I'm looking at working on my cluster security somewhat and to that end want to utilize the PVE firewall.
Looking through the instructions here, I read that if I want to administer it remotely I need to add exceptions for it in order not to lose access, as it claims only 22 and 8006 from its local subnet are built-in rules.
What I need to do for my external subnets is fairly obvious with this instruction.
But what I can't find is if I should add exceptions for intercluster communication (like corosync?) on the local subnet and, if so, what needs to be allowed exactly and at what level I should be allowing it?
Or is this traffic also allowed by default and can I just enable the PVE firewall without breaking the cluster?