In Proxmox, everything is wide open by default: the firewall is disabled, so a VM can reach anything its bridge can reach. That is a model of most trust rather than least trust.
To lock down a VM in Proxmox, we need to limit how it can talk to the other components on the network, which is where a firewall comes in. A lot of "solutions" to this problem say, "just install a pfSense VM". That can be useful and informative, but it is also overkill, especially when Proxmox already ships the needed capability with an arguably gentler learning curve.
Quick Overview
The firewall must be enabled at all three levels in order to function: Datacenter, Node, and VM. The default policy is inbound DROP, outbound ACCEPT. You may want to tune these at a given level as appropriate for your environment. Be aware that the Datacenter inbound policy also applies to the nodes themselves: Proxmox automatically allows the management ports (web GUI, SSH, VNC, SPICE) from the cluster's local network, but if you administer a node from another subnet, add that address to the built-in "management" IP set before you enable anything, or you will lock yourself out.
We can create rule templates to help us configure policy on individual nodes or VMs using the Datacenter -> Firewall -> Security Group feature.
This is enough info for someone who knows about firewalls to get started. What follows are more detailed instructions.
Enable Proxmox Firewall
First we need to enable the firewall in Proxmox. For a VM to use its own defined set of rules, the firewall needs to be enabled at every level: Datacenter, Node, and VM.
Datacenter
Under "Datacenter", click on "Firewall" -> "Options"
Select "Firewall" in the list
Click the "Edit" button
Check the box
Click "OK"
Node
Under the node, select "Firewall" -> "Options"
Select "Firewall" in the list
Click on "Edit"
Check the box
Click "OK"
VM
Under the VM, select "Firewall" -> "Options"
Select "Firewall" from the list
Click on "Edit"
Check the box
Click "OK"
Using a Security Group Firewall Policy
I want to make sure this VM is unable to communicate with anything on the host or the LAN, while it still gets access to my DNS server, DHCP, and the internet. We can set up these rules under "Datacenter" -> "Firewall" -> "Security Groups".
First we create a group for our rules, then we can add rules.
Under "Create" we simply give the group a name. I called mine "fw-vm-isolate".
When you "Add" rules, the interface is a familiar form with the usual firewall address and port fields. Fields may be left blank; a blank field matches anything, so a sparse rule matches a broad class of traffic.
Rules may be reordered. They are evaluated from top to bottom and the first match wins; traffic that matches no rule falls through to the default policy for that level.
Here is my config. It allows NFS connections to the Proxmox host and DNS to my DNS server, then denies all other traffic to any LAN IP. The VM can therefore still reach the internet, but not any local machine.
DHCP is still allowed because the VM's DHCP requests go out as broadcasts rather than to a LAN IP, so the deny rule does not catch them, and the VM still gets its reply from the DHCP server.
Finally, we apply the security group to our VM using "Insert: Security Group" in the VM's Firewall settings.
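Everything above, the three enable switches and the security group, is stored in Proxmox's firewall configuration files under /etc/pve, so the same setup can be reviewed, version-controlled or applied without clicking through the GUI. Below is an added example of those files; it is not from the original post, and the addresses (192.168.1.0/24 as the LAN, 192.168.1.10 as the Proxmox host, 192.168.1.53 as the DNS server, 192.168.1.50 as an admin workstation), the node name pve1, the VMID 100 and the explicit DHCP rule are assumptions for illustration. Rule syntax is DIRECTION ACTION [options] or DIRECTION MACRO(ACTION) [options], and aliases are referenced by name.

```ini
# /etc/pve/firewall/cluster.fw  (Datacenter level)
[OPTIONS]
# master switch; nothing is filtered anywhere until this is 1
enable: 1
# defaults for traffic that matches no rule
policy_in: DROP
policy_out: ACCEPT

[ALIASES]
lan 192.168.1.0/24      # assumed LAN
pvehost 192.168.1.10    # assumed Proxmox host address
dnsserver 192.168.1.53  # assumed DNS server

# Addresses allowed to reach the host's management ports (GUI, SSH, VNC, SPICE).
# The cluster's own network is added to this set automatically; add any other
# network you administer from BEFORE enabling, or you lock yourself out.
[IPSET management]
192.168.1.50            # assumed admin workstation

# The security group. Rules are tried top to bottom, first match wins;
# anything unmatched falls through to the VM's default policy.
[group fw-vm-isolate]
OUT ACCEPT -dest pvehost -p tcp -dport 2049  # NFSv4 to the host (NFSv3 also needs 111 and mountd)
OUT DNS(ACCEPT) -dest dnsserver              # DNS macro: TCP and UDP 53
OUT ACCEPT -p udp -sport 68 -dport 67        # DHCP (assumed addition; also covers unicast renewals)
OUT DROP -dest lan -log info                 # everything else on the LAN, logged
# No rule for the internet: it is not in "lan", so policy_out ACCEPT applies.

# /etc/pve/nodes/pve1/host.fw  (Node level)
[OPTIONS]
enable: 1

# /etc/pve/firewall/100.fw  (VM level)
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
GROUP fw-vm-isolate -i net0  # same effect as "Insert: Security Group" in the GUI
```

Before relying on it, run `pve-firewall compile` to print the rules Proxmox would generate without applying them, and `pve-firewall status` to confirm the firewall is actually running. The `-log info` on the drop rule makes every blocked LAN attempt appear in the VM's firewall log, which is the quickest way to find anything else the guest turns out to need (the router, for example, if it is also the DNS or DHCP server) so you can add an explicit allow above the drop.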

 
Hi,
I'm trying to use your manual, but unfortunately can't get it working. It seems to block all the traffic among LAN devices; however, no Internet is accessible. Is there anything else I have to do?
Thanks
You may need an explicit allow rule for your gateway (e.g. 192.168.1.1)
Thank you! Very helpful info. You'd think stuff like this would be on Proxmox's actual documentation.
Thanks! Perfect!
Really great article, I was able to quickly and easily get the configuration I wanted with how clearly and succinctly you explained it here.
Thanks. Great information to understand basics of firewall in proxmox.
Warning: Change Input Policy to Accept prior to enabling the firewall as you may lock yourself out.
Learned that lesson the hard way 🥲
According to this, it sounds like LAN access to management ports is still permitted.
https://pve.proxmox.com/wiki/Firewall
Changing the input policy to accept makes the firewall a 'blacklist' style (where you add block rules, and the firewall allows all traffic by default). Ideally, you create a rule for your management IP first, then enable the firewall (and make sure your rule is enabled as well!) and leave the firewall INPUT policy as DROP, keeping it as a 'whitelist' style.