PVE Firewall - Datacenter rules

[TwiX]

Hi

Spoiler: pveversion

proxmox-ve: 6.3-1 (running kernel: 5.4.73-1-pve)
pve-manager: 6.3-2 (running version: 6.3-2/22f57405)
pve-kernel-5.4: 6.3-1
pve-kernel-helper: 6.3-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
pve-kernel-5.4.65-1-pve: 5.4.65-1
ceph: 15.2.6-pve1
ceph-fuse: 15.2.6-pve1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.5
libproxmox-backup-qemu0: 1.0.2-1
libpve-access-control: 6.1-3
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.2-6
libpve-guest-common-perl: 3.1-3
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.3-1
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-backup-client: 1.0.5-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.4-3
pve-cluster: 6.2-1
pve-container: 3.3-1
pve-docs: 6.3-1
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-3
pve-firmware: 3.1-3
pve-ha-manager: 3.1-1
pve-i18n: 2.2-2
pve-qemu-kvm: 5.1.0-7
pve-xtermjs: 4.7.0-3
qemu-server: 6.3-1
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.5-pve1

I have the following rules applied at datacenter level :








Everything is working as expected for Hosts nodes

But not for a VM (by now only hosts nodes are protected by PVE FW)





When one of my zabbix proxies tries to ping the VM, it is rejected as you can see in the logs




Why the datacenter firewall rules can't be applied for vms ?

Thanks in advance !

Antoine

 

[TwiX]

Hi,
Rules for the node hosting the VM :

 

[spirit]

the datacenter rules are not applied on vms/ct, only on hosts.

if you want to apply common ruleset to vms, you need to create a security group with rules at datacenter level, and use it in each vm firewall.

 

[TwiX]

Hi,

Thanks.

Could be interesting to have datacenter rules applied on all items (Hosts + CT/VMs) dont you think ?

 

[ph0x]

No, absolutely not.

 

[TwiX]

No, absolutely not.

With 120 VM/CTs per cluster it should be nice to not settle VM/CT one by one.

For example a checkbox 'Also apply on VM/CTs' for datacenter rules

 

[oguz]

With 120 VM/CTs per cluster it should be nice to not settle VM/CT one by one.

For example a checkbox 'Also apply on VM/CTs' for datacenter rules

as mentioned by @spirit you can create a security group on cluster level and then apply it for the VMs you wish [0]

[0]: https://pve.proxmox.com/wiki/Firewall#pve_firewall_security_groups

 

[TwiX]

Yes understood - but for example, in order to apply the same rule for 120 VMs, you have to apply it manually for each...

 

[ph0x]

And you have 120 VMs that all need the same firewall rules? I have like 15 and not two of them have the same set of rules.

 

[oguz]

Yes understood - but for example, in order to apply the same rule for 120 VMs, you have to apply it manually for each...

if you really want to apply for ALL vms, you can easily script this once you added the security group on the cluster: (in this case let's take webserver as the name)

#!/bin/bash

VMIDS=$(qm list | awk '/[0-9]/{print $1}')
for VMID in $VMIDS; do
    printf '\n[RULES]\nGROUP webserver\n' > /etc/pve/firewall/${VMID}.fw;
done

note that this assumed the VMID.fw file doesn't exist, so it will overwrite existing firewall configuration for those VM. you can change the > to >> to append instead of overwrite.

 

[TwiX]

And you have 120 VMs that all need the same firewall rules? I have like 15 and not two of them have the same set of rules.

Yes indeed

For example, activate the FW for VM (Input Drop - Output Accept) -
Then allow incoming connections for some IP ranges (RDP, SSH, Zabbix monitoring...), and doing it for all VM/CTs

This is the reason why I thought datacenter rules with security groups should do the trick

 

[ph0x]

Agreed, there are standard tasks which apply to most VMs. These go into a security group.
Either the template already has this security group or I assign it directly after creation.
Still don't see a benefit of applying the host's rules to a VM.

 

[TwiX]

So my proposal is to add a checkbox whether or not you want to apply datacenter rules with security group to all VM/CTs