Using proxmox firewall. How does it work? How does it work with bridge?

exp

Jul 20, 2023
I am currently not using proxmox firewall. I have a single vlan aware bridge vmbr0 and all VMs/CTs use it along with a VLAN tag (or none, if they need access to all VLANs such as a virtual router).

If I were to enable the firewall, what would happen? What would happen to my bridge and where would the firewall be exactly inserted? Would it be ebtables rules or iptables rules? And in the latter case, how? It would need two different L2 networks...

The reason why I am asking and why I am so confused about it is that even if I add a new network interface to my VMs or CTs, it seems I can always only add bridged interfaces:

Lastly, I also note that I have some networks where I definitely need to preserve the addressing. For example, I have a public /28 which some VMs use. Is it still possible to use the proxmox firewall in those instances (e.g. via ebtables or some sort of NAT)?
 
Depends on if you're using pve-firewall (ip(6)tables / ebtables) or the newer proxmox-firewall (nftables). The older firewall utilizes all xtables tools, depending on the feature. IPv4 filtering is done via iptables, IPv6 via ip6tables, MAC filtering via ebtables. The firewall differentiates by using the interface names, which follow a specific schema.

The Host / Datacenter level firewall will hook at the same points for both, INPUT & OUTPUT chains.
For the VM level firewall, the old firewall will use the FORWARD chain and the physdev module. The nftables firewall utilizes the bridge table of nftables and hooks there at PREROUTING (for outgoing VM traffic) and POSTROUTING (for incoming VM traffic). There's also the option of defining a firewall at VNet level with SDN, this utilizes the FORWARD hook of the bridge table.

A good illustration of the different netfilter chain types can be found here [1].

You can always check the generated iptables commands via iptables-save. If you're using the newer firewall you can use nft list ruleset.

Lastly, I also note that I have some networks where I definitely need to preserve the addressing. For example, I have a public /28 which some VMs use. Is it still possible to use the proxmox firewall in those instances (e.g. via ebtables or some sort of NAT)?
Yes, you can use any IPs with the firewall - not sure what exactly you mean here.

[1] https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
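The answer points to nft list ruleset as the way to see where the newer firewall is inserted. As an added example (not code from this thread or from Proxmox), the script below parses a dump of that shape and reports which netfilter family and hook each base chain attaches to, and at which hooks a given guest interface is matched; the table and chain names in the constructed sample are assumed, and only the tapVMIDiN interface naming follows Proxmox's scheme.

```python
import re

TABLE_RE = re.compile(r'^table (\S+) (\S+) \{$')
CHAIN_RE = re.compile(r'^\s*chain (\S+) \{$')
HOOK_RE = re.compile(r'^\s*type \S+ hook (\S+) ')       # base chains only; regular chains have no hook
IF_RE = re.compile(r'\b[io]ifname "?([A-Za-z0-9._-]+)"?')

# Constructed sample in the shape of `nft list ruleset` output; table and chain names are assumed.
SAMPLE_RULESET = """\
table inet host-fw {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lo" accept
    }
}
table bridge guest-fw {
    chain vm-outgoing {
        type filter hook prerouting priority filter; policy accept;
        iifname "tap100i0" accept
    }
    chain vm-incoming {
        type filter hook postrouting priority filter; policy accept;
        oifname "tap100i0" tcp dport 22 accept
    }
}
"""

def parse_ruleset(text):
    """One dict per chain: family, table, name, hook (None for non-base chains), ifnames matched."""
    chains, cur, family, table = [], None, None, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            family, table = m.groups()
        elif m := CHAIN_RE.match(line):
            cur = {"family": family, "table": table, "name": m.group(1), "hook": None, "ifnames": set()}
            chains.append(cur)
        elif line.strip() == "}":
            cur = None                          # end of the current chain (or of the table)
        elif cur is not None:
            if m := HOOK_RE.match(line):
                cur["hook"] = m.group(1)
            cur["ifnames"].update(IF_RE.findall(line))
    return chains

def base_chains(chains):
    """(family, hook, table, chain) for every chain attached to a netfilter hook."""
    return sorted((c["family"], c["hook"], c["table"], c["name"]) for c in chains if c["hook"])

def hooks_for_interface(chains, ifname):
    """(family, hook) points whose base chain matches ifname directly."""
    return sorted({(c["family"], c["hook"]) for c in chains if c["hook"] and ifname in c["ifnames"]})
```

On a real host, feed it the output of nft list ruleset instead of SAMPLE_RULESET; a bridge-family prerouting/postrouting pair matching a tap or veth interface is the VM-level firewall the answer describes.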