Hi,
Trying to understand something. I created a VM for Qdevice, in the same /24 as my Proxmox hypervisors:
pve1: 192.168.33.44
pve2: 192.168.33.45
qdevice: 192.168.33.46
I understand from the docs that firewalling on the VM level should still apply, and I have only allowed specific (ssh, snmp) traffic, NOT tcp/5403. Also no broad rules on the datacenter level.
root@pve2:/etc/pve/firewall# cat cluster.fw
[OPTIONS]
enable: 1
[IPSET management_access]
192.168.33.44
192.168.33.45
192.168.33.46
[RULES]
IN ACCEPT -p tcp -dport 5201 -log nolog # iperf
IN SSH(ACCEPT) -i SRV_vmbr1.123 -log info # ssh
IN ACCEPT -p icmp -log info
IN SNMP(ACCEPT) -source +dc/management_access -log info
IN SSH(ACCEPT) -source +dc/management_access -log info
IN ACCEPT -source +dc/management_access -p tcp -dport 8006 -log info
IN SPICEproxy(ACCEPT) -source +dc/management_access -log info
root@pve2:/etc/pve/firewall# cat 3346.fw
[OPTIONS]
enable: 1
[RULES]
IN SNMP(ACCEPT) -source +dc/management_access -log nolog
|IN ACCEPT -source +dc/management_access -p tcp -dport 5403 -log info # corosync (DISABLED!)
IN SSH(ACCEPT) -source +dc/management_access -log nolog
IN ACCEPT -source +dc/management_access -p icmp -log nolog
With the above firewalling (NO exception for tcp/5403), qdevice access still works on both Proxmox hosts, confirmed by nmap 192.168.33.46 -p 5403
(closed when corosync-qnetd/corosync stopped, open when corosync-qnetd/corosync running)
We are surprised to see this behaviour and would like to understand it better. Can anyone explain?
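The following is an added example, not code from the original post or from Proxmox. It is a small offline evaluator for the cluster.fw / <vmid>.fw syntax quoted above: it parses the two files (copied here as constructed strings), walks the VM's IN rules in order with first match winning, treats a leading `|` as a disabled rule, and falls back to policy_in (the documented VM default is DROP) when nothing matches. It also checks the two preconditions the Proxmox docs state for VM-level rules to be attached at all: `enable: 1` in the VM's [OPTIONS], and `firewall=1` on the NIC in the VM config. The net0 line is constructed (not from the post), and the macro port lists (SSH, SNMP, SPICEproxy) are assumed from the Proxmox macro table and should be confirmed against PVE/Firewall.pm on a real node.

```python
"""Offline evaluator for Proxmox VE firewall files (added example, not project code)."""
import ipaddress
import re

# Assumed macro expansion as (proto, low port, high port); verify in PVE/Firewall.pm.
MACROS = {
    "SSH": [("tcp", 22, 22)],
    "SNMP": [("udp", 161, 162), ("tcp", 161, 161)],
    "SPICEproxy": [("tcp", 3128, 3128)],
}

# Constructed copies of the files quoted in the post (cluster.fw rules trimmed; only
# its IPSET is referenced by the VM rules via +dc/management_access).
DC_FW = """
[OPTIONS]
enable: 1
[IPSET management_access]
192.168.33.44
192.168.33.45
192.168.33.46
[RULES]
IN ACCEPT -p tcp -dport 5201 -log nolog # iperf
IN SSH(ACCEPT) -source +dc/management_access -log info
"""
VM_FW = """
[OPTIONS]
enable: 1
[RULES]
IN SNMP(ACCEPT) -source +dc/management_access -log nolog
|IN ACCEPT -source +dc/management_access -p tcp -dport 5403 -log info # corosync (DISABLED!)
IN SSH(ACCEPT) -source +dc/management_access -log nolog
IN ACCEPT -source +dc/management_access -p icmp -log nolog
"""
# Constructed net0 lines for /etc/pve/qemu-server/3346.conf (assumption, not from the post).
VM_CONF_UNFILTERED = "net0: virtio=BC:24:11:00:00:01,bridge=vmbr1"
VM_CONF_FILTERED = "net0: virtio=BC:24:11:00:00:01,bridge=vmbr1,firewall=1"


def parse_rule(line):
    """One RULES line. A leading '|' means the rule is present but disabled."""
    enabled = not line.startswith("|")
    tokens = line.lstrip("|").split()
    m = re.match(r"(\w+)\((\w+)\)$", tokens[1])          # e.g. SSH(ACCEPT)
    macro, action = (m.group(1), m.group(2)) if m else (None, tokens[1])
    opts = {tokens[i][1:]: tokens[i + 1] for i in range(2, len(tokens) - 1, 2)}
    return {"enabled": enabled, "dir": tokens[0], "macro": macro,
            "action": action, "opts": opts, "raw": line}


def parse_fw(text):
    """Split a .fw file into options, ipsets (as networks) and parsed rules."""
    cfg = {"options": {}, "ipsets": {}, "rules": []}
    section = name = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # '# ...' is a comment
        if not line:
            continue
        m = re.match(r"\[(\w+)(?:\s+(\S+))?\]$", line)    # [OPTIONS], [IPSET name], [RULES]
        if m:
            section, name = m.group(1).upper(), m.group(2)
            if section == "IPSET":
                cfg["ipsets"].setdefault(name, [])
            continue
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            cfg["options"][key.strip()] = value.strip()
        elif section == "IPSET":
            cfg["ipsets"][name].append(ipaddress.ip_network(line, strict=False))
        elif section == "RULES":
            cfg["rules"].append(parse_rule(line))
    return cfg


def source_matches(spec, ipsets, src):
    """'+dc/name' or '+name' refers to an IPSET; anything else is an address or CIDR."""
    ip = ipaddress.ip_address(src)
    if spec.startswith("+"):
        return any(ip in net for net in ipsets.get(spec[1:].split("/")[-1], []))
    return ip in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, ipsets, src, proto, dport=None, iface=None):
    o = rule["opts"]
    if not rule["enabled"] or rule["dir"] != "IN":
        return False
    if "i" in o and o["i"] != iface:
        return False
    if "source" in o and not source_matches(o["source"], ipsets, src):
        return False
    if rule["macro"]:
        return any(p == proto and lo <= (dport or 0) <= hi for p, lo, hi in MACROS[rule["macro"]])
    if "p" in o and o["p"] != proto:
        return False
    if "dport" in o:
        lo, _, hi = o["dport"].partition(":")
        return dport is not None and int(lo) <= dport <= int(hi or lo)
    return True


def verdict(vm_fw, dc_fw, src, proto, dport=None, iface=None):
    """First matching enabled IN rule wins; otherwise policy_in (VM default: DROP)."""
    ipsets = {**dc_fw["ipsets"], **vm_fw["ipsets"]}
    for rule in vm_fw["rules"]:
        if rule_matches(rule, ipsets, src, proto, dport, iface):
            return rule["action"], rule["raw"]
    return vm_fw["options"].get("policy_in", "DROP"), "policy_in (default DROP)"


def nic_is_filtered(vm_conf, nic="net0"):
    """VM rules only attach to a NIC whose config line carries firewall=1."""
    for line in vm_conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == nic:
            return "firewall=1" in [kv.strip() for kv in value.split(",")]
    return False


def check(vm_fw_text, dc_fw_text, vm_conf, src, proto, dport=None):
    """Rule verdict plus the two preconditions that decide whether it is enforced at all."""
    vm_fw, dc_fw = parse_fw(vm_fw_text), parse_fw(dc_fw_text)
    action, why = verdict(vm_fw, dc_fw, src, proto, dport)
    applies = vm_fw["options"].get("enable") == "1" and nic_is_filtered(vm_conf)
    return {"rule_verdict": action, "matched": why, "rules_applied": applies}


if __name__ == "__main__":
    for conf in (VM_CONF_UNFILTERED, VM_CONF_FILTERED):
        print(conf)
        print("  tcp/5403 from pve1:", check(VM_FW, DC_FW, conf, "192.168.33.44", "tcp", 5403))
        print("  tcp/22   from pve1:", check(VM_FW, DC_FW, conf, "192.168.33.44", "tcp", 22))
```

Run against the quoted 3346.fw, the evaluator reports DROP for tcp/5403 from either node, because the only rule that would accept it is the disabled `|` line and the VM default policy is DROP. The useful output is the `rules_applied` field: with a net0 line lacking `firewall=1`, the verdict is never installed on the VM's tap interface, which is the first thing to compare against `qm config <vmid>` and `pve-firewall status` on the node when an nmap result contradicts the rule file.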