Proxmox VE Firewall Configuration

bhagat.sameer

New Member
Sep 9, 2014
Hi,

I am a bit new to the Proxmox Firewall feature. I have a cluster of Proxmox with 4 servers and multiple Containers on them. I am able to use Live migration and other cluster features. My Proxmox Hosts are exposed to a public network and I am worried about hacking of my system. I have Firewall, IDS and IPS installed and working fine on my Containers, but I still don't have any Firewall rules on my Hosts. I feel that if someone is able to get into my host server...boom, they can do anything with my whole setup.

I would like to know how I can secure my host server using the Firewall. Also, will the configuration of the Firewall affect my CT? Do I need to configure port forwarding for the ports required for my CT? I tried configuring the Firewall on the hosts, but it brings down my cluster.

Any help or suggestion is much appreciated.

Thanks
 
I would like to know how I can secure my host server using the Firewall. Also, will the configuration of the Firewall affect my CT? Do I need to configure port forwarding for the ports required for my CT? I tried configuring the Firewall on the hosts, but it brings down my cluster.

What I did initially was move all containers off one of hosts and test out the rules on that host only. After experimenting I was then confident enough that I could apply the rules in one place at the datacenter level, which covers all hosts. The host rules are separate from the containers.

Do you have a static IP that you connect from and which need full access to the hosts?

At the datacenter level, I configured an alias 'office' with a single IP which is the gateway for my office network.

In the Rules section I created a couple of rules:

ACCEPT incoming using SSH macro, source: 'office'
ACCEPT incoming TCP port 8006, source: office

I also set up a rule using the Ping macro to allow from all as I monitor the hosts externally. I also set these rules on the vmbr0 interface only.

I then enabled the firewall (I have out-of-band console access in case of any problems with this).

From another unrelated host, I ran nmap to check the firewall. The only port it found is 43/whois (which is closed, but for some reason allowed by the default rules)
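The datacenter-level setup described in the reply above (an 'office' alias, SSH and 8006 allowed only from that alias, Ping allowed from anywhere, all restricted to vmbr0) can be expressed as a /etc/pve/firewall/cluster.fw file. This is an added example, not the replying user's actual configuration; the address 203.0.113.10 is a placeholder for the office gateway and must be replaced before enabling the firewall.

```ini
# /etc/pve/firewall/cluster.fw  (datacenter level, applied to every host in the cluster)

[OPTIONS]
# Switch the cluster-wide firewall on. Incoming traffic not matched by a rule is dropped.
enable: 1
policy_in: DROP
policy_out: ACCEPT

[ALIASES]
# Placeholder address: replace with the real public IP of the office gateway.
office 203.0.113.10

[RULES]
# Host management only from the office, and only on the public bridge vmbr0.
IN SSH(ACCEPT) -i vmbr0 -source office
IN ACCEPT -i vmbr0 -source office -p tcp -dport 8006
# External monitoring pings the hosts from anywhere, so ICMP echo is open on vmbr0.
IN Ping(ACCEPT) -i vmbr0
```

Keep out-of-band console access at hand while enabling this, as the reply does, because a typo in the alias locks you out of SSH and the web GUI at once. Before setting enable to 1, `pve-firewall compile` on a host shows the iptables rules that will be generated, and `pve-firewall status` afterwards confirms the firewall is running. Container rules live in their own per-CT files and are not touched by this file.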
 
