PVE Firewall rule match

[hac3ru]

Hello,

I was trying to set some firewall rules to stop a VM from talking to other VMs but to allow it to reach the internet.
What I did:
1. Enabled the firewall at the datacenter level
2. Enabled the firewall on the VM NIC
3. Enable the firewall on the VM
4. Create an IPSet for non local IPs called non_local, with these "IPs"

!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16

5. Create a Security Group with the following rules:
Rule 1:

Direction: IN
Action: ACCEPT
Source: +dc/non-Local
Source:

Rule 2:

Direction: OUT
Action: ACCEPT
Destination: +dc/non-local

The issue is that this doesn't work for some reason and I don't understand why. From my point of view, it should allow all INCOMING traffic that's not coming from those private IPs and allow all OUTGOING traffic since none of that is going to the private IPs.

Also, just as a suggestion: can't we have a checkbox next to Src/DST saying "Don't match"? I'm asking because, for example, if I want to have two rules, one to match an IP and the other to match everything but that IP, I'd have to have two IPSets, one with the IP address and one with the IP non-match setting on.

Providing the cluster.fw file and vm_id.fw files down below for reference if needed

[OPTIONS]

policy_in: DROP
policy_out: ACCEPT
enable: 1

[ALIASES]

# SOME ALIASES HERE, TOO MANY TO INCLUDE

[IPSET local_ips]

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

[IPSET not_local_ips]

!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16

[RULES]

[group vm-to-net] # Do not allow inter-vlan comm

IN ACCEPT -source +dc/not_local_ips -log warning # Allow incoming from non-local IP addresses (internet)
OUT ACCEPT -source +dc/not_local_ips -log warning # Allow outgoing to non-local IPs (internet)

[OPTIONS]

enable: 1
ndp: 0
ipfilter: 1
policy_out: DROP
log_level_out: warning
dhcp: 0
log_level_in: warning

[RULES]

GROUP vm-to-net

Also, just referencing this, maybe it gets more views, as I find it quite important...
https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/#post-573149

Thanks in advance.

 

[Myst]

Hello, I have the same problem, have you found a way to make it work?

 

[hac3ru]

Hello,

Unfortunately I haven't and I've moved on from using the firewall in PVE.

 

[shanreich]

Hello, I have the same problem, have you found a way to make it work?

Can you please also post your cluster.fw and VM firewall as well as the output of iptables-save?
Can you also post the configuration of the VM (qm config <vmid>) and the network configuration of the host?
How are you testing the firewall rules?

 

[Myst]

Can you please also post your cluster.fw and VM firewall as well as the output of iptables-save?
Can you also post the configuration of the VM (qm config <vmid>) and the network configuration of the host?
How are you testing the firewall rules?

Hello @shanreich

I think everything is based on a misunderstanding of the "nomatch" functionnality.
Like stated in this post the nomatch seems to do an exclusion for IPs already matched in the set, so you need to define a wide IPset than nomatch some of the IPs.

I successfully did an "Internet ips"/'not local ips" IPset by adding every IP (but 0.0.0.0/0 is not possible) than nomatch my private CIDRs:


Doing like this allow me to connect to the internet from my guest but deny every traffic to my local IPs.

Maybe the proxmox documentation need a section for the "nomatch" functionality ?