to the cluster, and the local_network alias should be left under user control.

The alias is under control of the user - we just set reasonable defaults.

The OUT rules really do no harm - or what do you want to avoid by blocking them?

Or maybe the rules that allow corosync udp traffic are dangerous? I guess not, because those ports
are not used when you do not run a cluster.

Can you please explain why you think this is unsafe?

We could add a flag to enable/disable those default rules if required.
 
Just a reminder for what follows: the host 1.2.3.4 is in an unsecured 1.2.3.0/24 network.

The alias is under control of the user - we just set reasonable defaults.
The user-controlled alias is not taken into account for all the rules. Without my correction, the code does not read the local_network alias in enable_host_firewall (it is set by my $localnet = local_network();).

The OUT rules really do no harm - or what do you want to avoid by blocking them?
In a proper firewall the default output policy is DENY (for example in the PCI DSS security standard). The output rules (as for the moment they do not take the user-defined alias into account) will allow someone who has gained access to the server to easily send data to a host in the 1.2.3.0/24 network.

Or maybe the rules that allow corosync udp traffic are dangerous? I guess not, because those ports
are not used when you do not run a cluster.

Can you please explain why you think this is unsafe?
I will run a cluster. But I do not control all the hosts in the 1.2.3.0/24 network. So anybody in 1.2.3.0/24 will have access to corosync.

We could add a flag to enable/disable those default rules if required.

All I need is that the local_network alias is used if defined. Sure, such a flag could be useful, but you should check with other users.

For me I'm happy with this patch:
Code:
*** Firewall.pm.orig    2015-03-15 11:26:34.000000000 +0100
--- Firewall.pm 2015-03-15 12:11:46.000000000 +0100
***************
*** 2100,2106 ****
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     my $localnet = local_network();

      # corosync
      if ($localnet) {
--- 2100,2107 ----
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 3128 -j $accept_action");  # SPICE Proxy
      ruleset_addrule($ruleset, $chain, "$mngmntsrc -p tcp --dport 22 -j $accept_action");  # SSH

!     # Gets the localnet already calculated in compile_iptables_filter
!     my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};

      # corosync
      if ($localnet) {
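Review bot: `my $localnet = $cluster_conf->{aliases}->{local_network}->{cidr};` silently depends on compile_iptables_filter having populated the alias before enable_host_firewall runs (the reply states this, the code does not), and when `local_network` is absent the chained dereference autovivifies `$cluster_conf->{aliases}->{local_network}` as an empty hash while leaving $localnet undef. The `if ($localnet)` guard still skips the corosync rules in that case, but any later code that tests the alias's existence will now see a truthy empty entry. Suggest guarding the read, e.g. `my $alias = $cluster_conf->{aliases}->{local_network};` followed by `my $localnet = $alias ? $alias->{cidr} : undef;`, and making the comment state the ordering assumption on compile_iptables_filter instead of "already calculated".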
 