[SOLVED] proxmox firewall - allow dhcp only on specific interface(s)?

chr1s

Sep 9, 2020
I'm trying to get familiar with the Proxmox Firewall. I'm having the following problem:
  • I have a DHCP server running on the Proxmox host, listening on vmbr0 (on the host's IP configured on vmbr0)
  • the Proxmox firewall is enabled on all levels (datacenter, host, vm) with default input: drop / default output: allow
In this state (without any ALLOW rules) DHCP on vmbr0 doesn't get through (that's good and expected). Now I'd like to allow DHCP only from hosts on vmbr0 on this interface.

The only way I could get DHCP on vmbr0 working is by adding a very broad firewall rule "source: ANY, destination: ANY, macro: forwarded DHCP = ALLOW". I'm concerned that this is too broad: if by accident a DHCP server starts to listen on any interface (including bridge devices), that DHCP traffic now gets through.

Is there an elegant way to only allow the DHCP traffic on vmbr0?

(Thanks for any feedback!)
 
Sorry for the noise, I think I found it myself ("interface" field in firewall rules). Missed it because I was using security groups and there it's not in the security group but in the "add" dialogue when you add a security group to a firewall policy.
 
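As an added example (not part of the original posts), a small Python check that flags active DHCP allow rules in Proxmox firewall rule text that lack an interface restriction, whether written directly or pulled in through a security group. It assumes the `.fw` rule syntax from the Proxmox VE documentation and that the macro named in the thread is `DHCPfwd`; the sample config and the function name `unscoped_dhcp_rules` are constructed for illustration.

```python
import re

# Constructed sample in Proxmox VE firewall rule syntax (assumed, not from the thread).
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[group dhcp]
IN DHCPfwd(ACCEPT)

[RULES]
IN DHCPfwd(ACCEPT) # broad: matches on every interface
IN DHCPfwd(ACCEPT) -i vmbr0 # scoped to the bridge the DHCP server uses
GROUP dhcp # group applied without an interface
GROUP dhcp -i vmbr0 # group applied to vmbr0 only
|IN DHCPfwd(ACCEPT) # disabled rule, ignored
"""

DHCP_RULE = re.compile(r"^IN\s+DHCPfwd\(ACCEPT\)", re.I)
SECTION = re.compile(r"^\[(?:(group)\s+)?([\w-]+)\]$", re.I)

def unscoped_dhcp_rules(text):
    """Return (line_no, rule) for active DHCP allows in [RULES] without -i."""
    section, dhcp_groups, rules = (None, None), set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing rule comment
        if not line or line.startswith("|"):     # blank, comment or disabled rule
            continue
        m = SECTION.match(line)
        if m:
            name = m.group(2).lower()
            section = ("group", name) if m.group(1) else (name, None)
        elif section[0] == "group" and DHCP_RULE.match(line):
            dhcp_groups.add(section[1])          # this group allows DHCP
        elif section[0] == "rules":
            rules.append((no, line))
    findings = []
    for no, line in rules:                       # second pass: groups now known
        tok = line.split()
        via_group = (tok[0].upper() == "GROUP" and len(tok) > 1
                     and tok[1].lower() in dhcp_groups)
        if (DHCP_RULE.match(line) or via_group) and "-i" not in tok:
            findings.append((no, line))
    return findings

if __name__ == "__main__":
    for no, rule in unscoped_dhcp_rules(SAMPLE_FW):
        print(f"line {no}: no interface restriction: {rule}")
```
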