pve-firewall doesn't block ports 111/tcp/udp and 3128/tcp

Brawn1

Mar 30, 2016
Hello,

I am using a 3-node Proxmox 4.1 cluster with pve-firewall.

The BSI team did a pentest on my server and reported that the rpcbind and squid-http ports are open.
So I thought OK, and added rules to drop ports 111 and 3128 tcp/udp.

But the firewall doesn't block the ports (other settings are working).

pve-firewall has been restarted and the command pve-firewall status gives the output:
Code:
Status: enabled/running (pending changes)

my config firewall/cluster.fw:
Code:
root@node2 ~ # cat /etc/pve/firewall/cluster.fw
[OPTIONS]

enable: 1
policy_in: DROP

[ALIASES]

VMBR80 10.2.3.0/24 # tinc vpn network
vpn 0.0.0.0/0
VMBR0 192.168.81.0/24

[IPSET home] # Management Zugang

1.2.3.4/24 # LTE Netz-2
1.2.3.5/24 # T-Mobile LTE Netz
2.3.4.5 # Se7en MMI Datencenter
3.4.5.6 # Wasser Tirol
4.5.6.7 # Noesslach Business ADSL

[IPSET wan] # eth0 on all Nodes

7.7.7.144 # node3
8.8.8.201 # node4
9.9.9.67 # node2

[RULES]

GROUP tincvpn -i vpn # cluster communication
GROUP tincvpn -i vmbr80 # cluster communication
GROUP internet -i eth0 # WAN

[group internet]

IN DROP -dest +wan -p udp -dport 111 # portmapper
IN DROP -dest +wan -p tcp -dport 111 # portmapper
IN SMTPS(ACCEPT) -dest +wan # MX
IN SMTP(ACCEPT) -dest +wan # MX
IN ACCEPT -dest +wan -p udp -dport 655 # tinc vpn
IN ACCEPT -dest +wan -p tcp -dport 655 # tinc vpn
IN ACCEPT -source +home -dest +wan -p tcp -dport 5900:5999 # webvnc
IN ACCEPT -source +home -dest +wan -p tcp -dport 8006
IN Ping(ACCEPT) -dest +wan
IN SSH(ACCEPT) -dest +wan

[group tincvpn] # tinc vpn

IN SSH(ACCEPT) -dest vmbr80
IN Ceph(ACCEPT) -dest vpn
IN Ceph(ACCEPT) -source vpn # all ports vpn net
IN Ceph(ACCEPT) -source vmbr80
IN Ceph(ACCEPT) -dest vmbr80
IN ACCEPT -source vmbr80 -p igmp -dport 1:50000 # all ports vmbr80
IN ACCEPT -source vmbr80 -p udp -dport 1:50000 # all ports
IN ACCEPT -source vmbr80 -p tcp -dport 1:50000 # all ports
IN ACCEPT -source vpn -p igmp -dport 1:50000 # all ports vpn net
IN ACCEPT -source vpn -p udp -dport 1:50000 # all ports vpn net
IN ACCEPT -source vpn -p tcp -dport 1:50000 # all ports vpn net
IN ACCEPT -dest vmbr80
IN ACCEPT -source vmbr80

root@node2 ~ #

What is wrong?
 
Good Morning,

After checking the firewall config, I see that interface vpn has the IP address range 0.0.0.0/0.
Is that the error?

If yes, how can I say it must pass the 10.2.3.0/24 traffic and multicast 239.0.0.0/8?

Thank you... :)
 
Hello, I have received the same alert from BSI; did you (finally) figure out how to set up the firewall?

My machine is running Proxmox VE 3.4.

The official documentation for the Proxmox firewall is incomplete.

Thanks
 
support and/or direction to resolve appreciated!

thanks
 
Hi,

I have solved it with this firewall configuration:

Code:
[OPTIONS]

enable: 1
policy_in: DROP

[ALIASES]

VMBR0 192.168.81.0/24
vmbr80 10.2.3.0/24

[IPSET home] # Management Zugang

1.2.3.4/24 # LTE Netz-2
1.2.3.5/24 # T-Mobile LTE Netz
2.3.4.5 # Datencenter
3.4.5.6 # WT
4.5.6.7 # N B ADSL

[IPSET wan] # eth0 on all Nodes

7.7.7.144 # node3
8.8.8.201 # node4
9.9.9.67 # node2

[RULES]

IN ACCEPT -i vpn # vpnnet
GROUP vpn -i vmbr80
GROUP internet -i eth0 # WAN

[group internet]

IN SMTPS(ACCEPT) -dest +wan # MX
IN SMTP(ACCEPT) -dest +wan # MX
IN ACCEPT -dest +wan -p udp -dport 655 # tinc vpn
IN ACCEPT -dest +wan -p tcp -dport 655 # tinc vpn
IN ACCEPT -source +home -dest +wan -p tcp -dport 5900:5999 # webvnc
IN ACCEPT -source +home -dest +wan -p tcp -dport 8006
IN Ping(ACCEPT) -dest +wan
IN SSH(ACCEPT) -dest +wan

[group vpn]

IN ACCEPT

So I had to delete the vpn alias, and now it works. :)

Thank you
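As an added example (not from this thread and not a Proxmox tool), a small Python linter for the cluster.fw format shown above: it resolves alias references in ACCEPT rules and flags any alias that covers 0.0.0.0/0, which is the configuration the thread traced the problem to. The parser, the embedded sample config (a constructed cut-down of the first post's file) and the prefix-length threshold are assumptions made here; the max_prefix parameter generalises the check to any alias wider than a chosen prefix.

```python
import ipaddress

# Constructed sample: the relevant lines of the broken cluster.fw from the thread.
SAMPLE_FW = """\
[ALIASES]
VMBR80 10.2.3.0/24 # tinc vpn network
vpn 0.0.0.0/0
[RULES]
GROUP tincvpn -i vpn
[group tincvpn]
IN ACCEPT -source vpn -p tcp -dport 1:50000 # all ports vpn net
IN ACCEPT -source vmbr80 -p tcp -dport 1:50000
IN DROP -dest +wan -p tcp -dport 111
"""

def parse_fw(text):
    """Return (aliases, rules): aliases maps lowercased alias name -> ip_network
    (alias lookups are case-insensitive, as VMBR80/vmbr80 in the thread shows);
    rules is a list of (section, rule) for every IN/OUT line, comments stripped."""
    aliases, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section == "aliases":
            name, cidr = line.split(None, 1)
            aliases[name.lower()] = ipaddress.ip_network(cidr.strip(), strict=False)
        elif section == "rules" or section.startswith("group "):
            if line.split()[0] in ("IN", "OUT"):
                rules.append((section, line))
    return aliases, rules

def find_broad_accepts(text, max_prefix=0):
    """Flag ACCEPT rules (plain or macro, e.g. SSH(ACCEPT)) whose -source/-dest
    alias is /max_prefix or wider. Default 0 catches 0.0.0.0/0 and ::/0 only."""
    aliases, rules = parse_fw(text)
    findings = []
    for section, rule in rules:
        parts = rule.split()
        if "ACCEPT" not in parts[1]:
            continue
        for flag in ("-source", "-dest"):
            if flag in parts:
                ref = parts[parts.index(flag) + 1].lower()
                net = aliases.get(ref)  # ipsets (+name) and literal CIDRs are skipped
                if net is not None and net.prefixlen <= max_prefix:
                    findings.append((section, ref, str(net), rule))
    return findings

if __name__ == "__main__":
    for section, ref, net, rule in find_broad_accepts(SAMPLE_FW):
        print(f"[{section}] alias '{ref}' = {net} used in accept rule: {rule}")
```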
 