Setting up HOST only firewalls in my cluster

[GodZone]

I am trying to setup the pve firewall so that the rules only impact the cluster hosts them selves and not any of the VMs which are already behind their own firewalls.

I have added my networks to the 'management' IP-Set, I have turned on the firewall at the Data Centre level. The INPUT Policy is DROP the Output Policy is ACCEPT.

When I turn on the firewall on the individual hosts, I almost immediately find that some of the VM services stop working and I typically lose access to the host via the Web UI.

I don't understand what I am doing wrong and would really like to be able to restrict access to the hosts to get on top of the continuous SSH probing etc.

 

[sg90]

Make sure you have the firewall disabled/unticked on the VM NICs.

Then the rules will only be applied to the hosts

 

[GodZone]

None of the VMs have the firewall option on the NIC checked, the VM Firewalls are all set to NO.

I am really confused. My goal is to have clusterwide rules that limit access to the hosts but allow full access to the VMs. But I cant work out how to do this as turning on the firewall at both the cluster and host level impacts the VMs.

BTW: Am running 6.1.5 on all nodes.

 

[GodZone]

I am wondering whether what I should be doing is to set the DataCentre policy to INPUT: ALLOW and then to create an IPSet for the hosts and then create specific rules that drop all traffic to the hosts (except the management IPset). I am also experimenting with /etc/hosts.allow to at least block SSH from unwanted sources.