[SOLVED] Questions about the PVE firewall

klowet

Well-Known Member
Jun 22, 2018
Hi

I am configuring the PVE firewall this afternoon, but I don't get some things.

There are firewall rules in Datacenter, in Nodes (the cluster nodes) and in VMs.
  1. Is there a cascade working? E.g., are the rules in Datacenter also applicable to the Nodes?
  2. When I, e.g., set a Disable SSH rule in Datacenter, is SSH then blocked on all the Nodes and on all the VMs?
  3. When I disable the Datacenter firewall, is the firewall on the Nodes and VMs still active?
I have a PVE cluster with 3 Nodes. On each node, I have these networks:
  • 10.0.1.0/24 - management network
  • 10.0.2.0/24 - corosync network
  • 10.0.3.0/24 - ceph public network (with a separated Ceph cluster)
  • 10.0.4.0/24 - VM network
Where do I set my SSH rules to only allow SSH from Management network to the Nodes? On the Datacenter? Or on the Nodes?
Where do I set the ports used by the PVE cluster, like 8006, 5900-5999, 111, 5404 and 5405?

Thanks and all the best for 2019!
 
  1. Is there a cascade working? E.g., are the rules in Datacenter also applicable to the Nodes?
  2. When I, e.g., set a Disable SSH rule in Datacenter, is SSH then blocked on all the Nodes and on all the VMs?
  3. When I disable the Datacenter firewall, is the firewall on the Nodes and VMs still active?

ad 1 and 2.) Yes
ad 3.) No

I have a PVE cluster with 3 Nodes. On each node, I have these networks:
  • 10.0.1.0/24 - management network
  • 10.0.2.0/24 - corosync network
  • 10.0.3.0/24 - ceph public network (with a separated Ceph cluster)
  • 10.0.4.0/24 - VM network
Where do I set my SSH rules to only allow SSH from Management network to the Nodes? On the Datacenter? Or on the Nodes?


Where do I set the ports used by the PVE cluster, like 8006, 5900-5999, 111, 5404 and 5405?

As you like; if you set it on Datacenter it has effect for all Nodes (see also above).
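As an added example (not from this thread or from the Proxmox project), this is what the answers above look like as a datacenter-level firewall file. Proxmox stores datacenter rules in /etc/pve/firewall/cluster.fw; the networks are the ones listed in the question, the security group is named "proxmox" as it is later in the thread, and the SSH and Ceph macros are built-in Proxmox macros. Everything placed under [RULES] here applies to every node, so a single file answers both "where do I restrict SSH" and "where do I open the cluster ports".

```ini
# /etc/pve/firewall/cluster.fw  (added example; addresses taken from the
# question above, group name "proxmox" as used later in the thread)

[OPTIONS]
# Datacenter-level switch: with "enable: 0" here, no host or VM rules
# are applied anywhere in the cluster, whatever the node/VM settings say.
enable: 1
ebtables: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET management]
# Only these addresses may reach SSH and the web GUI on the nodes.
10.0.1.0/24

[IPSET corosync]
10.0.2.0/24

[IPSET ceph_public]
10.0.3.0/24

[RULES]
# Datacenter rules run on every node, so the group is referenced once
# here instead of being added to each node separately.
GROUP proxmox

[group proxmox]
# SSH and the web GUI (8006) from the management network only.
IN SSH(ACCEPT) -source +management -log nolog
IN ACCEPT -source +management -p tcp -dport 8006 -log nolog
# noVNC/SPICE console ports used by the GUI; management network only.
IN ACCEPT -source +management -p tcp -dport 5900:5999 -log nolog
# Corosync (5404/5405 UDP, multicast in this corosync generation) on the
# dedicated cluster network.
IN ACCEPT -source +corosync -p udp -dport 5404:5405 -log nolog
# The Ceph macro covers monitor and OSD port ranges; limit it to the
# Ceph public network.
IN Ceph(ACCEPT) -source +ceph_public -log nolog
```

Before enabling, `pve-firewall compile` prints the iptables rules this file generates, and `pve-firewall localnet` shows which network the firewall treats as the management network (traffic from that network to SSH and 8006 is allowed by the built-in host chains). Keeping an out-of-band console to one node open while switching `enable` to 1 is the cheap way to survive a mistake in the source restrictions.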
 
I am doing something wrong; this doesn't work.

At the Datacenter-level, I create one rule: Inbound Allow SSH (no interface, no source, no dest).
I don't do anything on Node or VM level.
When I enable the firewall, I get locked out and the cluster goes down.
 
I am doing something wrong; this doesn't work.

At the Datacenter-level, I create one rule: Inbound Allow SSH (no interface, no source, no dest).
I don't do anything on Node or VM level.
When I enable the firewall, I get locked out and the cluster goes down.

If cluster communication does not run across the "default" network, you have to enable the ports for multicast conversation too.

ssh should work - change the settings again, as well as
Code:
iptables-save
 
I got a little further. But now nothing is being blocked. This is an overview of my current settings:

Datacenter
Firewall: Yes
ebtables: Yes
Input Policy: DROP
Output Policy: ACCEPT

Security Group "proxmox" active at Datacenter and all 3 cluster Nodes:
In Accept Ceph
In Accept 8006
In Accept 5404,5405
In Accept SSH

On all cluster Nodes:
Security Group "proxmox" Enabled
Firewall: Yes

On a test-VM:
Firewall: Yes
Input Policy: DROP
Output Policy: ACCEPT
Two rules: HTTP and Ping DROP

But now I can ping and browse that test-VM from a computer outside the network.

The firewall is running:
Code:
root@pve03:/home/klowet# systemctl status pve-firewall
● pve-firewall.service - Proxmox VE firewall
   Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-01-14 06:51:32 CET; 3h 28min ago
 Main PID: 3317 (pve-firewall)
    Tasks: 1 (limit: 4915)
   Memory: 77.6M
      CPU: 1min 3.526s
   CGroup: /system.slice/pve-firewall.service
           └─3317 pve-firewall

jan 14 06:51:31 pve03 systemd[1]: Starting Proxmox VE firewall...
jan 14 06:51:32 pve03 pve-firewall[3317]: starting server
jan 14 06:51:32 pve03 systemd[1]: Started Proxmox VE firewall.
root@pve03:/home/klowet# pve-firewall status
Status: enabled/running
 
Okay, found it: the firewall wasn't enabled on the test-VM network interface.
But for a quick check: are my rules in my previous post ok?
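The fix found in the post above, as an added example that is not part of the thread: the per-NIC `firewall=1` flag in the VM config is what attaches a guest's bridge port to its firewall chains, and without it the rules in the VM's .fw file are compiled but never see a packet. The VM id 100 and the MAC address are placeholders; the paths /etc/pve/qemu-server/<vmid>.conf and /etc/pve/firewall/<vmid>.fw are the real Proxmox locations.

```ini
# Two files shown together (added example; VM id and MAC are placeholders).

# /etc/pve/qemu-server/100.conf  (excerpt)
# Without firewall=1 on the NIC, the VM's firewall rules compile but the
# bridge port is never wired into the VM's chains, so nothing is filtered.
# That is the "nothing is being blocked" symptom seen above.
net0: virtio=02:00:00:00:01:00,bridge=vmbr0,firewall=1

# /etc/pve/firewall/100.fw
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT
log_level_in: info

[RULES]
# Explicit DROP rules under a DROP input policy change nothing
# functionally, but with -log they produce one log line per hit, which
# is a cheap way to confirm the NIC really is behind the firewall.
IN Ping(DROP) -log info
IN HTTP(DROP) -log info
# Admin access only from the management network of the thread.
IN SSH(ACCEPT) -source 10.0.1.0/24 -log nolog
```

After saving the file, `pve-firewall status` should still report enabled/running, and a ping to the VM from outside should now show up in /var/log/pve-firewall.log instead of getting a reply; if it does not, the NIC flag is the first thing to re-check.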
 
Okay, found it: the firewall wasn't enabled on the test-VM network interface.
But for a quick check: are my rules in my previous post ok?

There is nothing wrong with them - whether they are OK for your needs, you have to know yourself ....