When can we expect a Firewall Feature in V2?

rootkid

Member
Jul 2, 2010
Dear Proxmox Staff,

Thank you very much for creating this really cool software. I currently have v1.8 in use but managed to get a testing system for 2.0 today. Installation went smoothly as expected, but I was really sad when I had to realize there's no firewall feature included. At first I couldn't believe it, but this thread left no doubt: http://forum.proxmox.com/threads/6279-Proxmox-VE-2-x-firewall-option?highlight=Firewall

Now I have to decide whether I migrate to v2.0 and rebuild my shorewall setup, or wait for a Proxmox release with firewall features (including NAT, etc.).
Do you already have any idea when such features will be released?
Or maybe you have already decided to implement those features with the help of shorewall, so I don't need to redesign again?

Best regards,
Heiner
 
2.0 comes with a fully functioning iptables implementation so implementing a firewall is there at your hands. CLI only, though.
 
Yes, I know that; same with older versions. This is where shorewall is placed on top. But it doesn't answer my question :(
 
Personally... this should never be the function of the hypervisor. :)
 
Except in one specific situation: when adding a venet to a VM you can assign any IP you like, but unless the hypervisor implements some NAT'ing you will not be able to make any outgoing connections unless the IP you assigned to the VM is on the same network as one of your bridge or bond interfaces.
 
Are you describing a multi-tenant situation where you have completely separate networks on the same node (like a 10.x.x.x and a 192.x.x.x) and cannot dedicate specific NICs per network? You could run Vyatta, PFSense or M0n0Wall in a VM on each node and route before the NIC with private virtual bridge or virtual ethernet devices (an edge NAT, VPN trunk, routing tables, etc.). http://www.linux-kvm.org/page/Networking

You could even separate identical overlapping IP spaces this way on the same node.

Or you could route outside the nodes (which would probably be more robust and simpler) with an actual router. Pick up a Cisco 2800 series or an ASA 5510 if you want something beefier.
 
No, I am describing this situation:
1) vmbr0(192.168.4.2/24) --- venet0
2) Create a CT (vm01) and assign IP to venet0 - say 192.168.5.2/24
3) In the default setup vm01 will not be able to connect to the outside world, since no route exists from the outside world to 192.168.5.2/24. To the outside world, a request coming from 192.168.5.2 will have 192.168.4.2 as its source address.
4) 192.168.4.2 will reject the response from the outside world, since this response is not related to any connection on 192.168.4.2.

To fix this, a rule must be added to iptables so that all outgoing connections from vm01 are NAT'ed via 192.168.4.2. This rule is as follows:
iptables -t nat -A POSTROUTING -o vmbr0 -j SNAT --to-source 192.168.4.2

I.e., for successfully making any connections via venet0 to the outside world, one of these two conditions must be fulfilled:
1) the CT must have an IP assigned in the same subnet as the hypervisor's bridge (e.g. vmbr0 -> 192.168.2.0)
or
2) an iptables NAT rule must be created like the one above
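The SNAT setup from the post above, as an added example script (not code from the thread or from Proxmox). It uses the addresses given in the post (CT subnet 192.168.5.0/24 behind venet0, bridge vmbr0 with 192.168.4.2) as assumed values, limits the rule to the CT's own source subnet so packets that already carry a routed address on vmbr0 are left untouched, and inserts the rule only if an identical one is not already present, so it can be re-run from a boot hook without stacking duplicate rules. Applying it requires root on the host and is gated behind SNAT_APPLY=1; everything else can be exercised without touching the live firewall.

```shell
#!/bin/sh
# Added example: source-NAT for a CT on venet0 whose address lies outside the
# bridge subnet. Assumed values (from the post): CT subnet 192.168.5.0/24,
# outgoing bridge vmbr0, host address 192.168.4.2.

# Validate a dotted-quad IPv4 address; returns 1 on bad input.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Validate an IPv4 prefix in CIDR form (a.b.c.d/n, 0 <= n <= 32).
is_cidr() {
  case "$1" in
    */*) is_ipv4 "${1%/*}" \
           && [ "${1#*/}" -ge 0 ] 2>/dev/null \
           && [ "${1#*/}" -le 32 ] 2>/dev/null ;;
    *)   return 1 ;;
  esac
}

# Compose the POSTROUTING rule arguments. Unlike the bare rule in the post,
# the match is restricted to the CT subnet (-s), so only traffic that really
# needs rewriting is NAT'ed.
build_snat_rule() {
  ct_net=$1; out_if=$2; to_src=$3
  is_cidr "$ct_net"  || { echo "bad CT subnet: $ct_net" >&2; return 1; }
  [ -n "$out_if" ]   || { echo "missing outgoing interface" >&2; return 1; }
  is_ipv4 "$to_src"  || { echo "bad SNAT address: $to_src" >&2; return 1; }
  printf '%s %s -o %s -j SNAT --to-source %s\n' "-s" "$ct_net" "$out_if" "$to_src"
}

# Enable forwarding (venet needs it anyway) and add the rule idempotently:
# 'iptables -C' succeeds only if an identical rule already exists.
apply_snat_rule() {
  rule=$(build_snat_rule "$@") || return 1
  sysctl -q -w net.ipv4.ip_forward=1
  # shellcheck disable=SC2086  # word-splitting of $rule is intended here
  iptables -t nat -C POSTROUTING $rule 2>/dev/null \
    || iptables -t nat -A POSTROUTING $rule
}

# Only modify the live firewall when explicitly requested (run as root).
if [ "${SNAT_APPLY:-0}" = 1 ]; then
  apply_snat_rule 192.168.5.0/24 vmbr0 192.168.4.2
fi
```

To verify the result on the host, `iptables -t nat -L POSTROUTING -n -v` shows the rule and its packet counters; a CT that still cannot reach the outside usually has an address outside the subnet given to `-s`, or the host has forwarding disabled.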
 
In my case there's one server that is housed in a remote datacenter, currently managing about 10 VMs (both KVM and OpenVZ).
It is connected via 2 NICs and 1 remote management interface.
I use bonding so I have a redundant link.
I have no need for a hardware firewall because it's too expensive for my use.

Some of my VMs have their own dedicated (officially routed) IPs, others only have private IPs and have to share official IPs.
So I have to use a combination of ProxyARP and NAT.
I think this is best done on my hardware host, because that's where all the traffic comes in, and I expect it to be much more performant than routing all traffic to a VM, scanning/filtering it there and then routing it all back to where it should go.
At the moment I use shorewall on my Proxmox 1.8 host, and it seems it is still the best solution for Proxmox 2, too, right?

For small environments like mine, an official routing/firewalling feature supporting ProxyARP and NAT surely would be a great thing.

Any feedback appreciated!
 