I am completely lost with the firewall configuration on two Hetzner nodes, each with proxmox 6.3-1 and pve-firewall 4.1-3. Let's call them node1 and node2.
On both nodes Datacenter Firewall is enabled with ebtables=yes, input policy=DROP, Output policy=ACCEPT and no rules.
On node 2 there is a management ip-set defined.
All local firewalls in the container OS are disabled (ufw or iptables).
This is the topology:
Code:
├── node-1
│   ├── news
│   └── zabbix
└── node-2
    └── nextcloud
The Node Firewall is also enabled on both nodes with these rules:
Type | Action | Macro | Dest. port | Source port | Comment
---- | ------ | ----- | ---------- | ----------- | -------
out | ACCEPT | DNS | | |
in | ACCEPT | | 10050:10051 | 10050:10051 | Zabbix
out | ACCEPT | | 10050:10051 | 10050:10051 | Zabbix
out | ACCEPT | Web | | |
out | ACCEPT | Ping | | |
in | ACCEPT | Ping | | |
in | ACCEPT | | 8006 | 8006 | webgui
in | ACCEPT | SSH | | |
out | REJECT | | | |
On Node 1 is container zabbix with these rules:
Type | Action | Macro | Dest. port | Source port | Comment
---- | ------ | ----- | ---------- | ----------- | -------
out | ACCEPT | DNS | | |
in | ACCEPT | | 10050:10051 | 10050:10051 | Zabbix
out | ACCEPT | | 10050:10051 | 10050:10051 | Zabbix
in | ACCEPT | Web | | |
out | ACCEPT | Web | | |
out | REJECT | | | |
in | REJECT | | | |
This zabbix server only connects to the zabbix agents when its firewall is disabled.
The firewall of container news is enabled but does not seem to work, since e.g. an ssh login is possible although these rules are set:
Type | Action | Macro | Dest. port | Source port | Comment
---- | ------ | ----- | ---------- | ----------- | -------
in | ACCEPT | | 10050:10051 | 10050:10051 | Zabbix
out | ACCEPT | Web | | |
in | ACCEPT | Web | | |
in | DROP | | | |
out | DROP | | | |
On Node 2 there are containers whose zabbix agent is only detected when I disable the container firewall on them. The firewall for container nextcloud has:
Type | Action | Macro | Dest. port | Source port | Comment
---- | ------ | ----- | ---------- | ----------- | -------
in | ACCEPT | DNS | | |
out | ACCEPT | DNS | | |
in | ACCEPT | | 10050:10051 | 10050:10051 | Zabbix
out | ACCEPT | | 10050:10051 | 10050:10051 | Zabbix
out | ACCEPT | Web | | |
in | ACCEPT | Web | | |
out | ACCEPT | | | |
in | ACCEPT | | | |
in | REJECT | | | |
out | REJECT | | | |
So my problems are:
The zabbix server on container zabbix and the zabbix agents on cloud connect only when both container firewalls are disabled.
The container news does not work since it does not block ssh logins.
I am very sorry for the size of this post. I did not figure out another way to describe my dilemma.
I would be thankful for any help.
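The post's rule tables all depend on two things the Proxmox guest firewall does that are easy to lose sight of in the GUI: rules are evaluated top to bottom with the first match deciding, and a rule that restricts both the destination and the source port only matches a flow whose ports are both in range. The evaluator below is an added example (not code from the post, and not Proxmox's own implementation): it parses rule text in the `/etc/pve/firewall/<vmid>.fw` syntax, answers "which rule decides this flow", and lists rules that can never fire because an earlier catch-all in the same direction hides them. The sample rule files are constructed from the post's tables; the assumption that the Zabbix port rules are TCP, and the reduced `MACROS` table (only the macros the post uses, with `Ping` collapsed to protocol icmp), are mine.

```python
"""First-match evaluator for Proxmox VE guest firewall files (added example, not
code from the post or Proxmox). It mimics how pve-firewall reads a .fw file: rules
top to bottom, first match wins, else policy_in / policy_out (DROP / ACCEPT)."""
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port mapping of the Proxmox macros named in the post. Assumption: "Ping" is
# reduced to protocol icmp; the real macro also fixes the ICMP type.
MACROS = {"SSH": [("tcp", "22")], "Web": [("tcp", "80"), ("tcp", "443")],
          "DNS": [("udp", "53"), ("tcp", "53")], "Ping": [("icmp", None)]}

@dataclass
class Rule:
    direction: str               # "IN" or "OUT"
    action: str                  # ACCEPT, DROP or REJECT
    macro: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None  # "22", "80,443" or "10050:10051"
    sport: Optional[str] = None
    text: str = ""

Flow = namedtuple("Flow", "direction proto dport sport")  # as seen from the guest

def parse_rule(line: str) -> Rule:
    """Parse one [RULES] line such as 'IN SSH(ACCEPT) -log nolog'."""
    tokens = line.split()
    macro_form = re.fullmatch(r"(\w+)\((\w+)\)", tokens[1])  # MACRO(ACTION) form
    action, macro = (macro_form.group(2), macro_form.group(1)) if macro_form else (tokens[1], None)
    rule = Rule(tokens[0].upper(), action.upper(), macro, text=line)
    for key, value in zip(tokens[2::2], tokens[3::2]):  # options are "-key value" pairs
        if key == "-p":
            rule.proto = value.lower()
        elif key in ("-dport", "-sport"):
            setattr(rule, key[1:], value)
    return rule

def parse_fw(text: str) -> Tuple[dict, List[Rule]]:
    """Return the [OPTIONS] dict and the enabled [RULES] of a .fw file."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif section == "OPTIONS" and ":" in line:
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "RULES" and line and not line.startswith("|"):  # '|' = disabled rule
            rules.append(parse_rule(line))
    return options, rules

def port_matches(spec: Optional[str], port: Optional[int]) -> bool:
    if spec is None:  # no port restriction at all
        return True
    return port is not None and any(int(lo) <= port <= int(hi or lo)
                                    for lo, _, hi in (p.partition(":") for p in spec.split(",")))

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.direction != flow.direction:
        return False
    if rule.macro:  # a macro is a list of proto/port alternatives
        return any(flow.proto == p and port_matches(d, flow.dport) for p, d in MACROS[rule.macro])
    return ((rule.proto is None or rule.proto == flow.proto)
            and port_matches(rule.dport, flow.dport) and port_matches(rule.sport, flow.sport))

def evaluate(options: dict, rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule, or None when the policy decided)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, flow):
            return rule.action, index
    key, default = ("policy_in", "DROP") if flow.direction == "IN" else ("policy_out", "ACCEPT")
    return options.get(key, default).upper(), None

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules an earlier unrestricted rule in the same direction hides."""
    shadowed, catch_all = [], set()
    for index, rule in enumerate(rules):
        if rule.direction in catch_all:
            shadowed.append(index)
        elif not (rule.macro or rule.proto or rule.dport or rule.sport):
            catch_all.add(rule.direction)
    return shadowed

# Constructed .fw texts written from the post's tables (assumption: the Zabbix
# port rules are TCP). NEXTCLOUD_TAIL keeps only the last five nextcloud rules.
NEWS_FW = """[OPTIONS]
policy_in: DROP
[RULES]
IN ACCEPT -p tcp -dport 10050:10051 -sport 10050:10051 # Zabbix
OUT Web(ACCEPT)
IN Web(ACCEPT)
IN DROP
OUT DROP
"""
NEXTCLOUD_TAIL = """[RULES]
IN Web(ACCEPT)
OUT ACCEPT
IN ACCEPT
IN REJECT
OUT REJECT
"""
```

`evaluate(*parse_fw(NEWS_FW), Flow("IN", "tcp", 22, 51234))` returns `("DROP", 3)`, i.e. an inbound SSH connection is decided by the `IN DROP` rule, while `Flow("IN", "tcp", 10050, 51234)` (Zabbix port reached from an ephemeral source port) also ends at `IN DROP` because the first rule requires the source port to be in `10050:10051` as well. `shadowed_rules` on `NEXTCLOUD_TAIL` reports the two trailing `REJECT` rules, since the unrestricted `OUT ACCEPT` / `IN ACCEPT` above them already match every flow. Such an evaluator only tells you what the rules would do once they are applied: on a node, the guest rules take effect only if the `[OPTIONS]` section has `enable: 1` and the container's network interface carries the firewall flag (`firewall=1` on `net0` in `pct config <vmid>`), and `pve-firewall compile` prints the iptables rules the daemon actually generates.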