How To Configure Proxmox VE Firewall

Unlike some of the hypervisors that you'll come across, Proxmox VE has a built-in firewall. This allows you to protect and restrict access to your hypervisors without having to purchase or install additional software. In addition, the firewall can also be used to restrict access to your virtual machines, which is especially useful if you've got operating systems that don't have their own personal firewall software. But more importantly, this allows us to restrict local access, for instance traffic between the virtual machines themselves, the type of traffic that your typical dedicated firewall appliance would never see. So what's really useful here is that it gives us an extra layer of security. But how do you configure this Proxmox VE firewall? Well, if that's something you're interested in finding out, then stick around and watch this video, because that's what we'll be going over.

Now the first thing to point out is that by default the firewall is disabled, but you can also configure it at different levels. So if you come to the Datacenter level here and then come down to where it says Firewall and click on that, this is where you configure firewall rules. We've then got Options. Now this setting here I would refer to as the master switch: by default it's set to No, and until that's actually configured and set to Yes the firewall is turned off. So it makes no difference what firewall settings you put in; they'll have no effect until the firewall itself is turned on. We've then got Security Groups, Aliases and IP Sets, which we'll go over later.

At a hypervisor level we've also got our firewall settings as well, so if I click on that we can configure firewall rules, and we've also got options that we can set. Now by default the firewall is actually enabled at this level, but again, because it's disabled at the datacenter level, it's not actually having any effect. We can also come here to check the logs for the hypervisor. You can then go to a virtual machine that's also got a
firewall setting, so if we click on that we can configure firewall rules for our virtual machine, and we've got Options. Now by default that's actually set to No, so even if we turn it on at a datacenter level there's no firewalling taking place on the virtual machine until you edit this and change it to Yes. We can also configure aliases and IP sets, and we can check the logs here for the virtual machine. Now one other thing I'll point out is that if we go to Hardware, select our network card and click on Edit, by default firewalling is enabled on the network card itself. But again, it's just that by default we've got this setting set to No, meaning there isn't actually any firewalling taking place anyway, at least not by default.

So in order to use this firewall we do actually need to turn it on. We go to Datacenter, then Firewall, then Options, and then what we would do is enable the feature here. But, and I do stress this, we don't have any actual firewall rules defined. So if we go up a level to Firewall, there are no rules defined here; if we go to one of our nodes, we've got no rules defined there. And like a typical firewall, this has an implicit deny, so because we don't have any rules defined, the traffic will get dropped. In other words, if we enable this firewall, chances are we'll end up locking ourselves out. So that's something you really need to be aware of: don't just enable that firewall feature without at least creating the rules first. Having said that, this particular firewall does have a twist, and it does cover that in the documentation, but it is something I want to point out. So I'm going to do this for demo purposes, but it isn't something I recommend you do. I'm going to go to Firewall, click on Edit, then select the Firewall option there, click OK, and that should set the firewall to enabled at a datacenter level, meaning that the hypervisors should now be firewalled, but not the virtual machines. So I'm going to
click somewhere else, and you can see that we've now got essentially a spinning wheel going on. In other words, we have actually locked ourselves out. I didn't create any rules, so not surprisingly I can't get access; it doesn't matter where I click. I mean, there's obviously some caching going on within the browser, but we are actually locked out of the GUI. There's nothing I can do; I can't get back in at this stage. Now interestingly enough, if I go to this SSH session that I've got and hit return, this is an actual SSH session that I'd opened up before, and I can't get access to that either. Now for a web browser it's not unusual to be locked out, because it's not a permanent connection. For an SSH session, on the other hand, it is, because typically with a firewall, when you've already got a connection open and you enable the firewall or make changes, firewalls don't usually disconnect existing sessions; they do keep them open. But in this case it doesn't, so that's something you need to be aware of. If you go through the documentation it does give you a recommendation to have an SSH session open, but I don't have that option; the trouble is I am now actually locked out.

But like I said, there is a bit of a twist here. Now just to point out, this particular computer that I've been using to connect to Proxmox and to enable the firewall is remote to the hypervisors; in other words, it's in a different network. This computer, on the other hand, is actually in the same network as the hypervisors, so I can continue on with my connection to Proxmox through the GUI. I mean, we didn't actually create any rules to allow this: if I go back to the node, for instance, it's got no rules defined here, and if we go to the datacenter there are no rules defined there, but the firewall is enabled. So in other words, the remote computer has been locked out but not the local computer. I mean, I've got a
PuTTY session for this one as well, and that's still working. So that's something to bear in mind: like your typical firewall, it does have an implicit deny rule to drop traffic, but what the developers have also done is set up some other rules that you don't see here, which allow local access even once the firewall is enabled. So by default the firewall is disabled, which means you've got local access; and even if you turn the firewall on without defining any rules, then by default you'll still continue to have local access. The whole point of setting up a firewall like this really is to restrict local access, so that's something that you really need to be aware of: unless you take action, you're still going to end up allowing local access to things like hypervisors, for instance.

If you lock yourself out and you don't have a local computer that can give you access to your hypervisors, one option is to open up a console session like this and make a change to the configuration file to disable the firewall. So to do that I'm going to type in nano; you need to go to /etc/pve/firewall, and the file that I want is called cluster.fw. Hit return, and all we've got in here at the moment is just this enable option, which is set to 1. So I'm going to change this to 0, save that file and hit return. Now if I go back to my local computer you can see it's already showing the firewall as disabled. If I go to the remote one I'll just refresh this session, because the session itself was basically blocked and disabled, so let's try refreshing that and see if we can get access back to it. Because essentially we've disabled the firewall, we've now restored our remote sessions, by just completely disabling the firewall for the entire cluster.

Now in the previous method we disabled the entire firewall, and in a production environment you may not actually want that, especially if this is an actual cluster
that's already up and running and you've just somehow, maybe by creating a rule for instance, locked yourself out in some way. If we disable the entire cluster firewall we'll be disabling firewalls on virtual machines and on every node, for example, and you may not necessarily want that. What we can do instead is just disable the firewall service on a particular node and regain access that way. So I've restored the firewall here; if I go back to our remote session you should find, yep, we're spinning our wheels. So if we come back to our console session, we put in a command on this specific node to stop the firewall service; it only stops the firewall on this specific node. So if I go back to my remote computer and then just click somewhere else, I've got access back to this node again. It takes a while to get itself back together, but what I can now do is go back to the datacenter level, for example, and start making my rule changes here, or I could add rules in for that specific node, for instance. But the key thing is that the firewall itself, from a cluster perspective, is still operating; all we've done is disable the firewall service for this specific node. And then once you've done what's necessary to restore service, we can come back here and just restart the firewall on this node. So that's another alternative option that you could use.

Now when it comes to creating rules for hypervisors, you can do it at two different levels. We've got the datacenter level, so if we go to Datacenter and then click on Firewall here, you've got an option to click Add and you can start adding in new rules; any rules that we create here apply to all of the nodes or hypervisors within that cluster. On the other hand, if I go to a specific hypervisor and select its firewall settings, I've got exactly the same Add button here, where I can start creating individual rules for that hypervisor. But personally I'd say it makes more sense to centralize all your rules; it makes the
administration process a whole lot easier.

Now the goal is to restrict access to these hypervisors; in other words, we only want certain computers to be able to get access, and one of the things I certainly want to do is block local access. So to do that we're going to do this at a datacenter level. We go to Datacenter, then Firewall here, and if I click on Add I can start adding rules. But we want to be as specific as we possibly can, and that includes specifying the interface. Now there isn't a drop-down option here, so for that reason I've deliberately got all of these hypervisors set up so they've got the exact same network interfaces, but you would have to double-check. If we go to System and then Network, I've got a series of interfaces on this computer, and I just need to be specific in terms of which interface is which. So vmbr0, for instance, is my management interface. In which case I'm going to go to Datacenter, back to Firewall, click on Add, and I'm going to specify that as the interface, because I only want management access allowed on that specific interface. For the source, well, it's giving me a drop-down option but we haven't defined any options at this stage, so I'm going to put in an IP address at this point; I'm just going to put in the IP address of my remote PC. For the destination, what I'm going to do is just specify this one specific computer, specifically this node that I've got here; that's what its IP address is, because I want to be, as I say, as specific as possible. So I've put in its IP address; it just means that I'm going to have to repeat this rule for each individual hypervisor, though. Now I can put in a comment, so I could say "management access", for example. I've got choices here for a macro: if you click on the drop-down option there's a series of known applications that you can select from, but what we're going to do is keep things simple, really, to just have as few
rules as possible. So I'm actually going to start setting the destination ports. In this case I want to allow access to port 8006, for instance; I also want to allow SSH, so I put in a comma and then 22 for SSH. I'm now specifying what the destination is. I'm not really bothered what the source port is, but I do need to be specific about the protocol, so we need to set this to TCP. So we'll then click on Add. Now by default that rule isn't enabled, and that's quite useful, because I'm going to start repeating these rules, and the problem is you'll find that the rules end up going right to the top. So if you enable a rule that blocks things, for instance, you could end up locking yourself out. So I find it's better to leave the rule disabled, shuffle things around, move them into the order that you want and then start enabling them. But what I can do is copy rules to just make my life a bit easier. So I'll change that to 11, because that's the other hypervisor; copy that again, and then 12 is my other hypervisor. And what I can do is drag these and move them into position, for instance. So this is just something you have to bear in mind, as I say: every time you create a new rule it just ends up going right at the top of the list. So I've now got those in nice numerical order, and what I can do is enable them from here; I don't have to go back into the rule to enable them. But that at least sets up some very basic rules to allow access specifically from that computer to all three hypervisors on those specific ports.

Well, now that we've got some rules set up which allow access from our remote management computer to our three hypervisors, if we turn the firewall on this time we should still be able to get access. So go down to Options, click on Firewall, then click on Edit, tick that option to enable the firewall, and then if I start just clicking around I've
still got access to the devices within the cluster, so everything is still working this time round. If I go to an SSH session, that's still working as well. So by putting those rules in we do have our access from our remote computer. You'll notice the catch, though: if we go to our local computer, we've still got access on the local computer as well. Now bear in mind there's already an upstream firewall which is basically controlling remote access to these hypervisors and virtual machines, so we haven't really gained anything as such. What we really want to do is restrict local access as well, but those built-in rules still exist, so we need to add rules of our own to override them. So because I only want to allow management access to these hypervisors from that one specific machine, I'm going to click on Add and we're going to create a rule to block all other traffic on this management interface. So we're going to change the action to DROP, and then for the interface we'll put in vmbr0, which is my management interface. I don't need to specify a source, a destination, source port, destination port, macro or protocol, because really we don't care; we just want to block everything else. These are the only rules that I need to allow access, so all other traffic should get blocked. One thing I'll point out is that I do not want to enable this rule, because it'll go straight to the top as soon as I create it, and that will certainly lock me out. I will give it a comment, so I'll just say "block other management access", for example. Now I do want to log all this, so I'll change it from "no logging" to, for example, "warning". Now click on Add, and as you can see it's gone right to the top of the list, so we'll drag this right to the bottom, and now what we'll do is enable that rule. So if I start clicking around here I should still be able to get access from this specific computer, because I've got rules in place that are allowing access from this one computer. If I go back to my local computer you can see
how it's starting to spin its wheels. It's a bit deceptive, it takes a while to take effect, but you can see now I'm basically locked out; I can't get access. If I open up a PuTTY session and try to get access from PuTTY to pve-node1: nothing. Open up a command prompt, and I can't even ping the computer from the local network. If I go back to my remote computer, on the other hand, yeah, it's still working, and that's because although there are built-in rules, the rules that I'm defining here are rules that take precedence. So by setting up that rule I've made sure that there is no local access to these hypervisors.

However, there is a bit of a catch, and that's because we're only connected to node 1, and what we've got here is a GUI that gives us access to all of the other nodes. Now if I start to click on these other nodes it's starting to spin its wheels. Essentially the reason is that when you're connecting to these other nodes it's actually getting proxied through this node. So I need to add in some other rules to allow me to carry on getting access to all of the nodes through this one window pane, essentially. I mean, I would still be able to get access to the individual nodes themselves through separate sessions, but I quite like the ability to just jump from one node to the other within that one pane of glass. So in order for me to get access to, say, node 2 through this session that I've got connected to node 1, I actually need to set up a rule that allows access from node 1 to node 2. So if I click on Add I'll specify the interface as vmbr0; I need to specify the source, which is 172.16.19.10, and the destination, 172.16.19.11.
The protocol will be TCP, destination ports 8006 and 22, because what you'll find is that there are actually a lot of things that get tunnelled between these computers, so you want to have that port 22 open as well. So I'll just give this a comment, let's see, "local hypervisor access", assuming I could spell, of course. I'll have to drag this further down, and then we'll enable that rule. So it's essentially the same access that I'm providing to the local computer that I've got, except, as I say, that port 22 just gets used because they do quite a lot of tunnelling. But if I click on node 2 you can see I can now actually get access to it. I can't get access to node 3, though; that's blocked because I haven't created a rule to allow access from node 1 to node 3, so I'd have to repeat that. The only thing is I'd also have to set up rules to allow access from node 2 to node 1, node 2 to node 3, and so on, so there are a lot of rules I'd have to set up to do this sort of thing. But there is a simpler way to do all this.

Having said that, there are some other rules that we need to set up to restrict other local access. Now these hypervisors have multiple interfaces, and because by default the firewall is allowing local access, I need to add in some additional rules to block the possibility of management access on these other interfaces. So in this case I've got a storage interface; now that should be an isolated network, in the sense that there should only be the hypervisors and the NAS that exist there. Similarly with the cluster interface, we should only have hypervisors. But all the same, it's always about least privilege, in which case I should actually be blocking access on these interfaces as well. Now as it turns out, when it comes to storage we only need outbound access anyway, so realistically I could just drop all inbound traffic for the storage interface. And when it comes to the cluster
interface, there are built-in rules to allow the cluster traffic, so what I could actually do is just block all inbound traffic on that interface as well. So if we come back to our datacenter firewall, what I can do is add in individual rules for those interfaces, which I do prefer to do. I mean, this particular firewall doesn't have the ability to show hit counts, which is unfortunate; it would be extremely useful, and that's the reason I would prefer to have individual rules for individual interfaces. So at this stage it doesn't have that ability, but you never know, it might change. In which case I'm going to add in some additional rules to drop traffic on these other interfaces that I've got. So I want one for the storage interface, that's ens224, so let's call that "block inbound storage", for example; see, now I can spell. I do want to log that, but at this stage I'm not going to enable it; I'm going to move that one right down to the end there, and then we'll enable that one. And what I could do, actually, just to make my life a bit easier, is copy that one; this one will be ens256, and change the comment to "cluster". I don't want to enable that yet, just to be on the safe side. Technically it shouldn't matter, because I'm not specifying anything that impacts these interfaces here, but it's always better to be safe than sorry. So now I've got individual rules to block inbound access. I should still be able to get management access, which is intended, but we're blocking all local access; we've got outbound access to the NAS, which is all we need, and as I said there are already inbuilt rules when it comes to the cluster interface anyway. So by having these rules we've locked the hypervisor down. Note at this stage what we've got: three rules here allowing remote management access to all three nodes, plus only a single rule that I've set up so far between node 1 and node 2.
Now I set that rule up so that I could get access to node 2 while I've got a session directly to node 1 itself. Now if I want to get access to node 3 I'm going to have to create another rule from node 1 to node 3; if I want to then start a session to node 2 and get access to node 1 through that, I need another rule from node 2 to node 1. And it means I'm going to have to create a lot of rules like this one to do that sort of thing. But you don't just need these rules specifically for that type of management reason; you need them for the functionality of the hypervisors themselves. So if you go over to High Availability, for instance, I've got two virtual machines being protected. I've got Zorin 1, which is set up to run on basically any node, and at the moment it's running on node 1. Zorin 2 should really be running on node 3, but the problem is it's stuck, and the reason is that node 1 does not have access to node 3. Which means I need to start adding in these extra rules, just replicating a rule like this, to give connectivity between all of these nodes. Now this is going to get worse and worse, basically, the more hypervisors you've got within a cluster; you're going to end up with a lot of rules. But we can actually consolidate these to make the administration simpler, and it also means you're less likely to make a mistake.

Now so far we've been defining rules using IP addresses, but it's actually easier to remember a name rather than an IP address. Fortunately the firewall gives us the option of aliases. So I'll click Alias, then click Add. I want to set up an alias specifically for node 1, so I'm going to call this pve-node1. Now it asks for this in CIDR format, so what I could do, if this had been an entire network, is define that as 172.16.19.0/24, for instance. This is actually for a specific computer, so it's a /32 host. Now in this case I don't actually have to have that /32 at the end, so I can leave that off, but
I do want to put in a comment, and I'll reference this as being a management interface. Click Add, and I've now got an alias that I can use in my rules. So if I go back to Firewall, click Add, and then in either the source or the destination I can now use that alias, so I don't have to keep remembering what its IP address is; I just need to remember the name of the computer. So I'm just going to repeat this, because I need to set these up for all of the nodes plus my management computer.

Now another way to make rule administration easier is to group things together. So rather than having multiple rules, for instance where you've got multiple networks all needing access to the same server, you could group those networks together and then just have one rule. And to do that with Proxmox VE we create an IP set. So we'll click IP Set, then Create. Now I want to group my hypervisors together, for example, so I'm going to call this one "hypervisors" and click OK. I'll select that IP set, and now what I need to do is add either networks or individual devices to this IP set. So I'll click on Add; now I've already got some aliases defined, so it makes my life a bit easier, and what I can do is just pick out that node and click on Create. I'll then repeat that for nodes 1, 2 and 3, so I've now got an IP set I can reference for anything involving those three nodes. So what I'm going to do is repeat this, except for management devices. So at this stage we've defined some IP sets as well as aliases, and we could go back to our firewall rules and update all of these to make them a bit easier to understand. But we can actually consolidate these rules as well, and that's by creating what are known as security groups. So if we go to Security Group, click Create, and I'll give this a name; we'll call this "hypervisor access", for instance, the name being self-explanatory. So I'll just click Create, and I now need to create an actual rule within that. So I'll click on Add; the
direction is inbound, and it's set up to allow the connectivity. So for the source I'm going to select my management devices, and for the destination, hypervisors. I can enable this because it's not actually in use yet. Set the protocol to TCP, the destination ports I want are 8006 as well as 22, and then I'll just say "management devices to hypervisors", for instance, and click Add. I'll select that, and what I'll do is duplicate it and set that to allow hypervisor to hypervisor, basically; so that's "hypervisors to hypervisors", if I could spell hypervisors. So I've now got a security group that's set up to allow the management devices to get access to the hypervisors, as well as to allow hypervisors to get access to each other.

Well, now that we've got a security group which covers all of the hypervisor access that we need, what we can do is go back to our firewall rules, and instead of clicking on Add we can click Insert Security Group. We've only got one security group available and it's automatically picked that, but I do need to specify the interface, and I'm going to give this a comment of "hypervisor access", for example, which again would help if I could spell. So click on Add; that's gone to the top of the list. Now it doesn't mention much about the details; you'd have to go all the way back to the security group to find out exactly what's going on. But if we go back to our rules here and enable that option there, what we've got through that one simple rule is access between all of the hypervisors themselves, as well as access from the management computer. You might notice that all of a sudden Zorin 2 has started to move across, and it should start up shortly. But what I can do now is start disabling these individual rules; in fact, I can actually remove them altogether, because it means that just through that one rule that I've got there I've got everything I need to cover hypervisor access. I mean, if we come back to our security group, we can find it
here, in terms of hypervisor to hypervisor and management computers to hypervisors. If we come back to our IP sets, we've got the hypervisors defined there and these are our management devices (at the moment it's just one computer); then of course you've got our aliases defined, in terms of just names instead of IP addresses. But it should make things a lot easier to manage going forward. I mean, I don't have to do anything as far as that one rule is concerned if I need to make any modifications. So if, for example, I need to add more hypervisors, I just need to update the hypervisors group that I've got here in this IP set; if I need to give more computers management access, I just need to edit the IP set here for management devices. I don't necessarily have to add more aliases; I mean, I could just use IP addresses within the IP sets if I want, but by having all these layers it just makes things, to me, a whole lot easier to manage, and it's a lot simpler just having that one rule, I would say, going forward. So as I say, I can remove all of those rules now; they're no longer necessary. But it means I've now got the management access that I need into the hypervisors, and the hypervisors have got all of the access that they need; it's just through that one security group.

Now one final thing that I'll say about the rules that I've set up for all these hypervisors is that they do work for me, and they are pretty much the default sort of rules you could set up. So when Proxmox is first built it gets one interface, vmbr0. Now granted, I've since added in an additional interface for storage and another one for the cluster traffic, but everything really takes place on that one interface, vmbr0, unless you've made some changes. So if, for instance, you've made Proxmox VLAN-aware and you're now using sub-interfaces, then your rules to get remote access to Proxmox need to be based on that interface. Likewise, the communication taking place between these hypervisors, for me, is over
that original interface, vmbr0, but if you've again introduced VLANs, or you've changed the behaviour of how these hypervisors communicate with each other, in other words if it's on a different interface, you're going to need rules to allow that traffic over that interface instead.

Now the firewall that we get with Proxmox VE can also be applied to your virtual machines. By default it is disabled, and it does have to be configured on a per-VM basis. So although we've got it enabled at the datacenter level, because it's disabled at the virtual machine level, this virtual machine has no restrictions. So at the moment I've got this remote computer that's got access to the web server on the Zorin 2 VM I've got; I've also got a local computer which has got access to the web server as well. Now I can restrict access to that web server remotely because I've got an upstream firewall appliance, but there's nothing protecting local access to the virtual machine. So this firewall is actually extremely useful, especially if you've got an operating system that doesn't have some form of personal firewall, because you can use this firewall to restrict that local traffic, in other words VM-to-VM traffic, or even potentially VM-to-hypervisor, if there is somewhere for the virtual machines to connect to the hypervisor locally. Another benefit that you get out of this is that the firewall is independent of the operating system on that virtual machine. So if, for instance, a hacker were to get elevated privileges on a virtual machine, they do have the potential to override the guest's own firewall, whereas unless they've got access to the hypervisor they can't do anything about this firewall. And as well as restricting inbound access, you can also restrict outbound access on this firewall. Now just like I warned with the hypervisor, if you enable the firewall on a virtual machine it's best to create rules that allow access in the first place, and that's
because there's a built-in implicit deny. The difference between the virtual machine and the hypervisor is that you won't be able to get local access. Now just to demonstrate that, if I go to the firewall option here, click on Edit, enable this firewall and then click on OK, if I give it long enough the firewall will then kick in, and as you can see, by default it's going to start dropping traffic. So if we go to our remote computer and try to get access to the web server here (I've just done Ctrl+F5), you can see it's starting to spin its wheels. Go over to my local computer and try the same from there; yeah, it's just spinning its wheels as well. And that's because we've enabled the firewall on this virtual machine and it's just blocking all inbound access. So in other words, we actually need to set up some rules to allow access to that web server. I mean, you can still get access to the console section, because that's taking place through the Proxmox hypervisor, but we can't get access to the applications or the services on this computer, and that's where we need the rules.

Now rules for a virtual machine have to be applied to the virtual machine itself. To do that, you pick out your virtual machine, select its Firewall and then start adding new rules in here. Now if you go to the datacenter level it's not going to stop you from creating rules that would potentially apply to your virtual machines; they just don't have any effect. It's the same if you go to a hypervisor and start creating those sort of rules there; it makes no difference, because those types of rules only apply to the hypervisor. So you've got to create and apply these rules to the virtual machine itself. Now to try to make things a bit easier, you've got aliases and IP sets. If we click on the Add button to take advantage of things like that, what's particularly interesting is that if I click on Source you can see that I'm getting access to the IP
sets and aliases that were actually defined at the datacenter level. So this is very useful when you've got a lot of virtual machines and you need to take advantage of the same sort of IP sets and aliases; you can just define them all at a datacenter level. Having said that, you can make life a whole lot easier by actually using security groups. We don't get to define them here, but we can define them at the datacenter level. So we can set up common rules in the form of security groups at a datacenter level and then start applying those security groups to virtual machines. Now let's say, for example, I've got multiple web servers and I want access to all of them from the same source. Well, to make life easier, what I can do is create a security group and then apply that security group to those virtual machines. So I'm going to click on Create to create a new security group; I'm going to call this one "web server access" and click Create. I'll select that security group and now I need to add a rule. For the source it's best to pick a group; now for the sake of this demo I'm just going to keep things simple. I want to pick out the one for management devices, because that encompasses my management computer, specifically this computer, which is the remote computer. The destination, well, in my case the virtual machine that I've got has only one interface and one IP address, so there's no real gain in specifying that. If I've got virtual machines with multiple interfaces, I could for instance set up a group that encompasses the networks that the interfaces are in and define that there, but to keep things simple I'm just going to leave that blank, because it's not really going to make any difference to me. I will enable this rule. To keep things simple I'm going to pick out the macro for HTTP, because that's all that this web server supports anyway, then we'll give it a name, or a comment, of "HTTP access". The good thing
about this is that if somewhere down the line these web servers needed HTTPS access I could add that in, and I could also remove this at a later date. So there's a lot of flexibility here, where I've defined a security group that applies to multiple virtual machines and I can affect all those virtual machines through this one security group. So as I said, that makes the administration a whole lot easier doing it this way. So if we go back to our virtual machine and then select the Firewall, what I can do is just insert that security group, so pick that out from the list. Now what I could do, if this virtual machine did have multiple interfaces, is also restrict that rule to the specific interface that I want, so for example maybe the production interface; that way I wouldn't be allowing access to it through, say, the management interface. Likewise, if this had been a management rule I could have set it up to only allow access through the management interface. But again, for the sake of this demo there is only one interface and there is only one IP, so for me there's no gain in being specific. So I'm just going to enable this rule; this particular rule is to allow access, it's not to deny access, so it doesn't really matter. But I'll give this a comment, say "web server access", click on Add, and now we've actually got a rule to allow access to the web server. The only thing to point out is that we've got an implicit deny rule going on here, but we're not actually logging anything, so it would be better to have a rule in here at the end to drop all of the traffic. So I'm just going to put that rule in and just say "block everything else". I'm not going to enable that, because if I click on Add it goes right to the top of the list. What I'm going to do is edit that and set it to "warning", because we do want to keep an eye on what traffic's being blocked, and then I'll enable that rule. So the good thing about this is that this makes it a lot easier to manage rules for
multiple computers because going forward all I need to do is just modify that actual Security Group and it'll apply to all of my web servers now ideally it would have been better to have applied these rules before we enabled the firewall but as I said I did want to demonstrate the fact that if all you do is actually enable the firewall it also blocks local access which is different to how the hypervisors work but the key point is we've now got a rule in the form of a Security Group which is allowing access specifically from this remote computer but it's dropping access to everything else so if we go back to this tab if I hit Ctrl 5. you can see I I've now got access to that Apache web page I'll go over to the local computer on the other hand the controller five it's just sitting spinning its Wheels so in other words I've got rules in place to allow access from the remote computer so that's the same sort of rule that I would have in place on an upstream firewall but the key thing is that this firewall is now actually blocking local access which is something that that's Upstream firewall can't do traffic never goes anywhere near that of a firewall so this is extremely useful a very useful extra layer in your security to have and if you do actually want to keep an eye on what's actually being blocked you can just go to the log page here and there's well yeah networks can be quite chatty so there's a lot of things being blocked but that includes access to Port 80 from this local computer that we've got now just like other computer systems sometimes things don't work as expected though sometimes it just don't work at all in which case you need to be able to do troubleshooting an investigation to find out what's causing the problem uh with proxbox what we've got is at a hypervisor level you can go down with the firewall setting here and pick out the log and you can start to get logging information about traffic that's being dropped for instance here by the firewall and 
you can do the same with your actual virtual machines so if I pick out that virtual machine there's its log setting they're showing me all the traffic that it's dropping the key thing to point out is that although the firewall actually has a built-in implicit deny rule that rule isn't actually logging anything that it's actually dropping now that's the reason why I create rules like these ones here at the end which actually set up some logging so granted they don't have a head counter which would have been beneficial but at least they're actually logging information so I get to know what sort of traffic is actually being dropped so that's extremely useful if you're finding something isn't working you can have a look on the logs and seeing if the actual firewall is actually blocking access to something now the rules that we've been defining have been done through the graphical user interface but when it comes to troubleshooting sometimes you need access to the command line now I could go into a console session in my case I've opened up an SSH session to node 1. 
I'm not going to do is swap the folder where these actual rules are being stored so that's slash Etsy PVE firewall so it's the same rule that I mentioned when it came to try to fix a problem where if you got yourself locked out for example if you haven't looked in this folder you've got the original cluster.fw file I mentioned before if you have a look at that file it's now got extra entries in it hasn't just got this option up here to enable and disable the actual firewall at cluster level we've got aliases IP sets and so on including the actual rules themselves but it's also got the actual files that go with the individual virtual machines themselves so this one here 102.fw is the actual set of firewall rules in the actual setting to enable or disable the firewall where this is our own two computer that we touched upon earlier so as you can see we've got a rule here to allow the web access but also another rule to drop access to everything else so this is a an extremely useful way to be able to get alternative access to these actual firewall rules you could use it for automation as well even for restoring actual files from backup for example well thanks for making it to the end of this video I really do hope you found it useful if so then do click the like button and share as that'll help get the video out to more people who might find it useful as well if you've got any comments or suggestions please post those in the comments section below and if you're new to the channel and you'd like to see more content like this then yes do subscribe just remember to set the Bell icon to actually send you notifications when new content gets released although I also post to Twitter as well as Facebook if you'd like to help the channel and support it you can actually make contributions through PayPal and buy me a coffee I've also got links to patreon and there's also the join membership option for YouTube itself patreon and YouTube members do have the option to actually 
benefit from Early Access as well but above all many thanks for watching this video I'll see you in the next one [Music]
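As an added example (not code from the video), here is a small Python audit of the .fw files the video shows under /etc/pve/firewall. It parses a constructed cluster.fw and 102.fw modelled on the demo (the IP set and security group names, and the management address, are assumed, since the real ones aren't shown) and flags the pitfalls covered above: master switch off, VM firewall enabled with no allow rule, and no logged catch-all drop at the end.

```python
import re

# Constructed to mirror the video's setup; group/IP set names are assumed.
CLUSTER_FW = """\
[OPTIONS]
enable: 1
[IPSET management_devices]
192.0.2.10 # remote management computer (constructed address)
[group webserveraccess]
IN HTTP(ACCEPT) -source +management_devices -log nolog # HTTP access
"""

VM_102_FW = """\
[OPTIONS]
enable: 1
[RULES]
GROUP webserveraccess # web server access
IN DROP -log warning # everything else, logged
"""


def parse_fw(text):
    """Split a .fw file into {section: [rule lines]}, comments removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


def audit_vm(cluster_text, vm_text):
    """Flag the pitfalls the video demonstrates; returns a list of findings."""
    cluster, vm, findings = parse_fw(cluster_text), parse_fw(vm_text), []
    if "enable: 1" not in cluster.get("OPTIONS", []):
        findings.append("cluster master switch off: VM rules have no effect")
    if "enable: 1" not in vm.get("OPTIONS", []):
        return findings + ["VM firewall disabled: no restrictions on this VM"]
    expanded = []  # GROUP lines are replaced by that group's rules from cluster.fw
    for rule in vm.get("RULES", []):
        m = re.match(r"GROUP\s+(\S+)", rule)
        expanded += cluster.get(f"group {m.group(1)}", []) if m else [rule]
    if not any("ACCEPT" in r for r in expanded):
        findings.append("enabled with no ACCEPT rule: implicit deny blocks all inbound")
    last = expanded[-1] if expanded else ""
    if not (last.startswith("IN DROP") and "-log " in last and "nolog" not in last):
        findings.append("no logged catch-all DROP at the end: implicit deny logs nothing")
    return findings
```

Run it against real files by reading /etc/pve/firewall/cluster.fw and the VM's <vmid>.fw and passing their contents to audit_vm; an empty list means none of the three pitfalls were found.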
Info
Channel: Tech Tutorials - David McKone
Views: 9,622
Keywords: proxmox firewall configuration, proxmox firewall rules, proxmox firewall example, proxmox firewall cli, proxmox firewall command line, proxmox firewall settings, proxmox firewall disable, proxmox firewall best practices, proxmox firewall, configure proxmox firewall, proxmox configure firewall, proxmox setup firewall
Id: yA9e7A9v7Xc
Length: 48min 51sec (2931 seconds)
Published: Mon Jan 09 2023