Proxmox VE firewall not blocking SSH

N

NextPancake401

Member
Dec 17, 2021
21
2
8
Ohio
I have a very strict firewall policy that essentially boils down to, block ALL traffic from any and all servers and computers that are not essential to that host's operation or needs.
This seemed fine for a while but I just realized that anything on VLAN 10 can access Proxmox via SSH, even though we have all inbound traffic blocked and the firewall enabled. We permitted VLAN 40 to connect via SSH but that's to be expected since that's where things are managed.
Why can I access Proxmox via SSH on VLAN 10 even though we block inbound and don't have a rule letting SSH permitted on that network?
 
NextPancake401 said:
Why can I access Proxmox via SSH on VLAN 10 even though we block inbound and don't have a rule letting SSH permitted on that network?
Click to expand...
SSH is always enabled on the datacenter level unless you deconfigured it.

NextPancake401 said:
We permitted VLAN 40 to connect via SSH
Click to expand...
How did you do that? I wasn't aware of the fact that firewall rules can be applied on VLAN basis.
 
LnxBil said:
How did you do that? I wasn't aware of the fact that firewall rules can be applied on VLAN basis.
Click to expand...
I should have clarified that VLAN 40 is an internal VLAN on my network (10.21.40.0/24). You can specify things in the source like 10.21.40.0/24 and it will cover the entire network range. (I'm sorry if made you confused. I'm bad at explaining things)
 
NextPancake401 said:
I should have clarified that VLAN 40 is an internal VLAN on my network (10.21.40.0/24). You can specify things in the source like 10.21.40.0/24 and it will cover the entire network range. (I'm sorry if made you confused. I'm bad at explaining things)
Click to expand...
Yes, that is the way I know and do, no problem. Just wanted to clear it.

Often, firewall problems are configuration problems. Happens all the time and I stumbled across them also often. Missed a check mark for firewalling on the NIC or missed the default setting DROP/REJECT (whatever your preference is there).
 
LnxBil said:
Yes, that is the way I know and do, no problem. Just wanted to clear it.

Often, firewall problems are configuration problems. Happens all the time and I stumbled across them also often. Missed a check mark for firewalling on the NIC or missed the default setting DROP/REJECT (whatever your preference is there).
Click to expand...
I just enforced a rule that lets all nodes communicate with each other but blocks all other IPs on that network then I of course allowed VLAN 40 to communicate to Proxmox via SSH too.
 
You must log in or register to reply here.
Top Bottom