Thursday, April 23, 2020

Proxmox Postfix Gmail Setup

https://www.reddit.com/r/homelab/comments/5nzmm3/setting_up_the_proxmox_email_alerts/dcfihdw/

https://www.linode.com/docs/email/postfix/configure-postfix-to-send-mail-using-gmail-and-google-apps-on-debian-or-ubuntu/

Saturday, April 18, 2020

Proxmox Firewall and Isolating VMs

It's pretty common to want to isolate VMs. In applications like virtualbox, VMs are only able to interface with the host in a very limited manor. You must intentionally create interfaces with the host or other computers on the network.

In Proxmox, everything is wide open by default. It uses a model of most trust, instead of the model of least trust.

In order to lock down a VM in Proxmox, we need to limit how it can interface with other components on the network. This is where a firewall comes in. There are a lot of "solutions" to this problem that say, "just install a pfsense VM". This can be useful and informative, but also overkill. Especially when Proxmox comes with the needed capability, and at an arguably less steep learning curve.

Quick Overview

The firewall must be enabled at all three levels in order to function. That's Datacenter, Node, and VM.

The default policy is inbound drop, outbound accept. You may want to tune these at a given level as appropriate for your environment.

We can create rule templates to help us configure policy on individual nodes or VMs using the Datacenter -> Firewall -> Security Group feature.

This is enough info for someone who knows about firewalls to get started. What follows is more detailed instructions.

Enable Proxmox Firewall

First we need to enable the firewall in Proxmox. In order to have a VMs use it's own defined set of rules, the firewall needs to be enabled at every level. That would be Datacenter, Node, and VM.

Datacenter

Under "Datacenter"
Click on "Firewall" -> "Options"
Select "Firewall" in the list
Click the "Edit" button
Check the box
Click "OK"Here I've also changed the Input Policy (Default: "DROP") to "ACCEPT", allowing access from anywhere on my network. This ensures that other services I'm already using don't break. Ideally I would create a FW rule to allow each specifically.

Node

Under
Select "Firewall" -> "Options"
Select "Firewall" in the list
Click on "Edit"
Check the box
Click "OK"

VM

Under the VM
Select "Firewall" -> "Options"
Select "Firewall" from the list
Click on "Edit"
Check the box
Click "OK"

Using a Security Group Firewall Policy

I want to make sure this VM is unable to communicate with anything on the host, or network, but still needs access to my DNS server, DHCP, and the internet.

We can set up these rules under "Datacenter" -> "Firewall" -> "Security Groups"
First we create a group for our rules, then we can add rules.

Under "Create" we simply give the group a name. I called mine "fw-vm-isolate".

When you "Add" rules, the interface is a familiar form with all the firewall address and port options. Fields may be left blank, enabling rules to match a broad definition of traffic.

Rules may be reordered. They are effective from top to bottom. First match wins.

Here is my config, it allows NFS connections to the Proxmox Host. It Allows DNS to my DNS server. Finally, it denies all other traffic to any other LAN IP. This means it can still connect to the internet, but can not reach any local computer.

DHCP is still allowed because the VM can still send broadcast messages, and will get a reply from the DHCP server.

Finally, we apply the security group to our VM. Using "Insert: Security Group" in the VM Firewall settings.