WebGUI for firewall - need some help

[pgis]

I'm looking to implement a firewall in a cluster of 3 nodes and found myself confused with the WebGUI and have skimmed the documentation here:
https://pve.proxmox.com/pve-docs/chapter-pve-firewall.html

each of my nodes have 3 NICs and I plan to seperate the networks over nics:
- nic1 web management
- nic2 cluster
- nic3 glusterfs

I need to build all of the rules for each of these networks and started using iptables then read that it's a bad idea to not use pve's firewall... so here I am.

If I wanted to simply allow all traffic from a specific IP how would I do that with the WebUI?


do I just leave the rest blank?

do I have to use the CLI with a file? looks like if I add a rule it shows up in /etc/pve/nodes/<nodename>/host.fw

IN ACCEPT -i enp11s0f0 -source 10.0.0.2 -log nolog

is this the same format as iptables documented here?
https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-rg-en-4/s1-iptables-options.html

there are a few examples in the link I dropped above, does anyone know where I can find more? either CLI or WebGUI?

thanks!

edit: im not so sure this works since my pings still arent making it through...

edit2: perhaps this is the issue from iptables -nL output:

REJECT     udp  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
REJECT     icmp --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-unreachable

if this is in the default config how do you go about editing this in a persistent fashion?

edit3: why does the entry show up ad RETURN rule when I selecte ACCEPT?

 

[pgis]

the only thing I was able to get to work were pings by using the macro and setting both in and out rules on all nodes.

I tried setting ACCEPT rules (in and out) by interface (only) and the service of interest (in this test it was glusterfs) was unable to communicate.

I also tried setting rules by IP between the nodes, which also didnt work.

I have turned the firewalls off on the nodes so I can prevent further hair loss and rebuild some confidence in my computering skills with other tasks before I attempt this again...

 

[spirit]

edit3: why does the entry show up ad RETURN rule when I selecte ACCEPT?

This is because, proxmox check iptables rules for both direction, for both source and destination.

for example, if you filtering between 2 vms,

the source vm have OUT ACCEPT and destination have IN REJECT.

if you do an iptables rules with ACCEPT, the destination REJECT will never be applied.

This is the same with host to vm.

 

[pgis]

This is because, proxmox check iptables rules for both direction, for both source and destination.

for example, if you filtering between 2 vms,

the source vm have OUT ACCEPT and destination have IN REJECT.

if you do an iptables rules with ACCEPT, the destination REJECT will never be applied.

This is the same with host to vm.

I was editing the firewall at the node level and had the equivelant rules in place on the adjacent nodes-

where
10.0.0.1 was set to accept from 10.0.0.2 and 10.0.0.3
10.0.0.2 was set to accept from 10.0.0.1 and 10.0.0.3
10.0.0.3 was set to accept from 10.0.0.1 and 10.0.0.2

I also tried just accepting all on the interface that these nodes are on and that didnt even work... I had to turn the firewalls off entirely to get anything to work (other than pings since there's a macro for that)

thanks

edit: I also read that manually changing the iptables state was risky, and that you should use the PVE firewall editor to make sure that updates and PVE backups etc retain your FW config data...