VM will lose connectivity if datacenter firewall is enabled / how to set up anti IP spoofing

layer7.net

Oct 5, 2021
Hi,

Code:
# cat firewall/112.fw
[OPTIONS]

enable: 1
dhcp: 0
ipfilter: 1
macfilter: 1

[IPSET ipfilter-net0]

192.168.1.200
192.168.1.201

in combination with:

Code:
# cat firewall/cluster.fw
[OPTIONS]

enable: 1
policy_in: ACCEPT

root@n1:/etc/pve#

Will not work. So this VM will lose IP connectivity.

The question would be how to debug this further.

iptables --list

will at no point show any rules about 192.168.1.200 or .201

So the question is how to configure this properly, as there must be something crucial missing.

The available documentation at pve_firewall_ipfilter_section is known.

/etc/pve/nodes/<nodename>/host.fw is at no point created.

PVE version is:

pve-manager/7.2-4/ca9d43cc (running kernel: 5.15.35-1-pve)

So the goal in general is just to set up IP-based and MAC-based anti IP spoofing.

Thank you!

Greetings
Oliver
 
Do you have "policy_in: ACCEPT" set up for the VM too?

Default is: in: DROP, out: ACCEPT
Hi,

thank you for your advice!

And yes, this does in general solve the problem of the VMs losing IP connectivity.

But it will not help with activating anti IP spoofing.

With these settings:

Datacenter Firewall:

Input / Output Policy = ACCEPT
Firewall = Yes
ebtables = Yes



Hostnode Firewall:

Firewall = Yes
DHCP = No
NDP = Yes
Router Advertisement = No
MAC filter = Yes
IP filter = Yes
Input / Output Policy = Accept



Qemu VM Firewall:

Firewall = Yes
DHCP = No
NDP = Yes
Router Advertisement = No
MAC filter = Yes
IP filter = Yes
Input / Output Policy = Accept

IPSet:

ipfilter-net0 with 192.168.1.200 and 192.168.1.201 listed.

Firewall is enabled on the net0 NIC.

----------

Still, if I add 192.168.1.202 (or any other IP), this IP can freely communicate with the network, which should actually not be possible.

Proxmox did set the ipset:

Code:
Name: PVEFW-169-ipfilter-net0-v4
Type: hash:net
Revision: 7
Header: family inet hashsize 64 maxelem 64 bucketsize 12 initval 0x27c619cf
Size in memory: 648
References: 1
Number of entries: 2
Members:
192.168.1.200
192.168.1.201

So something seems to be missing.
 
Hi,

yes

Firewall is enabled on the net0 NIC.

Maybe this whole thing does not work this way with the datacenter set to accept all. Maybe it has to be set to deny and then opened per host/VM. But unfortunately I cannot find any documentation on the details of how this whole concept actually works.
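The debugging hint buried in the thread is that `iptables --list` never shows the VM's addresses: pve-firewall loads the addresses into a kernel ipset and the generated rule matches on the set's name (`PVEFW-<vmid>-ipfilter-<net>-v4`, the name shown in the `ipset` output above), so that name is what to grep for, not the IPs. As an added example (not code from the forum posts or from Proxmox itself), here is a small Python checker that parses the `.fw` files quoted above, reports the VM's effective policies (VM `policy_in` defaults to DROP when unset, which is what the reply above points out) and whether an `ipfilter-net<N>` ipset is defined for each NIC, and then scans a constructed `ipset list -n` / `iptables-save` dump for references to the expected set name. The second NIC `net1`, the sample ipset names and the sample iptables rule are assumptions constructed for illustration; the real chain names and rule layout on a node may differ.

```python
"""Check a Proxmox VE firewall config for IP-filter (anti-spoofing) setup.

Added example for this thread; it is not part of pve-firewall. It parses the
.fw file format ([OPTIONS] with 'key: value' lines, [IPSET name] with one
address/CIDR per line, optional '!' nomatch prefix and '# comment').
"""
import re
from typing import Dict, List, Optional

# /etc/pve/firewall/112.fw as quoted in the first post.
VM_FW_112 = """\
[OPTIONS]

enable: 1
dhcp: 0
ipfilter: 1
macfilter: 1

[IPSET ipfilter-net0]

192.168.1.200
192.168.1.201
"""

# /etc/pve/firewall/cluster.fw as quoted in the first post.
CLUSTER_FW = """\
[OPTIONS]

enable: 1
policy_in: ACCEPT
"""

# Constructed samples of `ipset list -n` and `iptables-save` output (assumed
# shape: the VM interface chain matches on the set name, not on addresses).
IPSET_NAMES = """\
PVEFW-0-management-v4
PVEFW-112-ipfilter-net0-v4
"""
IPTABLES_SAVE = """\
*filter
:PVEFW-FORWARD - [0:0]
:tap112i0-OUT - [0:0]
-A tap112i0-OUT -m set ! --match-set PVEFW-112-ipfilter-net0-v4 src -j DROP
COMMIT
"""


def parse_fw(text: str) -> Dict[str, object]:
    """Parse a .fw file into options, ipsets and the remaining sections."""
    options: Dict[str, str] = {}
    ipsets: Dict[str, List[str]] = {}
    other: Dict[str, List[str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        m = re.match(r"^\[(\w+)(?:\s+(\S+))?\]$", line)
        if m:                                    # section header
            kind, name = m.group(1).upper(), m.group(2)
            section = kind if name is None else f"{kind} {name}"
            if kind == "IPSET":
                ipsets.setdefault(name, [])
            continue
        if section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section and section.startswith("IPSET "):
            ipsets[section.split(" ", 1)[1]].append(line)
        elif section:
            other.setdefault(section, []).append(line)
    return {"options": options, "ipsets": ipsets, "other": other}


def _flag(opts: Dict[str, str], name: str, default: bool) -> bool:
    value = opts.get(name)
    return default if value is None else value.lower() in ("1", "true", "yes", "on")


def vm_report(cfg_text: str, vmid: int, nets: List[str]) -> Dict[str, object]:
    """Effective VM firewall settings plus per-NIC ipfilter ipset status.
    Defaults follow the PVE docs: enable/ipfilter off, macfilter on,
    policy_in DROP, policy_out ACCEPT."""
    cfg = parse_fw(cfg_text)
    opts, ipsets = cfg["options"], cfg["ipsets"]
    report: Dict[str, object] = {
        "enable": _flag(opts, "enable", False),
        "ipfilter": _flag(opts, "ipfilter", False),
        "macfilter": _flag(opts, "macfilter", True),
        "policy_in": opts.get("policy_in", "DROP").upper(),
        "policy_out": opts.get("policy_out", "ACCEPT").upper(),
        "nets": {},
    }
    for net in nets:
        name = f"ipfilter-{net}"
        report["nets"][net] = {
            "ipset_defined": name in ipsets,
            "entries": list(ipsets.get(name, [])),
            "kernel_set": f"PVEFW-{vmid}-{name}-v4",   # name to grep for
        }
    return report


def kernel_references(set_name: str, ipset_names: str, iptables_dump: str) -> Dict[str, object]:
    """Is the set loaded, and which chains have a rule matching on it?"""
    loaded = set_name in ipset_names.split()
    chains = [l.split()[1] for l in iptables_dump.splitlines()
              if l.startswith("-A ") and f"--match-set {set_name} " in l]
    return {"set_loaded": loaded, "referencing_chains": chains}


if __name__ == "__main__":
    rep = vm_report(VM_FW_112, 112, ["net0", "net1"])
    print("VM 112 effective policy_in:", rep["policy_in"])
    for net, info in rep["nets"].items():
        print(net, info, kernel_references(info["kernel_set"], IPSET_NAMES, IPTABLES_SAVE))
```

On a real node the two constructed dumps would be replaced by the output of `ipset list -n` and `iptables-save`; a set that is loaded but referenced by no chain, or a NIC with `ipfilter` on but no `ipfilter-net<N>` entry, is exactly the situation to look for.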