pve-firewall

Cantalupo · May 14, 2019

Server newly installed, the first task I did was to activate the firewall, but when enabled it only gets SSH access.
Door 8006 is inaccessible, would anyone have any tips?

When i disable the firewall, port 8006 resumes normal operation.

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
PVEFW-FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
PVEFW-OUTPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain PVEFW-Drop (1 references)
target     prot opt source               destination         
PVEFW-reject  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:43
PVEFW-DropBroadcast  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ */

Chain PVEFW-DropBroadcast (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type ANYCAST
DROP       all  --  0.0.0.0/0            224.0.0.0/4         
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w */

Chain PVEFW-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
PVEFW-FWBR-IN  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
PVEFW-FWBR-OUT  all  --  0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */

Chain PVEFW-FWBR-IN (1 references)
target     prot opt source               destination         
PVEFW-smurfs  all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0 */

Chain PVEFW-FWBR-OUT (1 references)
target     prot opt source               destination         
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk */

Chain PVEFW-HOST-IN (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
PVEFW-smurfs  all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
RETURN     2    --  0.0.0.0/0            0.0.0.0/0           
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:8006
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:3128
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-management-v4 src tcp dpt:22
PVEFW-Drop  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:96R79VOv3YFPQ6UkYyrwIaAX8Wc */

Chain PVEFW-HOST-OUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
RETURN     2    --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:0zVqGNg5V7YiSxt0h+sEYJsXD+M */

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-IN  all  --  0.0.0.0/0            0.0.0.0/0           
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk */

Chain PVEFW-OUTPUT (1 references)
target     prot opt source               destination         
PVEFW-HOST-OUT  all  --  0.0.0.0/0            0.0.0.0/0           
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0 */

Chain PVEFW-Reject (0 references)
target     prot opt source               destination         
PVEFW-reject  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:43
PVEFW-DropBroadcast  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 11
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
PVEFW-reject  udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,445
PVEFW-reject  udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:137:139
PVEFW-reject  udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:137 dpts:1024:65535
PVEFW-reject  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1900
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo */

Chain PVEFW-SET-ACCEPT-MARK (0 references)
target     prot opt source               destination         
MARK       all  --  0.0.0.0/0            0.0.0.0/0            MARK or 0x80000000
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY */

Chain PVEFW-logflags (5 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A */

Chain PVEFW-reject (6 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
DROP       all  --  224.0.0.0/4          0.0.0.0/0           
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc */

Chain PVEFW-smurflog (2 references)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk */

Chain PVEFW-smurfs (2 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0              0.0.0.0/0           
PVEFW-smurflog  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  ADDRTYPE match src-type BROADCAST
PVEFW-smurflog  all  --  224.0.0.0/4          0.0.0.0/0           [goto]
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:HssVe5QCBXd5mc9kC88749+7fag */

Chain PVEFW-tcpflags (0 references)
target     prot opt source               destination         
PVEFW-logflags  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x29
PVEFW-logflags  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x3F/0x00
PVEFW-logflags  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x06/0x06
PVEFW-logflags  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp flags:0x03/0x03
PVEFW-logflags  tcp  --  0.0.0.0/0            0.0.0.0/0           [goto]  tcp spt:0 flags:0x17/0x02
           all  --  0.0.0.0/0            0.0.0.0/0            /* PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo */
root@s7314 ~ #

Chris · May 14, 2019

Hi,
this should not happen on a default installation. By default the firewall rules allow access to the essential services for the host. See the https://pve.proxmox.com/pve-docs/pve-firewall.8.html
Can you post the output of `iptables-save` with the firewall enabled?

Cantalupo · May 14, 2019

Chris said:
Hi,
this should not happen on a default installation. By default the firewall rules allow access to the essential services for the host. See the https://pve.proxmox.com/pve-docs/pve-firewall.8.html
Can you post the output of `iptables-save` with the firewall enabled?

Access via ssh also does not work.

Code:

# Generated by iptables-save v1.6.0 on Tue May 14 06:45:25 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [23:1573]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A PVEFW-Drop -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:WDy2wbFe7jNYEyoO3QhUELZ4mIQ"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:Ijl7/xz0DD7LF91MlLCz0ybZBE0"
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:2jmj7l5rSw0yVb/vlWAYkK/YBwk"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID,NEW -j PVEFW-smurfs
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:96R79VOv3YFPQ6UkYyrwIaAX8Wc"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:0zVqGNg5V7YiSxt0h+sEYJsXD+M"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -p tcp -m tcp --dport 43 -j PVEFW-reject
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:CZJnIN6rAdpu+ej59QPr9+laMUo"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
COMMIT
# Completed on Tue May 14 06:45:25 2019

dan.ger · May 14, 2019

Did you turn on In-Policy to Accept at DataCenter's firewall?

Cantalupo · May 14, 2019

dan.ger said:
Did you turn on In-Policy to Accept at DataCenter's firewall?

I'm using Hetzner.
The problem is with them?

dan.ger · May 14, 2019

No, I think it is on your proxmox. Go to point datacenter in left Sidebarmenu, select firewall -> Options then check that following is set to:

Input Policy -> ACCEPT
Output Policy -> ACCEPT

Chris · May 14, 2019

Are you administrating from a remote IP address? By default only the local network is allowed to access the hosts. You have to set the management IPs in the corresponding IPSet. See 'Enabling the firewall' here: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_cluster_wide_setup

Chris · May 14, 2019

These are the corresponding rules.
If your IP doesn't match an IP in PVEFW-0-management-v4 src, the connection will be droped.

Code:

-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN

Cantalupo · May 14, 2019

dan.ger said:
No, I think it is on your proxmox. Go to point datacenter in left Sidebarmenu, select firewall -> Options then check that following is set to:

Input Policy -> ACCEPT
Output Policy -> ACCEPT

Thank you very much, it worked.

Chris said:
Are you administrating from a remote IP address? By default only the local network is allowed to access the hosts. You have to set the management IPs in the corresponding IPSet. See 'Enabling the firewall' here: https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html#pve_firewall_cluster_wide_setup

Yes, access via external IP.

I tried to use the command:

Code:

pve-firewall [IPSET IP]
ERROR: unknown command 'pve-firewall [IPSET'

Chris · May 14, 2019

You can easily add the IPSet in the GUI under Datacenter->Firewall->IPSet. If you simply change the Input/Output policy to ACCEPT, there is no need to enable the firewall at all (except you have special rules or want to block only traffic for VMs/CTs).

Cantalupo · May 14, 2019

Chris said:
You can easily add the IPSet in the GUI under Datacenter->Firewall->IPSet. If you simply change the Input/Output policy to ACCEPT, there is no need to enable the firewall at all (except you have special rules or want to block only traffic for VMs/CTs).

Exactly, I just want to block traffic to VM and CT.

But I'll test IPset, in case in name, just put the server's external IP or my dynamic IP?

Chris · May 14, 2019

Cantalupo said:
But I'll test IPset, in case in name, just put the server's external IP or my dynamic IP?

You have to set the source IP address, so if this is a dynamic IP you will run into troubles, although you can set also IP ranges in CIDR notation

Search

Search

pve-firewall

Cantalupo

Active Member

Chris

Proxmox Staff Member

Cantalupo

Active Member

dan.ger

Well-Known Member

Cantalupo

Active Member

dan.ger

Well-Known Member

Chris

Proxmox Staff Member

Chris

Proxmox Staff Member

Cantalupo

Active Member

Chris

Proxmox Staff Member

Cantalupo

Active Member

Chris

Proxmox Staff Member