Hi I am configuring the PVE firewall this afternoon, but I don't get some things. There are firewall rules in Datacenter, in Nodes (the cluster nodes) and in VMs. Is there a cascade working? Eg, are the rules in Datacenter also applicable on the Nodes? When I eg. set a Disable SSH rule in Datacenter, is SSH then blocked on all the Nodes and on all the VMs? When I disable the Datacenter firewall, is the firewall on the Nodes and VMs still active? I have a PVE cluster with 3 Nodes. On each node, I have these networks: 10.0.1.0/24 - management network 10.0.2.0/24 - corosync network 10.0.3.0/24 - ceph public network (with a separated Ceph cluster) 10.0.4.0/24 - VM network Where do I set my SSH rules to only allow SSH from Management network to the Nodes? On the Datacenter? Or on the Nodes? Where do I set the ports used by the PVE cluster, like 8006, 5900-5999, 111, 5404 and 5405? Thanks and all the best for 2019!
ad 1 and 2.) Yes ad 3.) No As you like, if you set it on Datacenter it has affect for all Nodes (see also above)
I do something wrong, this doesn't work. At the Datacenter-level, I create one rule: Inbound Allow SSH (no interface, no source, no dest). I don't do anything on Node or VM level. When I enable the firewall, I got locked out and the cluster goes down.
If Cluster communication does not run across "default" network you have to enable the ports for multicast conversation too. ssh should work - change the settings again, as well as Code: iptables-save
I got a little further. But now nothing is being blocked. This is a overview of my current settings: Datacenter Firewall: Yes eptables: Yes Input Policy: DROP Output Policy: ACCEPT Security Group "proxmox" active at Datacenter and all 3 cluster Nodes: In Accept Ceph In Accept 8006 In Accept 5404,5405 In Accept SSH On all cluster Nodes: Security Group "proxmox" Enabled Firewall: Yes On a test-VM: Firewall: Yes Input Policy: DROP Output Policy: ACCEPT Two rules: HTTP and Ping DROP But now I can ping and browse that test-VM fron a computer outside the network. The firewall is running: Code: root@pve03:/home/klowet# systemctl status pve-firewall ● pve-firewall.service - Proxmox VE firewall Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2019-01-14 06:51:32 CET; 3h 28min ago Main PID: 3317 (pve-firewall) Tasks: 1 (limit: 4915) Memory: 77.6M CPU: 1min 3.526s CGroup: /system.slice/pve-firewall.service └─3317 pve-firewall jan 14 06:51:31 pve03 systemd[1]: Starting Proxmox VE firewall... jan 14 06:51:32 pve03 pve-firewall[3317]: starting server jan 14 06:51:32 pve03 systemd[1]: Started Proxmox VE firewall. root@pve03:/home/klowet# pve-firewall status Status: enabled/running
Oke found it: the firewall wasn't enabled on the test-VM network interface. But for a quick check: are my rules in my previous post ok?
