In today’s digital landscape, securing your virtual infrastructure is paramount. Proxmox, a powerful open-source virtualization management solution, comes with a robust firewall system designed to protect your containers and virtual machines (VMs). While the firewall isn’t activated out of the box, enabling and configuring it properly can significantly enhance your security posture. This blog will walk you through the process of activating the Proxmox firewall and managing firewalls for your containers and VMs.
Activating the Proxmox Firewall
Initial Setup
To begin, navigate to the Datacenter node under the Server View. Here, you will find a Firewall option in the Datacenter menu. By default, the firewall is switched off. Before proceeding, it’s important to note that Proxmox has several default firewall rules aimed at preventing accidental lockout. For instance, if you’re on the same local network, you should be able to access the web interface and SSH even if the firewall is enabled without any changes. These default rules are not visible in the interface but can be viewed using iptables-save
.
Enabling the Firewall
To enable the firewall, double-click the setting under Options and check the box that opens. However, avoid doing this immediately as the default incoming policy is set to DROP, which might render the machine inaccessible.
First, you need to configure the necessary rules
- Add a Rule for Web Interface Access:
- Navigate to Datacenter > Firewall and click Add at the top of the page.
- Configure the rule with the following settings:
- Direction: in
- Action: Accept
- Interface: interface name eg. vmbr0
- Enable: yes
- Protocol: tcp
- Destination Port: 8006
This rule will allow access to the Proxmox web interface. If your Proxmox server is accessible from the internet, consider restricting the source IPs to enhance security.
- Enable the Firewall:
- Go to Datacenter > Firewall > Options and change the Firewall setting from No to Yes. If the rule is configured correctly, you should still have access to the web interface. However, SSH access will be blocked, which needs to be addressed next.
- Allow SSH Access:
- For SSH, which operates on a known port and protocol, use the macro setting. Add a new rule:
- Direction: in
- Action: Accept
- Interface: interface name e.g vmbr0
- Enable: yes
- Macro: SSH
- For SSH, which operates on a known port and protocol, use the macro setting. Add a new rule:
If your server is internet-facing, it’s advisable to restrict access further, perhaps by requiring a VPN connection to the local network to limit access to non-routable IPs. These steps should secure your Proxmox cluster with minimal incoming access requirements
Firewalls for Virtual Machines and Containers
There’s ongoing debate about whether to use the Proxmox firewall for VMs and containers or to rely on their internal firewalls. Since most VMs and containers run Linux, they have access to the same firewall capabilities as Proxmox. However, using Proxmox’s firewall offers several advantages:
- Unified Management: You can create security groups and apply them to multiple guests quickly.
- Enhanced Security: Outgoing traffic filtering on guests adds an additional security layer.
- Ease of Use: The Proxmox firewall interface is user-friendly and efficient.
Setting Up a Security Group
To streamline firewall management for your Linux-based guests, create a security group that opens port 22 for SSH:
- Create a Security Group:
- Go to Datacenter > Firewall > Security Group and click Create.
- Name the group linux-base and provide a description if desired.
- Add an SSH Rule:
- Select the new group and click Add.
- Configure the rule similar to the SSH rule for the datacenter.
- Assign the Security Group to Guests:
- In Server View, select a guest, then Firewall.
- Click Insert Security Group, choose linux-base, set the interface to net0, and enable it.
- The interface name (e.g., net0) can be found under the guest’s Hardware settings.
- Enable the Firewall for the Guest:
- Go to Firewall > Options in the guest and turn the firewall on.
- SSH access should be available while other access remains blocked
Other Firewall Rules and Settings
Depending on your specific needs, you might need to set individual rules for specific guests. This process is similar to setting up rules for the host. Remember to set the interface to the interface name e.g net0.
Additionally, consider enabling firewall logging under Firewall > Options to monitor input and output traffic. This can help in diagnosing connection issues and verifying that your rules are working as intended.
Enabling Samba
Allowing Samba through the firewall can be a bit tricky due to the number of ports and protocols it uses. Here are the steps to enable Samba access on your Proxmox firewall:
- Add Rules for Samba:
- Navigate to Datacenter > Firewall and click Add to create new rules.
- You need to add multiple rules to cover the ports used by Samba:
- Rule 1:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: tcp
- Destination Port: 137
- Rule 2:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: udp
- Destination Port: 137
- Rule 3:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: tcp
- Destination Port: 138
- Rule 4:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: udp
- Destination Port: 138
- Rule 5:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: tcp
- Destination Port: 139
- Rule 6:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: udp
- Destination Port: 139
- Rule 7:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: tcp
- Destination Port: 445
- Rule 8:
- Direction: in
- Action: Accept
- Interface: vmbr0
- Enable: yes
- Protocol: udp
- Destination Port: 445
- Rule 1:
These rules will allow Samba traffic through the firewall. Make sure these rules are applied to both the datacenter level and the specific guest level if necessary.
Conclusion
The Proxmox firewall system is a robust and user-friendly tool that significantly enhances the security of your virtual environment. By following the steps outlined above, you can activate and configure the Proxmox firewall to protect your datacenter, servers, and individual VMs and containers effectively. Remember, while setting up basic rules is straightforward, always tailor your firewall settings to your specific security needs and network architecture.