Using PVE 3.4 I'm trying to block all traffic to/from IP addresses on a specific VM on its eth0 (it has a number of IPs on that NIC), apart from one IP address that needs to be allowed (for all ports).
I'm putting the following in /etc/pve/firewall/<vmid>.fw
Code:
[OPTIONS]
enable: 1
policy_out: DROP
policy_in: DROP
[RULES]
OUT ACCEPT -i net0 -source 92.x.x.25
IN ACCEPT -i net0 -dest 92.x.x.25
But it has no effect.
The node's firewall is off, if that makes any difference.
Does anyone have any ideas?
EDIT: I've set log levels for in and out to debug - but there's nothing in the logs. That can't be right, can it?
EDIT: OK so I was getting confused between a "cluster" and a "node" - each has separate fw settings, AND you need to enable the fw on the NIC at the VM level. Checkbox city!
So now the fw is working (and I see debug messages), I still can't work out how to limit traffic to one IP on the guest and block all others.
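Added here as a sanity checker for the per-guest file layout shown above (it is not Proxmox's own tooling and not code from the post): it parses the [OPTIONS]/[RULES] sections and reports when the guest firewall is not enabled, when either default policy is not DROP, or when an ACCEPT rule is not pinned to the one allowed guest IP on the correct side (OUT via -source, IN via -dest, because the guest's address is the source of outbound packets and the destination of inbound ones). The sample file and the 192.0.2.25 address are constructed stand-ins for the redacted 92.x.x.25; macro rules like SSH(ACCEPT) and the leading "|" that disables a rule are handled as in the PVE format.

```python
import re
# Constructed sample in the [OPTIONS]/[RULES] layout of /etc/pve/firewall/<vmid>.fw (192.0.2.25 stands in for 92.x.x.25)
SAMPLE_FW = """\
[OPTIONS]
enable: 1
policy_out: DROP
policy_in: DROP
[RULES]
OUT ACCEPT -i net0 -source 192.0.2.25
IN ACCEPT -i net0 -dest 192.0.2.25
"""

def parse_fw(text):
    # Returns ({option: value}, [rule dicts]); '#' lines are comments, a leading '|' disables a rule
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "RULES":
            parts = line.lstrip("|").split()
            action = re.sub(r"^\w+\((\w+)\)$", r"\1", parts[1].upper())  # SSH(ACCEPT) -> ACCEPT
            rule = {"dir": parts[0].upper(), "action": action, "enabled": not line.startswith("|")}
            for opt, val in zip(parts[2::2], parts[3::2]):  # "-opt value" pairs (-i, -source, -dest, ...)
                rule[opt.lstrip("-")] = val
            rules.append(rule)
    return options, rules

def check_single_ip_allowlist(text, allowed_ip):
    # Returns a list of findings; an empty list means only allowed_ip may send or receive
    options, rules = parse_fw(text)
    findings = []
    if options.get("enable") != "1":
        findings.append("guest firewall not enabled (enable: 1 missing)")
    for pol in ("policy_in", "policy_out"):
        if options.get(pol, "").upper() != "DROP":
            findings.append(f"{pol} is not DROP, so unmatched traffic is allowed")
    expect = {"OUT": "source", "IN": "dest"}  # OUT: guest IP is the packet source; IN: it is the dest
    for r in rules:
        if not r["enabled"] or r["action"] != "ACCEPT":
            continue
        if r.get(side := expect.get(r["dir"])) != allowed_ip:
            findings.append(f"{r['dir']} ACCEPT rule is not pinned to {allowed_ip} via -{side}: {r}")
    return findings
```

Run it against the real file with `check_single_ip_allowlist(open("/etc/pve/firewall/<vmid>.fw").read(), "<allowed ip>")`; an empty list means the file expresses the "one IP, everything else dropped" intent, while the node-level and NIC-level enable checkboxes still have to be set separately as the edits above describe.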