From: Petric Frank via pve-user <pve-user@lists.proxmox.com>
Cc: Petric Frank <pfrank@gmx.de>
Date: Fri, 6 Jun 2025 11:11:17 +0200
To: pve-user@lists.proxmox.com
Subject: [PVE-User] Block all outgoing destinations not internal for a VM
Message-ID: <mailman.277.1749201397.395.pve-user@lists.proxmox.com>

Hello,

how can I block all traffic which does not have a destination IP address
pointing to the internal network?

Example:
Internal network: 192.168.2.0/24
Allow: all destinations in 192.168.2.0/24
Block: any destination not in 192.168.2.0/24

How does the firewall of a VM have to be configured?

Thanks for your assistance.

kind regards
Petric
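
An added example, not part of the original message: a per-VM Proxmox VE firewall file (`/etc/pve/firewall/<VMID>.fw`) that sets the outbound policy to DROP and allows only the 192.168.2.0/24 range from the question, with a small offline check of which destinations it lets out. The helpers `parse_fw` and `egress_verdict` are hypothetical and model only `-dest` on `OUT` rules, not the full pve-firewall rule set.

```python
import ipaddress

# Constructed sample of /etc/pve/firewall/<VMID>.fw for the VM in the question.
VM_FW = """\
[OPTIONS]
enable: 1
policy_out: DROP

[RULES]
OUT ACCEPT -dest 192.168.2.0/24
"""

def parse_fw(text):
    """Return (policy_out, [(action, dest_network), ...]) for OUT rules."""
    # Proxmox VE defaults to policy_out ACCEPT when the option is absent.
    policy_out, rules, section = "ACCEPT", [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "OPTIONS" and line.startswith("policy_out:"):
            policy_out = line.split(":", 1)[1].strip().upper()
        elif section == "RULES":
            tok = line.split()
            if tok[0] != "OUT":  # inbound and disabled rules are ignored here
                continue
            dest = tok[tok.index("-dest") + 1] if "-dest" in tok else "0.0.0.0/0"
            rules.append((tok[1], ipaddress.ip_network(dest)))
    return policy_out, rules

def egress_verdict(text, dst):
    """First matching OUT rule wins; otherwise policy_out applies."""
    policy_out, rules = parse_fw(text)
    addr = ipaddress.ip_address(dst)
    for action, net in rules:
        if addr in net:
            return action
    return policy_out

if __name__ == "__main__":
    for dst in ("192.168.2.1", "192.168.3.1", "8.8.8.8"):
        print(dst, egress_verdict(VM_FW, dst))
```

The rules only take effect when the firewall is also enabled at datacenter level and on the VM's network device (`firewall=1`).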