The Proxmox VE firewall is a security feature that allows easy and effective protection of a virtual environment for both internal and external network traffic. By leveraging this firewall, we can protect VMs, host nodes, or the entire cluster by creating firewall rules. By creating rules at the virtual machine level, we can provide total isolation for VM-to-VM network traffic, including VM-to-external traffic. Prior to the Proxmox VE firewall, security and isolation were not possible at the hypervisor level. Keep in mind that the built-in Proxmox firewall should not be a substitute for a VM-level firewall. We must still apply a firewall policy inside a guest VM, but the hypervisor-level firewall provides an added layer of protection should the VM operating system firewall be misconfigured or not configured at all. This also creates added management overhead because network administrators or managers must now open or close ports or apply firewall policies...
You're reading from Mastering Proxmox - Third Edition
The Proxmox VE firewall leverages iptables on each Proxmox node for protection. iptables is the utility that manages the rule tables of the Linux kernel firewall (netfilter). All firewall rules and configuration are stored in the Proxmox cluster filesystem, which makes the firewall a distributed system across the whole cluster. The pve-firewall service running on each node reads the rules and configuration from the cluster filesystem and automatically adjusts the local iptables rules. Rules can be fully created and maintained through the Proxmox GUI or the CLI. The Proxmox firewall can be used in place of a virtualized firewall in the cluster.
Note
Although the Proxmox firewall provides excellent protection, it is highly recommended that you have a physical firewall for the entire network. This firewall is also known as an edge firewall since it sits at the main entry point to the internet. The internet connection should not be directly connected to Proxmox...
As mentioned earlier, data center-specific firewall rules affect all resources, such as clusters, nodes, and virtual machines. Any rules created in this zone are cascaded to both hosts and VMs. This zone is also used to fully lock down a cluster to drop all incoming traffic and then only open what is required. In a freshly installed Proxmox cluster, the data center-wide firewall option is disabled.
Note
CAUTION!
Extra attention should always be used when creating data center-specific firewall rules to prevent full cluster lockout.
The following screenshot shows the Firewall option for the Datacenter zone through the Options tab by navigating to Datacenter | Firewall | Options:
As we can see in the preceding screenshot, by default the Proxmox firewall for the Datacenter zone is disabled with Input Policy set to DROP and Output Policy set to ACCEPT. If we did enable this firewall option right now...
Any rules created in the host zone only apply to the node where the rule itself was created and the VMs in that host node. Rules for one node do not get replicated to the other nodes, although the rule files are stored in the Proxmox cluster filesystem. There are no options to create IPSet or security groups in the host-specific firewall option. We can only create firewall rules.
Creating new rules for the host zone is identical to the rule creation process that we have already discussed in the Configuring the data center-specific firewall section earlier in this chapter. Besides creating rules from scratch, we can also assign predefined rules in the form of a security group to a node. We cannot create a new security group under the host Firewall menu, but we can assign it some predefined rules. For example, earlier in this chapter, we created a security group named webserver. If a Proxmox node is only going to host VMs used...
Rules created for a VM only apply to that particular virtual machine. Even when the virtual machine is moved to a different node, the firewall rule follows the VM throughout the cluster. There are no rules cascading from this zone. Under the VM firewall feature, we can create rules, aliases, and IPSets, but we cannot create a security group. The firewall management is the same for both the KVM virtual machines and LXC containers. We can go to the firewall feature of a VM by navigating to the VM | Firewall menu:
Creating new rules for a VM is identical to the rule creation process that we have already seen in the Configuring the Datacenter firewall through the CLI section earlier in this chapter. Besides creating rules from scratch, we can also assign predefined rules in the form of a security group to a VM. The preceding screenshot shows that our example VM has three firewall rules to allow standard web server and HTTPS traffic...
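To make the zone behaviour concrete, here is an added Python example (not from the book and not part of Proxmox itself) that parses the .fw files the firewall keeps in the cluster filesystem (/etc/pve/firewall/cluster.fw for the datacenter zone, /etc/pve/firewall/<vmid>.fw for a VM) and flags the two mistakes this chapter warns about: a datacenter ruleset that would lock the administrator out of every node (enable with the default DROP input policy and no rule admitting SSH or the web GUI on port 8006), and a VM rule that names a security group, alias, or IPSet that was never defined. The file contents, the names mgmt, admins, webserver, and dbservers, and the VM ID 100 are constructed for the example; the section and rule syntax follows the pve-firewall configuration format, but the parser covers only the common subset shown (macros such as SSH(ACCEPT), -source/-dest with an alias or +ipset, -p and -dport, GROUP lines) and is no substitute for running pve-firewall compile on the node.

```python
# Added example: lint Proxmox VE firewall files for lockout and undefined references.
import re

# Constructed stand-in for /etc/pve/firewall/cluster.fw (datacenter zone).
CLUSTER_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
[ALIASES]
mgmt 10.0.0.0/24
[IPSET admins]
10.0.0.10
[group webserver]
IN HTTP(ACCEPT)
IN HTTPS(ACCEPT)
[RULES]
IN SSH(ACCEPT) -source mgmt
IN ACCEPT -source +admins -p tcp -dport 8006
"""
# Constructed stand-in for /etc/pve/firewall/100.fw (VM zone) that uses the group.
VM_FW = """\
[RULES]
GROUP webserver
IN ACCEPT -source +dbservers -p tcp -dport 5432
"""
MGMT_PORTS = {"22": "SSH", "8006": "web GUI"}              # what a lockout takes away
MACRO_PORTS = {"SSH": "22", "HTTP": "80", "HTTPS": "443"}  # macros this linter resolves

def parse_rule(line):
    """'IN SSH(ACCEPT) -source mgmt' -> dict; 'GROUP name' -> {'group': name}."""
    tokens = line.split()
    if tokens[0].upper() == "GROUP":
        return {"group": tokens[1]}
    rule = {"dir": tokens[0].upper(), "action": tokens[1], "opts": {}}
    m = re.match(r"(\w+)\((\w+)\)$", tokens[1])           # macro form NAME(ACTION)
    if m:
        rule["macro"], rule["action"] = m.group(1), m.group(2)
    for key, val in zip(tokens[2::2], tokens[3::2]):      # "-dport 8006" pairs
        rule["opts"][key.lstrip("-")] = val
    return rule

def parse_fw(text):
    """Split a .fw file into options, aliases, ipsets, security groups and rules."""
    cfg = {"options": {}, "aliases": {}, "ipsets": {}, "groups": {}, "rules": []}
    kind = name = None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        m = re.match(r"\[(\w+)(?:\s+(\S+))?\]$", line)
        if m:                                             # header, e.g. [IPSET admins]
            kind, name = m.group(1).lower(), m.group(2)
            if kind in ("ipset", "group"):
                cfg[kind + "s"][name] = []
        elif kind == "options":
            key, _, val = line.partition(":")
            cfg["options"][key.strip()] = val.strip()
        elif kind == "aliases":
            cfg["aliases"].update([line.split(None, 1)])  # "name CIDR"
        elif kind == "ipset":
            cfg["ipsets"][name].append(line)
        elif kind == "group":
            cfg["groups"][name].append(parse_rule(line))
        elif kind == "rules":
            cfg["rules"].append(parse_rule(line))
    return cfg

def mgmt_ports_opened(rule):
    """Management ports an inbound ACCEPT rule opens (port ranges not expanded)."""
    if rule.get("dir") != "IN" or rule.get("action") != "ACCEPT":
        return set()
    dport = rule["opts"].get("dport")
    if dport is None and "macro" not in rule:
        return set(MGMT_PORTS)                            # no port filter at all
    ports = set(dport.split(",")) if dport else {MACRO_PORTS.get(rule["macro"])}
    return ports & set(MGMT_PORTS)

def lockout_findings(cluster):
    """enable + DROP at datacenter level with no management rule locks out every node."""
    opts = cluster["options"]
    if opts.get("enable") != "1" or opts.get("policy_in", "DROP").upper() != "DROP":
        return []
    opened = set()
    for rule in cluster["rules"]:                         # expand GROUP references
        for r in cluster["groups"].get(rule["group"], []) if "group" in rule else [rule]:
            opened |= mgmt_ports_opened(r)
    return [f"lockout risk: no inbound rule allows {MGMT_PORTS[p]} (tcp/{p})"
            for p in sorted(MGMT_PORTS) if p not in opened]

def reference_findings(cfg, cluster):
    """Groups exist only at datacenter level; aliases and IPSets (+name) there or in cfg."""
    names = set(cluster["aliases"]) | set(cfg["aliases"])
    names |= {"+" + s for s in set(cluster["ipsets"]) | set(cfg["ipsets"])}
    findings = [f"unknown security group: {r['group']}" for r in cfg["rules"]
                if "group" in r and r["group"] not in cluster["groups"]]
    for r in cfg["rules"]:
        for ref in (r.get("opts", {}).get(k) for k in ("source", "dest")):
            if ref and not ref[0].isdigit() and ":" not in ref and ref not in names:
                findings.append(f"unknown alias or IPSet: {ref}")  # literal IPs skipped
    return findings

if __name__ == "__main__":                                # stand-alone demo
    print(lockout_findings(parse_fw(CLUSTER_FW)))
    print(reference_findings(parse_fw(VM_FW), parse_fw(CLUSTER_FW)))
```

Run lockout_findings on the datacenter file before ticking the Firewall option under Datacenter | Firewall | Options: with the sample above it returns nothing because the SSH macro and the port 8006 rule admit the management network, whereas a file containing only enable: 1 reports both ports. The VM file is checked against the datacenter file because security groups can only be created there, and the unknown +dbservers IPSet is reported rather than silently matching nothing.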
The security protection of the Proxmox VE firewall can be further enhanced by configuring an intrusion detection and prevention system such as Suricata. It is a high-performance IDS/IPS engine that is able to protect a virtual machine by rejecting traffic that may be a possible intrusion. Currently, Snort and Suricata are the two mainstream open source IDS/IPS engines available, although there are a few others. One of the primary advantages of Suricata is that it is multithreaded, whereas Snort is single-threaded. Suricata is under rapid development and has gained popularity in a short amount of time.
By default, Suricata is not installed on a Proxmox node. It needs to be manually installed and configured. As of Proxmox VE 5.0, Suricata can only be used to protect a virtual machine and not any Proxmox host nodes.
In this chapter, we learned about one of the most powerful features of Proxmox, the built-in firewall. We learned what it is and how to implement it to protect the entire cluster, Proxmox host nodes, and virtual machines. We learned how to manage the firewall rules and configuration using both the GUI and CLI. Proxmox adds security where it is needed the most. By leveraging flexible and granular firewall protection at the hypervisor level, we are now able to run a better-secured cluster. This is not to say that firewall policies are not needed internally in each VM, but having a firewall built into the hypervisor offers an extra layer of protection from an infrastructural point of view.
In the next chapter, we are going to learn about the Proxmox VE High Availability feature for VMs, which has been completely redesigned from the ground up. The new changes brought higher stability while making the management and configuration a much simpler task.