Excellent guide, I couldn't quite follow along, as our setups are different, but you gave me just enough knowledge to troubleshoot an issue. I think I may have followed blindly along with another tutorial elsewhere and changed datacentre>options>policy levels to drop for both inbound and outbound traffic, and no amount of rule changing elsewhere would overcome it, lots of going back and forth between machines to stop the firewale and regain remote access, I was about to throw in the towel and changed them to accept, then set some drop rules elsewhere and it worked like a treat! There was another issue where you were advising to tweak the vmbr0 interface, which my VMs are running on, but I wasn't having luck with that, then I had a brainwave to try ethernet port to gain GUI access and it worked. I have been struggling to isolate a VM which I intend to open ports to the net and now I can finally make those steps. Hurrah!
Just to let you know that this video was VERY HELPFUL, you cleared all my doubts, I appreciate that still exists people like you who spread the knowledge, as a young person I thank you for sharing it and making our learning curve more easier, awesome teacher!
Thanks for identifying that implicit rules do not get logged. I had no idea. I'll start using global DROP rules at the end of my rules sections from now on to log what's not making it through.
Early on, some firewalls didn't even have an implicit block rule Then we got some firewalls that log implicit rules and some that don't Then we got a global setting to enable/disable that logging So at some point it just became a common practice to create your own rule at the end as at least you can be sure
Thank you very much for the video. I'm not familiar with network and I was always afraid to activate the firewall in proxmox. I just started and thanks to you, it went well.
Good to know the video was helpful It's a very useful firewall to have as you can protect your VMs from other devices in the same network as the main firewall can't do anything about that type of traffic And you don't need to install additional software either :)
@@TechTutorialsDavidMcKone I installed few months ago Opensense on separated box, then PVE on another machine. I thought the outer firewall would be enough but now I see the second stage: the firewall on PVE. If I understood correctly: the outer firewall does NOT see traffic between VMs because it does not go through it, right? So in this case ONLY PVE firewall can do the job - of course: also firewall on the OS of the VM but that is even deeper and as you said: if the OS is compromised then someone can do bad things, while if the firewall is on PVE then someone shall get access to PVE itself. Am I even going right direction? thank you
thanks for the video. was very useful. i did try to firewall at a "host" level the secondary adapter so that all VM's i put into that adapter were limited to internet only (no LAN) so that i effectively create a DMZ on my lan), however it seemed to ignore the rulesets completely whether i specificed the interface name (or vmbr1 virtual name) or put in specific IP's or not... it only blocked access if i set "vm" level firewall rules per vm. a bit annoying, but it can work. it may be that proxmox cannot filter that interface traffic unless it hits the vm directly (as it doesnt have an IP on that interface at all and only has an IP on its own mgmt interface (seperate nic)).
Based on observation I found that you can only firewall VMs when you assign rules to the VM itself Any rules you apply to a host just get ignored by the VM Defining security groups at a Data Center level and applying those to a VM certainly helps reduce the admin work And with a bit of automation it could be made easier I suppose It does seem odd to me, but in the grand scheme of things I think it makes security so much easier For me, this firewall is there to restrict VM to VM traffic when it's in the same network, similar to what a software firewall would do on a computer because a dedicated firewall would never see that traffic But I still use a dedicated firewall to restrict traffic between networks
Yes there will be a drop rule lurking in the background Although there are other rules going on that you don't see either I add an explicit rule out of habit as I'm used to firewalls which show a hit counter against every rule you create and that's very useful when you're troubleshooting or just setting up a firewall These ones don't but I like to have a quick way to see if traffic is being dropped so I just do this on all firewalls regardless I also find it easier if I want to alter the logging of dropped traffic According to the documentation, logging of dropped traffic is disabled by default But with user rules it's at your own discretion In some companies, everything is logged and sent off for analysis In others, it's only turned on when troubleshooting, etc So it's another reason I add a drop rule out of habit
Currently OVS has a very low priority for me It is on my project list but at the moment Proxmox doesn't really do anything with it that the Linux Bridge already does There is a Software Defined Network project that's been ongoing for a while for Proxmox but it's still in an experimental phase and I've yet to look into it For now my focus is on automation, management and monitoring
Awesome video.. Watched a few of your videos now and just wanted to say thanks for sharing... Would love to see a video about Ceph if you have any experience of it? Plus you remind me of Phil Mitchell 😅
I'm not planning to cover Ceph for some time unfortunately Hard Drives are not cheap these days but my servers will also need a controller and cables So for now I'm just using NFS on TrueNAS The first time someone told me I looked like Mr Mitchel, I was actually in the London area doing work I had no idea who they meant so I had to look it up I can see the resemblance 😀
@@TechTutorialsDavidMcKone i think it mostly has to do with knowing 90% of what is going to be said i'm looking for that 10% i don't know in most videos. the slow deliberate cadence makes my brain explode waiting on the next word, with playback at 1.5 its much more steady flow on information. i know a lot of guys in the field like this.
Great tutorial as always, can’t help it but think that it would be easier to deploy a robust firewall like pfsense/opnsense on an interface other than mgmt interface and control all access, including management interface through it 🤓
When computers are in the same subnet they talk directly to each other, so a typical firewall appliance would never see that conversation and so can't control it Transparent or Layer 2 firewalls are rarely used because they lack important features So typically Layer 3/4 firewalls like pfSense are deployed to restrict remote computers from accessing the hypervisor and the VMs it runs But it needs either personal firewalls on each VM or a firewall feature like this to restrict traffic between the VMs for instance It's an important security goal to try and restrict hackers who'll try to traverse from one computer to another when a computer is compromised It also can be used to try and stop someone plugging a computer into a local network to try and gain access to the hypervisor or a VM which is extremely useful for areas that can't be physically secured So as shown, I used this firewall to stop a computer accessing a web server in its local network, but allowed the remote computer to still use it as intended The alternative would have been to install UFW in this case but I have VMs that don't have personal firewall software which makes this firewall option extremely useful
![Proxmox Firewall Setup [Single NODE or CLUSTER] | Proxmox Home Server Series](http://i.ytimg.com/vi/lcb3d-AT5iA/mqdefault.jpg)
If you want to learn more about Proxmox VE, this series will help you out
th-cam.com/video/sHWYUt0V-c8/w-d-xo.html
Excellent guide, I couldn't quite follow along, as our setups are different, but you gave me just enough knowledge to troubleshoot an issue.
I think I may have followed blindly along with another tutorial elsewhere and changed datacentre>options>policy levels to drop for both inbound and outbound traffic, and no amount of rule changing elsewhere would overcome it, lots of going back and forth between machines to stop the firewale and regain remote access, I was about to throw in the towel and changed them to accept, then set some drop rules elsewhere and it worked like a treat!
There was another issue where you were advising to tweak the vmbr0 interface, which my VMs are running on, but I wasn't having luck with that, then I had a brainwave to try ethernet port to gain GUI access and it worked.
I have been struggling to isolate a VM which I intend to open ports to the net and now I can finally make those steps. Hurrah!
Wow, that sounded like a real struggle
Good to know it was all resolved
It's a very useful firewall though once it's up an running as intended
Just to let you know that this video was VERY HELPFUL, you cleared all my doubts, I appreciate that still exists people like you who spread the knowledge, as a young person I thank you for sharing it and making our learning curve more easier, awesome teacher!
Thanks for the feedback and good to know the video was helpful
I like to keep learning more about IT, and I'm happy to share what I find
Thanks for identifying that implicit rules do not get logged. I had no idea. I'll start using global DROP rules at the end of my rules sections from now on to log what's not making it through.
Early on, some firewalls didn't even have an implicit block rule
Then we got some firewalls that log implicit rules and some that don't
Then we got a global setting to enable/disable that logging
So at some point it just became a common practice to create your own rule at the end as at least you can be sure
Thank you very much for the video. I'm not familiar with network and I was always afraid to activate the firewall in proxmox. I just started and thanks to you, it went well.
Good to know the video was helpful
It's a very useful firewall to have as you can protect your VMs from other devices in the same network as the main firewall can't do anything about that type of traffic
And you don't need to install additional software either :)
Wow, this video is simply the best video on the Proxmox firewall that I could find on TH-cam! Thank you very much, it really helped me a lot!
Good to know the video was useful
@@TechTutorialsDavidMcKone Very useful Thank you!, Youve cleared up so many things for me personally.
Thanks for the video. Went through it twice and started implementing my firewall rules.
Good to know the video was helpful
It think it's a very useful security tool and it doesn't need additional software installing
This was utterly fantastic and just what I needed. Thank you so much for giving us your time and effort!
Thanks for the feedback
Good to know the video was helpful
Really enjoying these tutorials. Thank you for making these!
Good to know you're finding these videos to be helpful
man, you are AMAZING source of the knowledge - THANK YOU!
I think it's a really useful firewall
Granted this is all part of Linux, but Proxmox have made it so convenient to centralise your firewall rules
@@TechTutorialsDavidMcKone I installed few months ago Opensense on separated box, then PVE on another machine. I thought the outer firewall would be enough but now I see the second stage: the firewall on PVE. If I understood correctly: the outer firewall does NOT see traffic between VMs because it does not go through it, right? So in this case ONLY PVE firewall can do the job - of course: also firewall on the OS of the VM but that is even deeper and as you said: if the OS is compromised then someone can do bad things, while if the firewall is on PVE then someone shall get access to PVE itself. Am I even going right direction? thank you
@@zyghom That's basically it
It's all about layers and to me this firewall, fills a really important gap and it's all open source 😁
¡Gracias!
Thank you very much
Very informative, thanks.
Thanks for the comment and good to know the video was helpful
thanks for the video. was very useful. i did try to firewall at a "host" level the secondary adapter so that all VM's i put into that adapter were limited to internet only (no LAN) so that i effectively create a DMZ on my lan), however it seemed to ignore the rulesets completely whether i specificed the interface name (or vmbr1 virtual name) or put in specific IP's or not... it only blocked access if i set "vm" level firewall rules per vm. a bit annoying, but it can work. it may be that proxmox cannot filter that interface traffic unless it hits the vm directly (as it doesnt have an IP on that interface at all and only has an IP on its own mgmt interface (seperate nic)).
Based on observation I found that you can only firewall VMs when you assign rules to the VM itself
Any rules you apply to a host just get ignored by the VM
Defining security groups at a Data Center level and applying those to a VM certainly helps reduce the admin work
And with a bit of automation it could be made easier I suppose
It does seem odd to me, but in the grand scheme of things I think it makes security so much easier
For me, this firewall is there to restrict VM to VM traffic when it's in the same network, similar to what a software firewall would do on a computer because a dedicated firewall would never see that traffic
But I still use a dedicated firewall to restrict traffic between networks
Thank you for taking your time to create this video sir! Wish you all the best.
Good to know the video was helpful
I'm pretty sure you don't need to add a "Drop" rule as the firewall will drop any traffic by default that not implicitly allowed.
Yes there will be a drop rule lurking in the background
Although there are other rules going on that you don't see either
I add an explicit rule out of habit as I'm used to firewalls which show a hit counter against every rule you create and that's very useful when you're troubleshooting or just setting up a firewall
These ones don't but I like to have a quick way to see if traffic is being dropped so I just do this on all firewalls regardless
I also find it easier if I want to alter the logging of dropped traffic
According to the documentation, logging of dropped traffic is disabled by default
But with user rules it's at your own discretion
In some companies, everything is logged and sent off for analysis
In others, it's only turned on when troubleshooting, etc
So it's another reason I add a drop rule out of habit
I would love if you could do a video on the Proxmox OVS network setup as well. BTW, I love your videos, I've been binge watching them! Cheers mate!
Currently OVS has a very low priority for me
It is on my project list but at the moment Proxmox doesn't really do anything with it that the Linux Bridge already does
There is a Software Defined Network project that's been ongoing for a while for Proxmox but it's still in an experimental phase and I've yet to look into it
For now my focus is on automation, management and monitoring
@@TechTutorialsDavidMcKone Thanks for the reply... cheers!
Awesome video.. Watched a few of your videos now and just wanted to say thanks for sharing... Would love to see a video about Ceph if you have any experience of it?
Plus you remind me of Phil Mitchell 😅
I'm not planning to cover Ceph for some time unfortunately
Hard Drives are not cheap these days but my servers will also need a controller and cables
So for now I'm just using NFS on TrueNAS
The first time someone told me I looked like Mr Mitchel, I was actually in the London area doing work
I had no idea who they meant so I had to look it up
I can see the resemblance 😀
@@TechTutorialsDavidMcKone cant say I watch Eastenders anymore 😀 thanks again for the videos, really enjoying them
thank you very usefull
Thanks for the feedback
Good to know the video was useful
Playback speed 1.5 needed as per usual
.
An interesting speed, but as long as the video is helpful
@@TechTutorialsDavidMcKone i think it mostly has to do with knowing 90% of what is going to be said i'm looking for that 10% i don't know in most videos. the slow deliberate cadence makes my brain explode waiting on the next word, with playback at 1.5 its much more steady flow on information. i know a lot of guys in the field like this.
Great tutorial as always, can’t help it but think that it would be easier to deploy a robust firewall like pfsense/opnsense on an interface other than mgmt interface and control all access, including management interface through it 🤓
When computers are in the same subnet they talk directly to each other, so a typical firewall appliance would never see that conversation and so can't control it
Transparent or Layer 2 firewalls are rarely used because they lack important features
So typically Layer 3/4 firewalls like pfSense are deployed to restrict remote computers from accessing the hypervisor and the VMs it runs
But it needs either personal firewalls on each VM or a firewall feature like this to restrict traffic between the VMs for instance
It's an important security goal to try and restrict hackers who'll try to traverse from one computer to another when a computer is compromised
It also can be used to try and stop someone plugging a computer into a local network to try and gain access to the hypervisor or a VM which is extremely useful for areas that can't be physically secured
So as shown, I used this firewall to stop a computer accessing a web server in its local network, but allowed the remote computer to still use it as intended
The alternative would have been to install UFW in this case but I have VMs that don't have personal firewall software which makes this firewall option extremely useful
Thank you for this detailed and interesting content. I'm comparing to esxi and nsx. Proxmox seems quite nice. Normal playback speed works for me 😀
Adding the Open vSwitch will certainly help as it brings VXLAN and OpenFlow to the mix