Why doesn't a node have an input & output policy?

Afox (Renowned Member, Dec 18, 2014)
hello proxmox-community,

I want to firewall my Proxmox host and am curious about the question mentioned above.

Why doesn't a node have an option for an input and output policy?

I only have one node inside the datacenter-register.

What happens if I set the input policy to DROP on the Datacenter? Will this affect the virtual machines running on the node too?

Thanks in advance for your answer!

Regards,

Afox

PS: I will set an accept rule for the web interface port and SSH. Is there anything else I should keep open? I usually use noVNC and don't use SPICE (yet). Where should I make the exception? On the datacenter or the node?
 
What? Proxmox has both INPUT and OUTPUT rules under its firewall settings:
[image: proxmox-firewall.png]
What happens if I set the input policy to DROP on the Datacenter? Will this affect the virtual machines running on the node too?
No, that goes to the iptables FORWARD policy, which is set up individually for each VM under its settings.

PS: I will set an accept rule for the web interface port and SSH. Is there anything else I should keep open? I usually use noVNC and don't use SPICE (yet). Where should I make the exception? On the datacenter or the node?

You don't have to. Proxmox will automatically open the ports it needs for its operation. You just have to add rules for your own services.
 
Hello, thanks for your reply!
What? Proxmox has both INPUT and OUTPUT rules under its firewall settings
I meant the input/output policy, not rules. If you click on a node, go to the firewall tab and then Options, there is no input/output policy. If you click on the datacenter, there is...

Proxmox will automatically open the ports it needs for its operation.
Well, after setting the input policy of the datacenter to DROP I wasn't able to log in via HTTPS on the web interface....
 
Well, after setting the input policy of the datacenter to DROP I wasn't able to log in via HTTPS on the web interface....

OK so this is something that I am trying to understand too.

I'm using PVE 3.4 and reading https://pve.proxmox.com/wiki/Proxmox_VE_Firewall

Before I do anything with the firewall, I need to make ABSOLUTELY SURE I understand what the following means, because for something so important, it's really not clear at all:

BEWARE that proxmox < 3.4 has no default management rules active, so since default incoming policy is DROP, you have to explicitly add tcp ACCEPT rules for port 22 and 8006 before activating firewall!

I have PVE 3.4, so the above statement implies I DO NOT need to add rules for ports 22 and 8006 before activating the firewall. But that doesn't seem right, as the rules I see in the UI for Datacentre > Firewall > Options are:

Input policy DROP
Output policy ACCEPT

So do I understand that if I check the "Enable firewall" option at the Datacentre level, then by default I am immediately locked out of Proxmox? Or does the wiki statement above mean that in PVE 3.4, ports 22 and 8006 are in fact open by default when you enable the firewall and enabling the firewall won't instantly ruin your life?

BTW also, do I understand correctly that the firewall rules cascade? That is, if I set the Datacentre to drop port 80, then all my VMs will also drop port 80 unless I explicitly allow it at the node level?


Sorry for the confusion...
 
OK thanks. I might politely suggest some edits to the wiki page in that case, because frankly it's dangerously misleading at the moment.

BTW is there some reason why rules for the proxmox admin ports aren't in place by default in the datacenter settings? It just seems like a disaster waiting for anyone who enables the firewall.
 
BTW is there some reason why rules for the proxmox admin ports aren't in place by default in the datacenter settings? It just seems like a disaster waiting for anyone who enables the firewall.

Because a firewall should block that for security reasons.
 
In theory, yes (although iptables defaults to ACCEPT, as anyone who's been curious to run sudo iptables -L on a configured system will know).

My point is that in practice for Proxmox, what on earth is the point of having a default that prevents you from accessing the very system that controls the firewall itself?

EDIT: I see now that perhaps as of PVE 3.4, a sensible default of allowing access to the UI by default might be the case. But again it's not very clear:

http://forum.proxmox.com/threads/21333-Problem-Getting-pve-firewall-to-work

"It's not necessary to make a rule for this. It's the default."


 
In theory, yes (although iptables defaults to ACCEPT, as anyone who's been curious to run sudo iptables -L on a configured system will know).

There are rules to allow access from the local network, but access from remote is blocked. Another option would be to set the default policy to 'accept'?
 
I see, so "pve-firewall localnet" will show the networks on which the firewall policy will allow access.

If I set the policy at the Datacentre level to in/out "accept", I assume that will mean I will need to add a default "drop" policy at the end of the rules for my VM, is that right?
 
If I set the policy at the Datacentre level to in/out "accept", I assume that will mean I will need to add a default "drop" policy at the end of the rules for my VM, is that right?

Datacenter/Host policy is not related to VM firewall policy.
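The lockout the thread keeps circling back to (policy_in DROP at the datacenter level with no explicit ACCEPT for tcp/22 and tcp/8006, while the built-in exceptions only cover the networks shown by `pve-firewall localnet`) can be caught before the firewall is enabled. The following is an added example, not Proxmox code: a small checker for the documented cluster.fw / host.fw text format ([OPTIONS] key: value lines, [RULES] lines of the form `DIR ACTION -source X -p tcp -dport N`, a leading `|` disabling a rule, `#` starting a comment, and macros such as `IN SSH(ACCEPT)`). It evaluates the IN rules first-match for a given admin IP and reports which management ports would fall through to the DROP policy. It deliberately does not model the implicit local-network rules, so a port it reports as blocked is blocked for any address outside the auto-detected local network. The two config texts and the admin addresses are constructed for the example; aliases and IP sets referenced in `-source` are not resolved.

```python
"""Lockout check for a Proxmox VE firewall config (cluster.fw / host.fw text format).

Added example, not part of Proxmox. Assumptions: the documented file layout
([OPTIONS] / [RULES] sections, first-match rule evaluation, '|' disables a rule,
'#' starts a comment); only the SSH macro is expanded (to tcp/22). Implicit
rules that pve-firewall adds for 'pve-firewall localnet' are NOT modelled.
"""
import ipaddress
import re
import shlex

# Management ports the thread is about: SSH and the pveproxy web UI.
MGMT_PORTS = {22: "ssh", 8006: "pveproxy (web UI)"}


def parse_ports(spec):
    """'22,8006' or '5900:5999' -> set of (lo, hi) ranges; empty set means 'any port'."""
    ranges = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.add((int(lo), int(hi or lo)))
    return ranges


def port_in(port, ranges):
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def parse_rule(line):
    """Parse one [RULES] line into a dict (direction, action, source, proto, dports)."""
    enabled = not line.startswith("|")
    parts = shlex.split(line.lstrip("|").strip())
    direction, action = parts[0].upper(), parts[1]
    macro = None
    m = re.fullmatch(r"([A-Za-z0-9]+)\((\w+)\)", action)  # e.g. SSH(ACCEPT)
    if m:
        macro, action = m.group(1).upper(), m.group(2)
    rule = {"enabled": enabled, "dir": direction, "action": action.upper(),
            "source": None, "proto": None, "dports": set()}
    for flag, val in zip(parts[2::2], parts[3::2]):
        if flag == "-source":
            rule["source"] = val
        elif flag == "-p":
            rule["proto"] = val.lower()
        elif flag == "-dport":
            rule["dports"] = parse_ports(val)
    if macro == "SSH":  # the only macro this example expands
        rule["proto"], rule["dports"] = "tcp", {(22, 22)}
    return rule


def parse_fw(text):
    """Return ({option: value}, [rules]) from cluster.fw/host.fw text."""
    opts, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "OPTIONS":
            key, _, val = line.partition(":")
            opts[key.strip().lower()] = val.strip()
        elif section == "RULES":
            rules.append(parse_rule(line))
    return opts, rules


def source_covers(rule_source, admin_ip):
    """True if the rule has no -source or one of its CIDRs contains admin_ip."""
    if rule_source is None:
        return True
    ip = ipaddress.ip_address(admin_ip)
    for item in rule_source.split(","):
        try:
            if ip in ipaddress.ip_network(item, strict=False):
                return True
        except ValueError:
            pass  # alias or +ipset reference: not resolved in this example
    return False


def lockout_risks(text, admin_ip):
    """Management ports that admin_ip could no longer reach once this config is active."""
    opts, rules = parse_fw(text)
    if opts.get("enable", "0") != "1":
        return {}  # firewall disabled: nothing is filtered
    policy = opts.get("policy_in", "DROP").upper()  # Proxmox default is DROP
    blocked = {}
    for port, name in MGMT_PORTS.items():
        verdict = policy
        for r in rules:  # first matching IN rule decides
            if (r["enabled"] and r["dir"] == "IN" and r["proto"] in (None, "tcp")
                    and port_in(port, r["dports"]) and source_covers(r["source"], admin_ip)):
                verdict = r["action"]
                break
        if verdict != "ACCEPT":
            blocked[port] = name
    return blocked


# Constructed sample configs (not taken from a real installation).
LOCKOUT_CFG = """[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN ACCEPT -p tcp -dport 80
"""

SAFE_CFG = """[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
IN ACCEPT -source 203.0.113.0/24 -p tcp -dport 8006 # web UI from the admin VPN only
IN SSH(ACCEPT) -source 203.0.113.0/24
|IN ACCEPT -p tcp -dport 8006 # disabled: would expose the UI to everyone
IN ACCEPT -p tcp -dport 80
"""

if __name__ == "__main__":
    for name, cfg in (("lockout", LOCKOUT_CFG), ("safe", SAFE_CFG)):
        print(name, "from 203.0.113.10:", lockout_risks(cfg, "203.0.113.10") or "ok")
```

Run it against the file you are about to enable (the cluster-wide file is /etc/pve/firewall/cluster.fw) with the address you administer from; an empty result for your admin address, together with that address being absent from `pve-firewall localnet` output, is the case the thread's "hello, thanks for your reply!" poster hit.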
 