From: Hermann Himmelbauer
To: pve-user@lists.proxmox.com
Date: Sat, 2 Apr 2022 14:49:16 +0200
Subject: [PVE-User] PVE 7.1 - Firewall recommendations / best practice?
Message-ID: <9ab0dd94-e598-ef4e-ec61-7ab816367cf6@qwer.tk>

Dear Proxmox users,

I set up a 3-node PVE cluster (PVE 7.1). Now I wonder if and how to configure a firewall. Therefore I would like to know your opinion on "best practice":

a) Don't use PVE firewall and set up firewalling on each guest machine
b) Use PVE firewall instead of firewalling on guest machines

Basically, I have the impression that (b) is the better option for me as it is easier to configure the firewall for all guests in a central location.

First of all I'd like to know if the implementation of the PVE-Firewall is reliable or if it is to some degree buggy and thus leads to problems? What is your experience?

Moreover, I wonder if the firewall is compatible with OVS? I have the following interfaces set up with OVS:

enp3s0 (10GBit Storage network)
enp1s0
enp2s0
bond0 (LACP, consisting of enp1s0 and enp2s0)
vmbr0 (Bridge on top of bond0)
vlan1 (on top of vmbr0, PVE management network)
vlan200 (on top of vmbr0, alternative PVE management network)
tapxxxx several guest network devices

In some way the PVE firewall has to know that it has to apply its rules on the host level on vlan1 / vlan200 - how does it know that?

What exactly would happen if I enable the firewall on the datacenter level? Will it block any network interfaces, even the storage network? I happened to try it out - basically I expected that I would be locked out of the management, however, it did nothing?

Any best practices?
Best Regards,
Hermann

-- 
Hermann Himmelbauer
Martinstraße 18/2
3400 Klosterneuburg
Mobile: +43-699-11492144
E-Mail: hermann@qwer.tk
GPG/PGP: 299893C7 (on keyservers)
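The lock-out worry raised in the post is the kind of thing worth checking mechanically before flipping the datacenter-level switch. The following is an added example, not code from the thread or from pve-firewall itself: it parses a constructed cluster.fw in the section/rule layout the pve-firewall documentation describes (assumed here) and reports which management ports a given client address could still reach once the firewall is enabled with an inbound DROP policy. The ipset name `management`, the single SSH macro handled, and every network address are assumptions.

```python
"""Pre-flight check: once the PVE firewall is enabled at datacenter level, can the
management VLANs still reach SSH (22) and the web UI (8006)?  Added example."""
import ipaddress
# Constructed stand-in for /etc/pve/firewall/cluster.fw: section layout and rule syntax
# follow the pve-firewall documentation; the networks are made up, not the poster's.
CLUSTER_FW = """\
[OPTIONS]
enable: 1
policy_in: DROP
[IPSET management]
192.168.54.0/24  # vlan1 management network (constructed)
10.200.0.0/24    # vlan200 alternative management network (constructed)
[RULES]
IN SSH(ACCEPT) -source +management
IN ACCEPT -source +management -p tcp -dport 8006
"""

def parse_fw(text):
    """Split the section-based .fw format into {section_name: [stripped lines]}."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections.setdefault(cur, [])
        elif line and cur is not None:
            sections[cur].append(line)
    return sections
def source_matches(spec, ipsets, ip):
    """`-source` is a CIDR/address or `+ipsetname`; `!` nomatch entries are not handled."""
    nets = ipsets.get(spec[1:].lower(), []) if spec.startswith("+") else [spec]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)
def allowed_mgmt_ports(cluster_fw, client_ip, ports=(22, 8006)):
    """Return the subset of `ports` that `client_ip` can still reach under the IN rules."""
    sec = parse_fw(cluster_fw)
    opts = dict(l.replace(" ", "").split(":", 1) for l in sec.get("options", []))
    if opts.get("enable") != "1":
        return set(ports)  # not enabled at datacenter level: nothing is filtered at all
    ipsets = {k[len("ipset "):]: v for k, v in sec.items() if k.startswith("ipset ")}
    ip, allowed = ipaddress.ip_address(client_ip), set()
    for rule in sec.get("rules", []):
        tok = rule.split()
        macro, _, action = tok[1].rstrip(")").rpartition("(")  # "ACCEPT" or "SSH(ACCEPT)"
        kv = dict(zip(tok[2::2], tok[3::2]))  # "-source X -p tcp -dport N" option pairs
        if tok[0] != "IN" or action != "ACCEPT" or (
                "-source" in kv and not source_matches(kv["-source"], ipsets, ip)):
            continue
        port = {"SSH": 22}.get(macro) if macro else kv.get("-dport")  # only SSH macro known
        allowed.update({int(port)} if port else ports)  # no port given: rule covers all
    return allowed
```

Run it against your own cluster.fw with the address you administer from; an empty result for the management VLAN means enabling the firewall would cut off SSH and the web UI.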