* [PVE-User] PVE 7.1 - Firewall recommendations / best practice?
@ 2022-04-02 12:49 Hermann Himmelbauer
From: Hermann Himmelbauer @ 2022-04-02 12:49 UTC
To: pve-user
Dear Proxmox users,

I set up a 3-node PVE cluster (PVE 7.1). Now I wonder if and how to
configure a firewall. Therefore I would like to know your opinion on
"best practice":

a) Don't use PVE firewall and set up firewalling on each guest machine
b) Use PVE firewall instead of firewalling on guest machines

Basically, I have the impression that (b) is the better option for me as
it is easier to configure the firewall for all guests in a central location.

First of all I'd like to know if the implementation of the PVE-Firewall
is reliable or if it is to some degree buggy and thus leads to problems?
What is your experience?

Moreover I wonder if the firewall is compatible with OVS? I have the
following interfaces set up with OVS:

enp3s0 (10GBit Storage network)
enp1s0
enp2s0
bond0 (LACP, consisting of enp1s0 and enp2s0)
vmbr0 (Bridge on top of bond0)
vlan1 (on top of vmbr0, PVE management network)
vlan200 (on top of vmbr0, alternative PVE management network)
tapxxxx several guest network devices

In some way the PVE firewall has to know that it has to apply its rules
on the host level on vlan1 / vlan200 - how does it know that?

What exactly would happen if I enable the firewall on the datacenter
level? Will it block any network interfaces, even the storage network?

I happened to try it out - basically I expected that I will be locked
out of the management, however, it did nothing?

Any best practices?

Best Regards,
Hermann
--
Hermann Himmelbauer
Martinstraße 18/2
3400 Klosterneuburg
Mobile: +43-699-11492144
E-Mail: hermann@qwer.tk
GPG/PGP: 299893C7 (on keyservers)