Use external sources in Proxmox firewall

You can use 'ipset' ('man ipset') to do that.
 
Hi,

The best way is to use some kind of rules on your upstream border router and not at the Proxmox level. If you cannot do this, and you must use PMX nodes (and it is OK for you if you will not block the input, but only the output), then you can do it like this:

- install OSPF on all of your nodes, and make a simple script that can import your blacklists into OSPF as a null route (only on a single node; OSPF will export it to all other nodes)
- even better, you can set up fail2ban to also use a null route for the bad guys, and then OSPF will export this info almost instantly to the rest of the nodes
- the main advantage of using this is that the route table has a cache (the firewall does not have this)
- you do not need to import your blacklist on each Proxmox node
- as a general rule, you can use any blacklist tool, and import once for all of your infrastructure
- iptables/firewall will eat more CPU/RAM because it will need to process every new connection, at least for the same IP

Each variant has pros and cons.

Good luck.
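To make the two suggestions above concrete (the "use ipset" reply and the null-route/OSPF reply), here is an added example script; it is not code from this thread or from Proxmox. It takes a blocklist feed, validates it so a malformed or poisoned feed cannot inject anything into the commands it builds, and then renders three outputs: an `ipset restore` script that loads the entries into a temporary set and swaps it in atomically, the `ip route ... blackhole` commands for the null-route approach, and an `[IPSET name]` fragment in the `/etc/pve/firewall/cluster.fw` format for anyone who wants the Proxmox firewall itself to own the set. The feed format (one IPv4 address or CIDR per line, `#`/`;` comments), the set name `blocklist`, and the use of `proto` as a tag on the routes are my assumptions; the sample feed is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from Proxmox. It turns a
# blocklist feed into the artifacts the thread talks about:
#   1. an 'ipset restore' script that loads a new set and swaps it in atomically
#   2. 'ip route ... blackhole' commands (the null-route approach)
#   3. a [IPSET name] fragment for /etc/pve/firewall/cluster.fw
# Assumptions (mine): one IPv4 address or CIDR per line with '#'/';' comments,
# the set is called "blocklist", and the real commands run as root on a node.

# Constructed sample feed: duplicates, a CIDR, comments, blanks and junk.
SAMPLE_BLOCKLIST='# constructed sample feed
192.0.2.10
192.0.2.10
198.51.100.0/24

203.0.113.7 ; trailing comment
not-an-ip
10.0.0.300
2001:db8::1
'

# parse_blocklist: stdin -> one validated IPv4 CIDR per line, deduplicated.
# Anything that is not a dotted quad (octets 0-255) with an optional /0-32
# prefix is dropped, so a malformed or poisoned feed cannot smuggle text into
# 'ipset restore' or 'ip route'. IPv6 is dropped on purpose: the set and the
# routes below are family inet only.
parse_blocklist() {
  sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
  | awk -F'[./]' '
      NF < 4 || NF > 5 { next }
      NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { next }
      {
        for (i = 1; i <= 4; i++)
          if ($i !~ /^[0-9]+$/ || $i > 255) next
        if (NF == 4) print $0 "/32"; else print $0
      }' \
  | sort -u
}

# render_ipset_restore NAME: emit input for 'ipset -exist restore'. Entries
# go into a temporary set that is then swapped with the live one, so the
# firewall never matches against a half-loaded set while you reload.
render_ipset_restore() {
  name=$1
  printf 'create %s hash:net family inet\n' "$name"
  printf 'create %s_tmp hash:net family inet\n' "$name"
  printf 'flush %s_tmp\n' "$name"
  while read -r net; do
    printf 'add %s_tmp %s\n' "$name" "$net"
  done
  printf 'swap %s_tmp %s\n' "$name" "$name"
  printf 'destroy %s_tmp\n' "$name"
}

# render_blackhole_routes [PROTO]: emit the null-route commands from the
# thread. 'replace' makes re-runs idempotent; tagging the routes with a
# protocol lets you drop them all later with 'ip route flush proto PROTO'.
render_blackhole_routes() {
  proto=${1:-static}
  while read -r net; do
    printf 'ip route replace blackhole %s proto %s\n' "$net" "$proto"
  done
}

# render_pve_ipset NAME: emit a cluster-wide IPSet section in the
# /etc/pve/firewall/cluster.fw format (referenced in a rule as +NAME).
render_pve_ipset() {
  printf '[IPSET %s]\n' "$1"
  cat
  printf '\n'
}

# Stand-alone demo: print what would be fed to the real tools.
printf '%s' "$SAMPLE_BLOCKLIST" | parse_blocklist | render_ipset_restore blocklist
printf '%s' "$SAMPLE_BLOCKLIST" | parse_blocklist | render_blackhole_routes
printf '%s' "$SAMPLE_BLOCKLIST" | parse_blocklist | render_pve_ipset blocklist
```

In use you would replace the sample with the downloaded feed, e.g. `curl -fsS "$FEED_URL" | parse_blocklist | render_ipset_restore blocklist | ipset -exist restore`, or pipe `render_blackhole_routes` into `sh`. Two caveats from my side: a raw ipset created this way is only matched by an iptables rule you add yourself (something like `-m set --match-set blocklist src -j DROP`), because the Proxmox firewall only references the sets declared in its own config, which is what the `[IPSET ...]` fragment is for; and the OSPF redistribution step from the reply above is left to your routing daemon, this script only installs the local blackhole routes.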
 
Thanks guletz,
any recommendation you have for a specific tool?
maybe some pfSense gateway?
something else?

Regards,
 
Hi,

Yes, pfSense is a well-known tool. But I prefer another approach:

- use a hardware border firewall (OSPF capable, dynamic firewall rules, capable of importing various blacklists with > 30,000 IPs, and very cheap as well)
- on the PMX level I use a very simple firewall + OSPF.

The idea is to use 2 different kinds of firewalls at the same time.
 