Secure vm network

P

proxuser948

New Member
Jun 20, 2017
4
0
1
54
I'm dealing with only one big static IP-pool. We have mostly public webservers (and often control panels), so little private IPs and only public static IPs in the vm-environment.

For testing, I have set up LXC containers on vmbr0.

My concern is that some guest inside an LXC might want to hack servers or internal services (or a weakness in an app for that case). We have a dedicated fw before our network of course, but here we would have some clients on LXC (inside it) - and we can't easly vlan it in transparent fw mode from what I have been told. So they (the LXC guests) would in fact be inside our fw and can connect to every port.

Most servers have software fw inside there again. Is there a way to maybe at least deny connections to a defined set of IPs (outoing from the LXC)? I can set it up on the LXC-container through the GUI of course and that works, but this can just be disabled or removed by the user.

I tried to define fw at cluster and datacenter level, but that doesn't impact the LXC from what I have been able to test quickly.
 
proxuser948 said:
My concern is that some guest inside an LXC might want to hack servers or internal services
Click to expand...
proxuser948 said:
I can set it up on the LXC-container through the GUI of course and that works, but this can just be disabled or removed by the user.
Click to expand...

how can a hacker inside a container change the firewall settings of the proxmox gui? he would have to gain access to the proxmox host and know login credentials with the appropriate rights
 
I'm talking about a registered user that has been assigned an LXC-container. He/She can disable the firewall or change the rules (for his container). From there, a registered users with evil intentions (or a hacker that hacks this users container) has access to other physical servers on the same network.

If I could enforce global rules at the host - so that no guests (container) can connect to given IPs inside the same network, it would have helped somewhat. From what I have read in documentation, it seems like it is not possible.
 
you can restrict access of the users to not include the VM.Config.Network Privilege, then the user cannot edit any network settings of vms/containers
 
That would remove their options for editing their own firewall-rules I guess? I was hoping for a solution where there is some ground rules to begin with and they could only build on top on those rules.

My only option I know of now is to physically put a firewall on my local network betweeen the Proxmox-server and the rest of the network. It will allow all non-local traffic.

Would it be possible to run a cron-job that adds fw-rules to to all LXC-guests? So that if a user removes the rules, it will be added just a minute later again. It would need to be a job running on the ProxMox host.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back