PVE Firewall rule match

hac3ru

Member
Mar 6, 2021
Hello,

I was trying to set some firewall rules to stop a VM from talking to other VMs but to allow it to reach the internet.
What I did:
1. Enabled the firewall at the datacenter level
2. Enabled the firewall on the VM NIC
3. Enabled the firewall on the VM
4. Created an IPSet for non-local IPs called non_local, with these "IPs":
Code:
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16
5. Created a Security Group with the following rules:
Rule 1:
Code:
Direction: IN
Action: ACCEPT
Source: +dc/non-Local
Rule 2:
Code:
Direction: OUT
Action: ACCEPT
Destination: +dc/non-local
The issue is that this doesn't work for some reason and I don't understand why. From my point of view, it should allow all INCOMING traffic that's not coming from those private IPs and allow all OUTGOING traffic since none of that is going to the private IPs.

Also, just as a suggestion: can't we have a checkbox next to Src/DST saying "Don't match"? I'm asking because, for example, if I want to have two rules, one to match an IP and the other to match everything but that IP, I'd have to have two IPSets, one with the IP address and one with the IP non-match setting on.

Providing the cluster.fw and vm_id.fw files below for reference, if needed.
Code:
[OPTIONS]

policy_in: DROP
policy_out: ACCEPT
enable: 1

[ALIASES]

# SOME ALIASES HERE, TOO MANY TO INCLUDE

[IPSET local_ips]

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

[IPSET not_local_ips]

!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16

[RULES]

[group vm-to-net] # Do not allow inter-vlan comm

IN ACCEPT -source +dc/not_local_ips -log warning # Allow incoming from non-local IP addresses (internet)
OUT ACCEPT -dest +dc/not_local_ips -log warning # Allow outgoing to non-local IPs (internet); the destination, not the source, is what has to be non-local on an OUT rule

Code:
[OPTIONS]

enable: 1
ndp: 0
ipfilter: 1
policy_out: DROP
log_level_out: warning
dhcp: 0
log_level_in: warning

[RULES]

GROUP vm-to-net

Also, just referencing this, maybe it gets more views, as I find it quite important...
https://forum.proxmox.com/threads/pve-8-pve-firewall-status-no-such-alias.130202/#post-573149

Thanks in advance.
Hello, I have the same problem, have you found a way to make it work?

Can you please also post your cluster.fw and VM firewall as well as the output of iptables-save?
Can you also post the configuration of the VM (qm config <vmid>) and the network configuration of the host?
How are you testing the firewall rules?
 
Hello @shanreich

I think everything is based on a misunderstanding of the "nomatch" functionality.
As stated in this post, the nomatch seems to do an exclusion for IPs already matched in the set, so you need to define a wide IPSet and then nomatch some of the IPs.

I successfully did an "Internet IPs"/"not local IPs" IPSet by adding every IP (but 0.0.0.0/0 is not possible) and then nomatching my private CIDRs:
[attached screenshot: 1728483046391.png]

Doing it like this allows me to connect to the internet from my guest but denies all traffic to my local IPs.

Maybe the Proxmox documentation needs a section for the "nomatch" functionality?
 
  • Like
Reactions: shanreich
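The behaviour described in this reply, and the reason the all-negated IPSet in the original post never matched anything, as an added example that is not part of the thread and not Proxmox VE's own code. The script parses the [IPSET ...] sections of a cluster.fw body and evaluates lookups the way ipset(8) hash:net does: the most specific (longest prefix) entry containing the address wins, and if that entry carries the nomatch flag the address is treated as not in the set. The mapping of "!" entries onto hash:net nomatch entries, the sample cluster.fw text, the set name internet_ips and the two /1 networks used in place of the rejected 0.0.0.0/0 (hash:net cannot store a zero-length prefix) are assumptions made for this example, not something from the thread.

```python
"""Model of how a Proxmox VE firewall IPSet with '!' (nomatch) entries is
evaluated, plus a parser for the [IPSET ...] sections of a cluster.fw file.

Added example; not code from Proxmox VE or from anyone in this thread.
Assumption: pve-firewall loads '!' entries into an ipset(8) hash:net set with
the nomatch flag, and hash:net tests an address against the most specific
(longest prefix) entry containing it. If that winning entry is a nomatch
entry, the address is NOT in the set. A set made only of nomatch entries
therefore matches nothing at all.
"""
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Entry = Tuple[Network, bool]  # (network, is_nomatch)

# Constructed sample cluster.fw body (not the poster's real file). It holds the
# all-negated set from the question next to the "wide set, then nomatch" variant
# from the last reply. 0.0.0.0/0 cannot be used, because hash:net refuses a
# zero-length prefix, so two /1 networks cover all of IPv4 instead.
SAMPLE_CLUSTER_FW = """\
[OPTIONS]

enable: 1

[IPSET not_local_ips] # matches nothing: every entry is nomatch

!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16

[IPSET internet_ips] # whole IPv4 space minus RFC 1918

0.0.0.0/1
128.0.0.0/1
!10.0.0.0/8
!172.16.0.0/12
!192.168.0.0/16

[RULES]

IN ACCEPT -source +dc/internet_ips
"""

_IPSET_HEADER = re.compile(r"^\[IPSET\s+(\S+)\]$")


def parse_ipsets(text: str) -> Dict[str, List[Entry]]:
    """Return {ipset name: [(network, is_nomatch), ...]} from a cluster.fw body."""
    sets: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments and blanks
        if not line:
            continue
        header = _IPSET_HEADER.match(line)
        if header:
            current = header.group(1)
            sets[current] = []
            continue
        if line.startswith("["):  # [OPTIONS], [RULES], [group ...]: leave IPSET mode
            current = None
            continue
        if current is None:
            continue
        is_nomatch = line.startswith("!")
        cidr = line[1:].strip() if is_nomatch else line
        sets[current].append((ipaddress.ip_network(cidr, strict=False), is_nomatch))
    return sets


def ipset_matches(entries: List[Entry], addr: str) -> bool:
    """hash:net lookup: longest matching prefix wins; a nomatch winner means not in set."""
    ip = ipaddress.ip_address(addr)
    best: Union[Entry, None] = None
    for net, is_nomatch in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, is_nomatch)
    return best is not None and not best[1]


def match_table(sets: Dict[str, List[Entry]], addrs: List[str]) -> Dict[str, Dict[str, bool]]:
    """Evaluate every set against every address, for side-by-side comparison."""
    return {name: {a: ipset_matches(entries, a) for a in addrs} for name, entries in sets.items()}


if __name__ == "__main__":
    table = match_table(parse_ipsets(SAMPLE_CLUSTER_FW), ["8.8.8.8", "10.1.2.3", "192.168.1.10"])
    for name, results in table.items():
        print(name, results)
```

Running it shows not_local_ips returning False for every address, public or private, while internet_ips is True for public addresses and False for the three RFC 1918 ranges. On a real host the same check is done by compiling the ruleset with `pve-firewall compile` and inspecting the generated sets with `ipset list`: a set whose members all carry the nomatch flag has nothing for a rule to match against.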