[SOLVED] Questions about the PVE firewall

K

klowet

Well-Known Member
Jun 22, 2018
43
2
48
Hi

I am configuring the PVE firewall this afternoon, but I don't get some things.

There are firewall rules in Datacenter, in Nodes (the cluster nodes) and in VMs.
  1. Is there a cascade working? Eg, are the rules in Datacenter also applicable on the Nodes?
  2. When I eg. set a Disable SSH rule in Datacenter, is SSH then blocked on all the Nodes and on all the VMs?
  3. When I disable the Datacenter firewall, is the firewall on the Nodes and VMs still active?
I have a PVE cluster with 3 Nodes. On each node, I have these networks:
  • 10.0.1.0/24 - management network
  • 10.0.2.0/24 - corosync network
  • 10.0.3.0/24 - ceph public network (with a separated Ceph cluster)
  • 10.0.4.0/24 - VM network
Where do I set my SSH rules to only allow SSH from Management network to the Nodes? On the Datacenter? Or on the Nodes?
Where do I set the ports used by the PVE cluster, like 8006, 5900-5999, 111, 5404 and 5405?

Thanks and all the best for 2019!
 
klowet said:
  1. Is there a cascade working? Eg, are the rules in Datacenter also applicable on the Nodes?
  2. When I eg. set a Disable SSH rule in Datacenter, is SSH then blocked on all the Nodes and on all the VMs?
  3. When I disable the Datacenter firewall, is the firewall on the Nodes and VMs still active?
Click to expand...

ad 1 and 2.) Yes
ad 3.) No

klowet said:
I have a PVE cluster with 3 Nodes. On each node, I have these networks:
  • 10.0.1.0/24 - management network
  • 10.0.2.0/24 - corosync network
  • 10.0.3.0/24 - ceph public network (with a separated Ceph cluster)
  • 10.0.4.0/24 - VM network
Where do I set my SSH rules to only allow SSH from Management network to the Nodes? On the Datacenter? Or on the Nodes?


Where do I set the ports used by the PVE cluster, like 8006, 5900-5999, 111, 5404 and 5405?
Click to expand...

As you like, if you set it on Datacenter it has affect for all Nodes (see also above)
 
I do something wrong, this doesn't work.

At the Datacenter-level, I create one rule: Inbound Allow SSH (no interface, no source, no dest).
I don't do anything on Node or VM level.
When I enable the firewall, I got locked out and the cluster goes down.
 
klowet said:
I do something wrong, this doesn't work.

At the Datacenter-level, I create one rule: Inbound Allow SSH (no interface, no source, no dest).
I don't do anything on Node or VM level.
When I enable the firewall, I got locked out and the cluster goes down.
Click to expand...

If Cluster communication does not run across "default" network you have to enable the ports for multicast conversation too.

ssh should work - change the settings again, as well as
Code: 
iptables-save
 
I got a little further. But now nothing is being blocked. This is a overview of my current settings:

Datacenter
Firewall: Yes
eptables: Yes
Input Policy: DROP
Output Policy: ACCEPT

Security Group "proxmox" active at Datacenter and all 3 cluster Nodes:
In Accept Ceph
In Accept 8006
In Accept 5404,5405
In Accept SSH

On all cluster Nodes:
Security Group "proxmox" Enabled
Firewall: Yes

On a test-VM:
Firewall: Yes
Input Policy: DROP
Output Policy: ACCEPT
Two rules: HTTP and Ping DROP

But now I can ping and browse that test-VM fron a computer outside the network.

The firewall is running:
Code: 
root@pve03:/home/klowet# systemctl status pve-firewall
● pve-firewall.service - Proxmox VE firewall
   Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-01-14 06:51:32 CET; 3h 28min ago
 Main PID: 3317 (pve-firewall)
    Tasks: 1 (limit: 4915)
   Memory: 77.6M
      CPU: 1min 3.526s
   CGroup: /system.slice/pve-firewall.service
           └─3317 pve-firewall

jan 14 06:51:31 pve03 systemd[1]: Starting Proxmox VE firewall...
jan 14 06:51:32 pve03 pve-firewall[3317]: starting server
jan 14 06:51:32 pve03 systemd[1]: Started Proxmox VE firewall.
root@pve03:/home/klowet# pve-firewall status
Status: enabled/running
 
Oke found it: the firewall wasn't enabled on the test-VM network interface.
But for a quick check: are my rules in my previous post ok?
 
klowet said:
Oke found it: the firewall wasn't enabled on the test-VM network interface.
But for a quick check: are my rules in my previous post ok?
Click to expand...

There is nothing against them - if they are ok for your needs you have to know ....
 
You must log in or register to reply here.
Top Bottom