PVE Firewall - Datacenter rules

TwiX

Hi

proxmox-ve: 6.3-1 (running kernel: 5.4.73-1-pve)
pve-manager: 6.3-2 (running version: 6.3-2/22f57405)
pve-kernel-5.4: 6.3-1
pve-kernel-helper: 6.3-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
pve-kernel-5.4.65-1-pve: 5.4.65-1
ceph: 15.2.6-pve1
ceph-fuse: 15.2.6-pve1
corosync: 3.0.4-pve1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.16-pve1
libproxmox-acme-perl: 1.0.5
libproxmox-backup-qemu0: 1.0.2-1
libpve-access-control: 6.1-3
libpve-apiclient-perl: 3.0-3
libpve-common-perl: 6.2-6
libpve-guest-common-perl: 3.1-3
libpve-http-server-perl: 3.0-6
libpve-storage-perl: 6.3-1
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.3-1
lxcfs: 4.0.3-pve3
novnc-pve: 1.1.0-1
proxmox-backup-client: 1.0.5-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.4-3
pve-cluster: 6.2-1
pve-container: 3.3-1
pve-docs: 6.3-1
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-3
pve-firmware: 3.1-3
pve-ha-manager: 3.1-1
pve-i18n: 2.2-2
pve-qemu-kvm: 5.1.0-7
pve-xtermjs: 4.7.0-3
qemu-server: 6.3-1
smartmontools: 7.1-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 0.8.5-pve1

I have the following rules applied at datacenter level :

[screenshots of the datacenter firewall rules]


Everything is working as expected for host nodes.

But not for a VM (for now only the host nodes are protected by the PVE FW).

[screenshots of the VM firewall]

When one of my Zabbix proxies tries to ping the VM, it is rejected, as you can see in the logs:

[screenshot of the firewall log]


Why can't the datacenter firewall rules be applied to VMs?

Thanks in advance!

Antoine
 

Hi,
Rules for the node hosting the VM:

[attachment: iptables.txt]
 
The datacenter rules are not applied on VMs/CTs, only on hosts.

If you want to apply a common ruleset to VMs, you need to create a security group with rules at datacenter level, and use it in each VM firewall.
 
Hi,

Thanks.

Could be interesting to have datacenter rules applied on all items (Hosts + CT/VMs), don't you think?
 
No, absolutely not. ;)

With 120 VM/CTs per cluster it would be nice not to have to set up each VM/CT one by one.

For example, a checkbox 'Also apply on VM/CTs' for datacenter rules.
 
Yes, understood - but for example, in order to apply the same rule to 120 VMs, you have to apply it manually for each...
 
And you have 120 VMs that all need the same firewall rules? I have like 15 and not two of them have the same set of rules.
 
> Yes, understood - but for example, in order to apply the same rule to 120 VMs, you have to apply it manually for each...

If you really want to apply it to ALL VMs, you can easily script this once you have added the security group on the cluster (in this case let's take webserver as the name):

Code:
#!/bin/bash

# every VMID on this node: first column of 'qm list', skipping the header line
VMIDS=$(qm list | awk '/[0-9]/{print $1}')
for VMID in $VMIDS; do
    # write a [RULES] section that only references the datacenter security group
    printf '\n[RULES]\nGROUP webserver\n' > /etc/pve/firewall/${VMID}.fw;
done

Note that this assumes the VMID.fw file doesn't exist, so it will overwrite the existing firewall configuration for those VMs. You can change the > to >> to append instead of overwriting.
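An added example, not code from the thread, that goes a step further than the script above: it covers containers (pct) as well as VMs (qm), and adds the GROUP line without clobbering a guest's existing .fw file, placing it under an existing [RULES] section and skipping guests that already reference the group. It assumes the security group already exists in cluster.fw; the FWDIR override is only there so the functions can be exercised on a scratch directory.

```shell
#!/bin/bash
# Assumption: the group (e.g. "webserver") is already defined in /etc/pve/firewall/cluster.fw.
set -u
FWDIR="${FWDIR:-/etc/pve/firewall}"   # override only for testing on a scratch directory

# All guest IDs on this node: VMs via qm, containers via pct (the thread's script covers VMs only).
list_guest_ids() {
    { qm list 2>/dev/null; pct list 2>/dev/null; } | awk '$1 ~ /^[0-9]+$/ {print $1}'
}

# has_group FILE GROUP: 0 if the file already references the group (also matches a disabled "|GROUP" line)
has_group() {
    [ -f "$1" ] && grep -qE "^\|?GROUP[[:space:]]+$2([[:space:]]|$)" "$1"
}

# ensure_group FILE GROUP: create the file if missing, otherwise add the rule under [RULES];
# existing [OPTIONS], [IPSET ...] and rule lines are never rewritten. Prints "added" or "present".
ensure_group() {
    local file=$1 group=$2
    if has_group "$file" "$group"; then
        echo present
        return 0
    fi
    if [ ! -f "$file" ]; then
        printf '[RULES]\nGROUP %s\n' "$group" > "$file"
    elif grep -q '^\[RULES\]' "$file"; then
        # insert right after the existing [RULES] header, so it cannot land inside another section
        awk -v g="$group" '{print} /^\[RULES\]/ && !done {print "GROUP " g; done=1}' "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '\n[RULES]\nGROUP %s\n' "$group" >> "$file"
    fi
    echo added
}

# apply_to_all GROUP [ID...]: without explicit IDs, every VM and CT on this node is processed
apply_to_all() {
    local group=$1 id
    shift
    for id in ${*:-$(list_guest_ids)}; do
        printf '%s: %s\n' "$id" "$(ensure_group "$FWDIR/$id.fw" "$group")"
    done
}

# usage: ./apply-group.sh webserver        (or: ./apply-group.sh webserver 100 101)
if [ $# -gt 0 ]; then apply_to_all "$@"; fi
```

Remember that a .fw file is only honoured once the guest's firewall is enabled (enable: 1 in its [OPTIONS]) and the guest's NICs have the firewall flag set; the script does not change those settings.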
 
> And you have 120 VMs that all need the same firewall rules? I have like 15 and not two of them have the same set of rules.
Yes indeed

For example, activate the FW for the VM (Input Drop - Output Accept),
then allow incoming connections from some IP ranges (RDP, SSH, Zabbix monitoring...), and do that for all VM/CTs.

This is the reason why I thought datacenter rules with security groups should do the trick.
 
Agreed, there are standard tasks which apply to most VMs. These go into a security group.
Either the template already has this security group or I assign it directly after creation.
Still don't see a benefit of applying the host's rules to a VM.
 
So my proposal is to add a checkbox :) to choose whether or not the datacenter rules with the security group are applied to all VM/CTs.
 