Proxmox VE Firewall Help on OVH

D

dison4linux

Renowned Member
Jun 3, 2015
22
0
66
I've got a new Proxmox VE Instance running on OVH.
I have the firewall enabled at the datacenter level and the rules that I write at that level are applying to the hypervisor correctly as I'd expect.

I don't seem to be able to get the firewall rules to apply to the LXC VMs at the moment. It appears as if all traffic is permitted to the VMs.

Here is what is working for the hypervisor:
Code: 
root@hv1:/etc/pve/firewall# cat cluster.fw
[OPTIONS]

policy_in: DROP
enable: 1

[RULES]

IN ACCEPT -source 167.###.##.163 -p icmp
IN ACCEPT -source 167.###.##.163 -p udp -dport 161
IN ACCEPT -p tcp -dport 22
IN ACCEPT -p tcp -dport 8006

And here is the VM, I noticed that there is no "policy_in: DROP" like there is for the cluster, but looking at the settings in the GUI it looks like there should be:
Code: 
root@hv1:/etc/pve/firewall# cat 701.fw
[OPTIONS]

enable: 1

I don't have any way to host a picture at the moment, but the settings in the GUI at the VM level look like:
Enable Firewall: Yes
Enable DHCP: No
MAC filter: Yes
log_level_in: nolog
log_level_out: nolog
Input Policy: DROP
Output Policy: ACCEPT

And in the Rules section of the GUI for the VM there is nothing. So I'd expect to have no access to the VM or at least no access above what's been defined at the cluster level. For example there's no rule for DPort: 80 there but I can access the web page on the VM just fine.
 
I'm experiencing what seems to be the same issue. I too am hosting on OVH.
Firewall enabled in Datacenter with Input Policy set to ACCEPT.
Firewall enabled on my network settings for net0 in LXC container.
Firewall enabled in the options tab for same container with Input Policy set to DROP.
With those settings all traffic is being let through when I'd expect nothing to be let through.
 
I also have a host on OVH.
I don't understand very well those rules for cluster... but if i create a security group with the rules on the cluster, then i can apply those groups on the vm's themselves.
I guess those rules on the cluster level are rules to be applyed between VM's (but i can be wrong).
 
There was a new update to pve-firewall that I just installed tonight... (2.0-16)
I'm not sure whether the newer version fixed something or simply the update process caused the service to be restarted, but either way it is working now.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back