[SOLVED] pve-Firewall - Default policy on node and VM level / And how to make it work with CT

albans

May 7, 2015
Hi,

I turned on the pve-Firewall on proxmox 3.4. It works well at node level.
I created rules to allow INCOMING traffic on specific services like Proxmox admin, SSH & HTTP.
I also added a rule with the lowest priority (bottom of the list) to DROP all INCOMING traffic for vmbr0.
As already said, it works well, but is there any other way to set a DEFAULT DROP POLICY?

Moreover, I also tried to set it up for an OpenVZ Container (where I added, on top of the existing static IP, a veth interface with the firewall-enabled option). Unfortunately, this doesn't seem to work. Any INCOMING traffic is allowed, no matter what I set in the rules.
What shall I do to enable the firewall on this OpenVZ Container?

Thx for your help.
Regards
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Please can you post the container config?
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Please can you post the container config?


Code:
ONBOOT="no"
PHYSPAGES="0:1024M"
SWAPPAGES="0:512M"
KMEMSIZE="465M:512M"
DCACHESIZE="232M:256M"
LOCKEDPAGES="512M"
PRIVVMPAGES="unlimited"
SHMPAGES="unlimited"
NUMPROC="unlimited"
VMGUARPAGES="0:unlimited"
OOMGUARPAGES="0:unlimited"
NUMTCPSOCK="unlimited"
NUMFLOCK="unlimited"
NUMPTY="unlimited"
NUMSIGINFO="unlimited"
TCPSNDBUF="unlimited"
TCPRCVBUF="unlimited"
OTHERSOCKBUF="unlimited"
DGRAMRCVBUF="unlimited"
NUMOTHERSOCK="unlimited"
NUMFILE="unlimited"
NUMIPTENT="unlimited"

# Disk quota parameters (in form of softlimit:hardlimit)
DISKSPACE="20G:22G"
DISKINODES="4000000:4400000"
QUOTATIME="0"
QUOTAUGIDLIMIT="0"

# CPU fair scheduler parameter
CPUUNITS="1000"
CPUS="2"
HOSTNAME="myhostname"
SEARCHDOMAIN="mydomain"
NAMESERVER="192.168.1.2"
IP_ADDRESS="10.1.1.10"
VE_ROOT="/var/lib/vz/root/$VEID"
VE_PRIVATE="/data/vz/private/105"
OSTEMPLATE="centos-6-x86_64-minimal.tar.gz"
NETIF="ifname=eth0,bridge=vmbr1f,mac=7A:C9:83:E5:64:F7,host_ifname=veth105.0,host_mac=E6:E5:E1:58:48:06"
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Hi, did it help to see my vm conf file?
I tried again to drop some ports in a host-level firewall configuration for a CT, and it doesn't work.
Thx for your help.
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Any feedback? THX
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Do you make the firewall rule on the CT/VM level?

Does
Code:
pve-firewall compile
include your newly added rule?
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Do you make the firewall rule on the CT/VM level?

Does
Code:
pve-firewall compile
include your newly added rule?

Unfortunately not, the new rules set up in the proxmox admin under the VM don't show up.
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Have you enabled the firewall on the network device?
Look at the Network Tab on CT level and edit yours, there should be a check-box for the firewall.
You must also enable it in the Firewall tab, if you haven't already; below it there is an Options sub-tab (do it at Datacenter, Node, and CT level).
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Hi,
Yes, Firewall checkbox is enabled on Datacenter level and CT level. It works perfectly for the rules I add at the Datacenter level.
Only the rules I add at the CT level don't work and don't show up with the command pve-firewall compile.
Thx for your help.
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

But is the Firewall also enabled on the network device of the container?
[screenshot: 2015-08-06-081420_808x655_scrot.png]
Here you see what I mean. :)
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Yes it is.
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Tried to reproduce it, but with no success.
When I enable the firewall on every level (Datacenter, Node, VM/CT) plus on the network device from the VM/CT the rules show up with pve-firewall compile and also work as expected.
Strange. I assume your machine is up to date?
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

It is enabled on all levels. Found as well at node level how to enable it (options tab, in the bottom zone).
But still...

Could you just drop some screenshots of simple rules activated on all levels? So I can try the same configuration?
As well as the network config of a CT?

Thx for your help.
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

Hi,
I recently installed the latest Proxmox version, and I confirm that the firewall works on all levels. I couldn't reproduce the issue.
The only thing is the "DROP by default" option at the CT level; it seems it doesn't work. I had to add a "DROP" rule on top to really block all incoming traffic except what I wish to authorize. This "DROP all incoming" has to be placed at the end of the rules table, after all other "ACCEPT" rules.
 
Re: pve-Firewall - Default policy on node and VM level / And how to make it works wit

...The only thing is the "DROP by default" option at the CT level; it seems it doesn't work. I had to add a "DROP" rule on top to really block all incoming traffic except what I wish to authorize. This "DROP all incoming" has to be placed at the end of the rules table, after all other "ACCEPT" rules.
Not knowing this fact had me scratching my head for hours today! This seems like a bug in the Proxmox firewall GUI implementation: this option should be removed from the GUI or should cause the expected behavior.
EDIT:
I actually cannot connect with a rule added for input->DROP, no matter if the rule is first or last in the list. I also get different results when trying to connect from the local LAN versus remotely via NAT onto the local LAN. I'm still trying to figure out how iptables works :-(
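The CT-level default policy and rule ordering discussed in the last two posts, as an added example that is not part of any post in this thread: the firewall file the GUI settings are stored in, assumed to live at /etc/pve/firewall/105.fw (105 is the CT ID from the posted container config; the subnet is a constructed sample).

```ini
# /etc/pve/firewall/105.fw  (assumed path; 105 = CT ID from the posted config)
# Equivalent of the CT-level Firewall > Options and Firewall > Rules tabs.

[OPTIONS]
# Nothing here takes effect unless the firewall is also enabled at
# Datacenter level and the "firewall" checkbox is set on the CT's
# network device; otherwise "pve-firewall compile" shows no CT rules.
enable: 1
# Default policy for packets that match no rule in [RULES]:
# drop everything inbound, allow everything outbound.
policy_in: DROP
policy_out: ACCEPT

[RULES]
# Rules are evaluated top-down, first match wins; the policy above
# applies only to traffic that reaches the end of the list.
# SSH only from the local LAN (constructed sample subnet).
IN SSH(ACCEPT) -source 192.168.1.0/24
# Public web service.
IN HTTP(ACCEPT)
# Redundant with policy_in: DROP, but makes the intent visible in the
# GUI rule list; it must stay LAST or it shadows the ACCEPT rules above.
IN DROP
```

Run pve-firewall compile afterwards and confirm the generated ruleset contains these rules for the container; if it does not, the per-device firewall flag or one of the enable switches is still off.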
 