[SOLVED] Questions about the PVE firewall

Discussion in 'Proxmox VE: Networking and Firewall' started by klowet, Dec 31, 2018.

  1. klowet

    klowet New Member

    Joined:
    Jun 22, 2018
    Messages:
    24
    Likes Received:
    0
    Hi

    I am configuring the PVE firewall this afternoon, but I don't get some things.

    There are firewall rules in Datacenter, in Nodes (the cluster nodes) and in VMs.
    1. Is there a cascade working? E.g., are the rules in Datacenter also applicable on the Nodes?
    2. When I, e.g., set a Disable SSH rule in Datacenter, is SSH then blocked on all the Nodes and on all the VMs?
    3. When I disable the Datacenter firewall, is the firewall on the Nodes and VMs still active?
    I have a PVE cluster with 3 Nodes. On each node, I have these networks:
    • 10.0.1.0/24 - management network
    • 10.0.2.0/24 - corosync network
    • 10.0.3.0/24 - ceph public network (with a separated Ceph cluster)
    • 10.0.4.0/24 - VM network
    Where do I set my SSH rules to only allow SSH from Management network to the Nodes? On the Datacenter? Or on the Nodes?
    Where do I set the ports used by the PVE cluster, like 8006, 5900-5999, 111, 5404 and 5405?

    Thanks and all the best for 2019!
     
  2. Richard

    Richard Proxmox Staff Member
    Staff Member

    Joined:
    Mar 6, 2015
    Messages:
    665
    Likes Received:
    23
    ad 1 and 2.) Yes
    ad 3.) No

    As you like; if you set it on Datacenter it has an effect for all Nodes (see also above)
     
  3. klowet

    klowet New Member

    Joined:
    Jun 22, 2018
    Messages:
    24
    Likes Received:
    0
    Thanks Richard, I'll give this a try.
     
  4. klowet

    klowet New Member

    Joined:
    Jun 22, 2018
    Messages:
    24
    Likes Received:
    0
    I'm doing something wrong; this doesn't work.

    At the Datacenter-level, I create one rule: Inbound Allow SSH (no interface, no source, no dest).
    I don't do anything on Node or VM level.
    When I enable the firewall, I get locked out and the cluster goes down.
     
  5. Richard

    Richard Proxmox Staff Member
    Staff Member

    Joined:
    Mar 6, 2015
    Messages:
    665
    Likes Received:
    23
    If cluster communication does not run across the "default" network, you have to enable the ports for multicast conversation too.

    ssh should work - change the settings again, as well as
    Code:
    iptables-save
    
     
  6. klowet

    klowet New Member

    Joined:
    Jun 22, 2018
    Messages:
    24
    Likes Received:
    0
    I got a little further. But now nothing is being blocked. This is an overview of my current settings:

    Datacenter
    Firewall: Yes
    ebtables: Yes
    Input Policy: DROP
    Output Policy: ACCEPT

    Security Group "proxmox" active at Datacenter and all 3 cluster Nodes:
    In Accept Ceph
    In Accept 8006
    In Accept 5404,5405
    In Accept SSH

    On all cluster Nodes:
    Security Group "proxmox" Enabled
    Firewall: Yes

    On a test-VM:
    Firewall: Yes
    Input Policy: DROP
    Output Policy: ACCEPT
    Two rules: HTTP and Ping DROP

    But now I can ping and browse that test-VM from a computer outside the network.

    The firewall is running:
    Code:
    root@pve03:/home/klowet# systemctl status pve-firewall
    ● pve-firewall.service - Proxmox VE firewall
       Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; vendor preset: enabled)
       Active: active (running) since Mon 2019-01-14 06:51:32 CET; 3h 28min ago
     Main PID: 3317 (pve-firewall)
        Tasks: 1 (limit: 4915)
       Memory: 77.6M
          CPU: 1min 3.526s
       CGroup: /system.slice/pve-firewall.service
               └─3317 pve-firewall
    
    jan 14 06:51:31 pve03 systemd[1]: Starting Proxmox VE firewall...
    jan 14 06:51:32 pve03 pve-firewall[3317]: starting server
    jan 14 06:51:32 pve03 systemd[1]: Started Proxmox VE firewall.
    root@pve03:/home/klowet# pve-firewall status
    Status: enabled/running
     
  7. klowet

    klowet New Member

    Joined:
    Jun 22, 2018
    Messages:
    24
    Likes Received:
    0
    OK, found it: the firewall wasn't enabled on the test-VM network interface.
    But for a quick check: are my rules in my previous post ok?
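    As an added example (not from the thread), here is the setup from the two posts above written as the firewall files Proxmox VE stores under /etc/pve, plus the NIC flag that was missing. The SSH source restriction to the management network (from the first post), the corosync source network, the node name, VM id, NIC name and bridge are my assumptions.

    ```ini
    # Added example: the configuration from post 6 as PVE writes it to /etc/pve.
    # Assumed: 10.0.1.0/24 is the only allowed SSH source, node name "pve03",
    # VM id 100 with NIC "net0" on bridge "vmbr0".

    # /etc/pve/firewall/cluster.fw  (Datacenter level; applies to every node)
    [OPTIONS]
    enable: 1
    ebtables: 1
    policy_in: DROP
    policy_out: ACCEPT

    [group proxmox]
    IN Ceph(ACCEPT) -source 10.0.3.0/24                    # Ceph public network only
    IN ACCEPT -p tcp -dport 8006                           # web GUI / API
    IN ACCEPT -p udp -dport 5404:5405 -source 10.0.2.0/24  # corosync, incl. multicast
    IN SSH(ACCEPT) -source 10.0.1.0/24                     # SSH from management net only

    # /etc/pve/nodes/pve03/host.fw  (Node level; the same on each of the 3 nodes)
    [OPTIONS]
    enable: 1

    [RULES]
    GROUP proxmox

    # /etc/pve/firewall/100.fw  (VM level)
    [OPTIONS]
    enable: 1
    policy_in: DROP
    policy_out: ACCEPT

    [RULES]
    IN HTTP(DROP)
    IN Ping(DROP)

    # /etc/pve/qemu-server/100.conf  (the step missed in post 7: firewall=1 on the NIC;
    # without it none of the VM rules above are applied to that interface)
    net0: virtio=02:00:00:00:00:01,bridge=vmbr0,firewall=1
    ```

    With policy_in set to DROP the two explicit DROP rules in the VM file are redundant; the check that matters after editing these files is `pve-firewall compile` on a node, which shows the generated iptables rules without activating them.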
     
  8. Richard

    Richard Proxmox Staff Member
    Staff Member

    Joined:
    Mar 6, 2015
    Messages:
    665
    Likes Received:
    23
    There is nothing against them - if they are ok for your needs you have to know ....
     