
How To Configure Proxmox VE Firewall

  • Published 5 Aug 2024
  • In this video, we show you how to configure the firewall in Proxmox VE
    Unlike some other hypervisors you'll come across, Proxmox VE has a built-in firewall
    This can restrict access to your hypervisor without having to purchase or install any additional software
    The firewall also allows you to restrict access to your virtual machines, which is especially useful if an operating system doesn't have a software firewall
    But more importantly, it can control local traffic, such as the traffic between the VMs
    This is the sort of traffic your dedicated firewall appliance doesn't see and so can't control
    And this is extremely helpful because it gives us another layer of security
    Steps Taken
    The firewall is disabled by default, but before you enable it, you should create rules to allow management access to your hypervisors, because once it is enabled the hypervisor firewall becomes active immediately
    Typically these should allow access to TCP port 8006 (GUI) and 22 (SSH), and if you use SPICE, TCP port 3128
    You can apply rules on individual hypervisors or, for easier management, at the Data Center level
    In addition, rules should be created to allow access between the hypervisors themselves for TCP ports 8006 and 22
    Although the firewall has an implicit deny rule, it does not block local management access, nor does it log the traffic it drops, so it is best to create an explicit deny rule as your last rule and log any hits
    The firewall can then be enabled by navigating to Datacenter | Firewall | Options, selecting Firewall, clicking Edit, enabling the firewall and clicking OK
    If you do lock yourself out, you can disable the firewall entirely from console access, or from an SSH session if that still works, by editing the cluster firewall file
    nano /etc/pve/firewall/cluster.fw
    Change the enable value in the [OPTIONS] section from 1 to 0, then save the file
    Alternatively you can stop the firewall service on a hypervisor from the CLI to regain access to that hypervisor
    pve-firewall stop
    Once you have fixed the problem you should then start it again
    pve-firewall start
    Other interfaces on the hypervisor should also restrict inbound access. A storage interface usually only needs outbound access, so it can drop all inbound traffic. The firewall has built-in rules for cluster traffic, so all inbound traffic on the cluster interface can also be dropped by your own rules
    You can create an Alias to represent an IP address or entire subnet so that you can then use names instead of IP addressing in rules
    Networks and hosts can also be grouped together by creating IP Sets to reduce the number of rules needed
    Better still, you can consolidate rules together by creating Security Groups which you can then apply
    The firewall can also be configured on virtual machines, but the rules must be applied to each individual VM
    NOTE: You can create rules for VMs at the Data Center or hypervisor level, but placing them there won't have any effect
    Each VM can have its own Aliases and IP Sets, but for better management purposes you can use ones created at the Data Center level
    Better still, you can apply Security Groups created at the Data Center level to a VM, meaning you only need to create a group once and can then use it on any VM
    The firewall does have a built-in implicit deny rule and it will block local access, but as this does not log any hits it is better to create an explicit deny rule at the end to do the logging
    Each hypervisor and VM has a firewall log you can check in the GUI, but you can also run the following command on the hypervisor's CLI
    tail /var/log/pve-firewall.log
    You can also find the rule files for hypervisors and VMs in the /etc/pve/firewall/ folder on a hypervisor
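As an added example (not from the video), this is how the steps above look in the rule files under /etc/pve/firewall/ on a hypervisor: a Datacenter file with aliases, an IP set, two security groups and an explicit logged deny, and a VM file that reuses a Datacenter group. The addresses, alias/set/group names and VM ID 100 are constructed placeholders.

```ini
# /etc/pve/firewall/cluster.fw  (Datacenter level; applies to every hypervisor)
[OPTIONS]
# Set to 0 (or run "pve-firewall stop" on one node) to recover from a lock-out
enable: 1

[ALIASES]
# Constructed example addresses; use your own management and cluster subnets
admin_pc 192.168.10.50
mgmt_net 192.168.10.0/24

[IPSET cluster_nodes]
# Hypervisors that must reach each other on 8006 and 22
192.168.10.11
192.168.10.12
192.168.10.13

[group mgmt_access]
# Management access: GUI (8006), SSH (22) and SPICE proxy (3128)
IN ACCEPT -source mgmt_net -p tcp -dport 8006 -log nolog
IN ACCEPT -source mgmt_net -p tcp -dport 22 -log nolog
IN ACCEPT -source admin_pc -p tcp -dport 3128 -log nolog
# Hypervisor to hypervisor access (+name references the IP set above)
IN ACCEPT -source +cluster_nodes -p tcp -dport 8006 -log nolog
IN ACCEPT -source +cluster_nodes -p tcp -dport 22 -log nolog

[group webserver]
# Reusable group for VMs: allow HTTP/HTTPS from anywhere
IN ACCEPT -p tcp -dport 80 -log nolog
IN ACCEPT -p tcp -dport 443 -log nolog

[RULES]
GROUP mgmt_access
# Explicit final deny that logs hits; the built-in implicit deny logs nothing
IN DROP -log info

# /etc/pve/firewall/100.fw  (VM 100; Datacenter and host rules are not applied to VMs)
[OPTIONS]
enable: 1

[RULES]
# Security Group defined once at Datacenter level, applied per VM
GROUP webserver
# SSH only from the admin workstation alias defined at Datacenter level
IN ACCEPT -source admin_pc -p tcp -dport 22 -log nolog
# Explicit logged deny so dropped VM traffic shows up in the firewall log
IN DROP -log info
```

Running `pve-firewall compile` on a node parses these files and prints the generated rule set, which is a quick way to catch a typo before the rules go live.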
    Chapters
    00:00 Intro
    00:53 Overview
    03:06 Enable Firewall
    07:37 Fix Lock Out
    10:42 Hypervisor Rules
    27:03 Alias
    28:30 IP Set
    29:49 Security Group
    34:24 Hypervisor Rules Warning
    35:31 Virtual Machine Rules
    45:07 Logging & Troubleshooting
    Credits
    LoveLife | Instrumental Prod. Blue Mango | EQMUSEQ.COM by Don Da Vinci
    soundcloud.com/eqmuseq/loveli...

Comments • 43

  • @TechTutorialsDavidMcKone
    @TechTutorialsDavidMcKone 1 year ago

    If you want to learn more about Proxmox VE, this series will help you out
    th-cam.com/video/sHWYUt0V-c8/w-d-xo.html

  • @daveguenther9517
    @daveguenther9517 2 months ago +2

    Thanks for identifying that implicit rules do not get logged. I had no idea. I'll start using global DROP rules at the end of my rules sections from now on to log what's not making it through.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 months ago +1

      Early on, some firewalls didn't even have an implicit block rule
      Then we got some firewalls that log implicit rules and some that don't
      Then we got a global setting to enable/disable that logging
      So at some point it just became a common practice to create your own rule at the end as at least you can be sure

  • @user-nt4wg1vx3f
    @user-nt4wg1vx3f 1 year ago +4

    Just to let you know that this video was VERY HELPFUL; you cleared all my doubts. I appreciate that people like you who spread knowledge still exist. As a young person I thank you for sharing it and making our learning curve easier, awesome teacher!

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +1

      Thanks for the feedback and good to know the video was helpful
      I like to keep learning more about IT, and I'm happy to share what I find

  • @YooWhatsPoppin
    @YooWhatsPoppin 2 months ago +3

    Wow, this video is simply the best video on the Proxmox firewall that I could find on TH-cam! Thank you very much, it really helped me a lot!

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 months ago +1

      Good to know the video was useful

    • @ThunderingCreation
      @ThunderingCreation 25 days ago

      @@TechTutorialsDavidMcKone Very useful, thank you! You've cleared up so many things for me personally.

  • @clevermore
    @clevermore 6 months ago +1

    This was utterly fantastic and just what I needed. Thank you so much for giving us your time and effort!

  • @SnordCranston23
    @SnordCranston23 1 year ago +1

    Thanks for the video. Went through it twice and started implementing my firewall rules.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago

      Good to know the video was helpful
      I think it's a very useful security tool and it doesn't need additional software installing

  • @skippyman
    @skippyman 9 months ago +1

    Really enjoying these tutorials. Thank you for making these!

  • @zyghom
    @zyghom 1 year ago +1

    man, you are AMAZING source of the knowledge - THANK YOU!

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago

      I think it's a really useful firewall
      Granted this is all part of Linux, but Proxmox have made it so convenient to centralise your firewall rules

    • @zyghom
      @zyghom 1 year ago

      @@TechTutorialsDavidMcKone A few months ago I installed OPNsense on a separate box, then PVE on another machine. I thought the outer firewall would be enough but now I see the second stage: the firewall on PVE. If I understood correctly: the outer firewall does NOT see traffic between VMs because it does not go through it, right? So in this case ONLY the PVE firewall can do the job - of course, also the firewall on the OS of the VM, but that is even deeper and as you said: if the OS is compromised then someone can do bad things, while if the firewall is on PVE then someone shall get access to PVE itself. Am I even going in the right direction? Thank you

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +1

      @@zyghom That's basically it
      It's all about layers and to me this firewall, fills a really important gap and it's all open source 😁

  • @JeaNz0r
    @JeaNz0r 1 year ago +1

    Thank you for taking your time to create this video sir! Wish you all the best.

  • @andymok7945
    @andymok7945 8 months ago +1

    Very informative, thanks.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 8 months ago

      Thanks for the comment and good to know the video was helpful

  • @ramibarshini4880
    @ramibarshini4880 6 months ago +1

    Thank you, very useful

  • @user-nt4wg1vx3f
    @user-nt4wg1vx3f 1 year ago +2

    Thank you!

  • @CyberCam1969
    @CyberCam1969 1 year ago +1

    I would love if you could do a video on the Proxmox OVS network setup as well. BTW, I love your videos, I've been binge watching them! Cheers mate!

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago

      Currently OVS has a very low priority for me
      It is on my project list but at the moment Proxmox doesn't really do anything with it that the Linux Bridge already does
      There is a Software Defined Network project that's been ongoing for a while for Proxmox but it's still in an experimental phase and I've yet to look into it
      For now my focus is on automation, management and monitoring

    • @CyberCam1969
      @CyberCam1969 1 year ago

      @@TechTutorialsDavidMcKone Thanks for the reply... cheers!

  • @tonykett
    @tonykett 11 months ago +1

    Thanks for the video. Was very useful. I did try to firewall at a "host" level the secondary adapter so that all VMs I put into that adapter were limited to internet only (no LAN), so that I effectively create a DMZ on my LAN; however it seemed to ignore the rulesets completely whether I specified the interface name (or vmbr1 virtual name) or put in specific IPs or not... it only blocked access if I set "vm" level firewall rules per VM. A bit annoying, but it can work. It may be that Proxmox cannot filter that interface traffic unless it hits the VM directly (as it doesn't have an IP on that interface at all and only has an IP on its own mgmt interface (separate NIC)).

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 11 months ago

      Based on observation I found that you can only firewall VMs when you assign rules to the VM itself
      Any rules you apply to a host just get ignored by the VM
      Defining security groups at a Data Center level and applying those to a VM certainly helps reduce the admin work
      And with a bit of automation it could be made easier I suppose
      It does seem odd to me, but in the grand scheme of things I think it makes security so much easier
      For me, this firewall is there to restrict VM to VM traffic when it's in the same network, similar to what a software firewall would do on a computer because a dedicated firewall would never see that traffic
      But I still use a dedicated firewall to restrict traffic between networks

  • @bassjunk3
    @bassjunk3 1 year ago +1

    Awesome video.. Watched a few of your videos now and just wanted to say thanks for sharing... Would love to see a video about Ceph if you have any experience of it?
    Plus you remind me of Phil Mitchell 😅

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +1

      I'm not planning to cover Ceph for some time unfortunately
      Hard Drives are not cheap these days but my servers will also need a controller and cables
      So for now I'm just using NFS on TrueNAS
      The first time someone told me I looked like Mr Mitchel, I was actually in the London area doing work
      I had no idea who they meant so I had to look it up
      I can see the resemblance 😀

    • @boommonkey111
      @boommonkey111 1 year ago

      @@TechTutorialsDavidMcKone Can't say I watch Eastenders anymore 😀 Thanks again for the videos, really enjoying them

  • @phpmaven
    @phpmaven 7 months ago +1

    I'm pretty sure you don't need to add a "Drop" rule as the firewall will drop by default any traffic that is not implicitly allowed.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 7 months ago

      Yes there will be a drop rule lurking in the background
      Although there are other rules going on that you don't see either
      I add an explicit rule out of habit as I'm used to firewalls which show a hit counter against every rule you create and that's very useful when you're troubleshooting or just setting up a firewall
      These ones don't but I like to have a quick way to see if traffic is being dropped so I just do this on all firewalls regardless
      I also find it easier if I want to alter the logging of dropped traffic
      According to the documentation, logging of dropped traffic is disabled by default
      But with user rules it's at your own discretion
      In some companies, everything is logged and sent off for analysis
      In others, it's only turned on when troubleshooting, etc
      So it's another reason I add a drop rule out of habit

  • @tracerv0
    @tracerv0 1 year ago +1

    Playback speed 1.5 needed as per usual

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago

      An interesting speed, but as long as the video is helpful

    • @tracerv0
      @tracerv0 1 year ago

      @@TechTutorialsDavidMcKone I think it mostly has to do with knowing 90% of what is going to be said; I'm looking for that 10% I don't know in most videos. The slow deliberate cadence makes my brain explode waiting on the next word; with playback at 1.5 it's a much steadier flow of information. I know a lot of guys in the field like this.

    • @drreality1
      @drreality1 1 year ago +2

      Great tutorial as always, can’t help it but think that it would be easier to deploy a robust firewall like pfsense/opnsense on an interface other than mgmt interface and control all access, including management interface through it 🤓

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago +4

      When computers are in the same subnet they talk directly to each other, so a typical firewall appliance would never see that conversation and so can't control it
      Transparent or Layer 2 firewalls are rarely used because they lack important features
      So typically Layer 3/4 firewalls like pfSense are deployed to restrict remote computers from accessing the hypervisor and the VMs it runs
      But it needs either personal firewalls on each VM or a firewall feature like this to restrict traffic between the VMs for instance
      It's an important security goal to try and restrict hackers who'll try to traverse from one computer to another when a computer is compromised
      It also can be used to try and stop someone plugging a computer into a local network to try and gain access to the hypervisor or a VM which is extremely useful for areas that can't be physically secured
      So as shown, I used this firewall to stop a computer accessing a web server in its local network, but allowed the remote computer to still use it as intended
      The alternative would have been to install UFW in this case but I have VMs that don't have personal firewall software which makes this firewall option extremely useful

  • @user-iu8mt6kh8d
    @user-iu8mt6kh8d 1 year ago +2

    Thank you for this detailed and interesting content. I'm comparing to esxi and nsx. Proxmox seems quite nice. Normal playback speed works for me 😀

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 year ago

      Adding the Open vSwitch will certainly help as it brings VXLAN and OpenFlow to the mix