<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
...<br>
<br>
Shedding light to understand me (sorry for the Spanish language of names and comments):<br>
<br>
- Network ID: 172.16.1.0/24<br>
- Hypervisors Proxmox VE: 172.16.1.240 (v4.0) [vmbr0]<br>
- Network Equipment Management: 172.16.1.7<br>
<br>
----------------------------<br>
<br>
/etc/pve/firewall/clsuter.fw:<br>
<pre>
[OPTIONS]

enable: 1

[ALIASES]

IP_Equipo_Administrador_Red 172.16.1.7 # Network administrator's workstation
IP_Hipervisor_PRX4-C0-1 172.16.1.240 # Hypervisor running Proxmox VE (PRX4-C0-1)

[IPSET equipos_gestion_servidores]

ip_equipo_administrador_red
ip_equipo_especialista_si

[IPSET hipervisores_proxmox_ve]

ip_hipervisor_prx4-c0-1

[group gestion_hipervisores]

IN ACCEPT -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve -p tcp -dport 8006 -sport 1024:65535 # Management of the Proxmox VE hypervisors through the web interface (WebGUI)
IN ACCEPT -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve -p tcp -dport 40497 -sport 1024:65535 # Management of Proxmox VE through SSH (CLI)
</pre>
/etc/pve/nodes/prx4-c0-1/host.fw:<br>
<pre>
[OPTIONS]

nf_conntrack_tcp_timeout_established: 7875
nf_conntrack_max: 196608
log_level_in: debug
smurf_log_level: debug
log_level_out: debug
enable: 1
tcp_flags_log_level: debug
tcpflags: 1

[RULES]

GROUP gestion_hipervisores -i vmbr0
IN Ping(ACCEPT) -i vmbr0 -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve # Only the network management hosts may ping the Proxmox VE hypervisors
</pre>
----------------------------<br>
<br>
I did a test with the PC with IP address 172.16.1.254 and I reached the WebGUI of Proxmox VE without problems. It is assumed that the firewall should not allow access, because the connection does not originate from the IP address 172.16.1.6 nor from 172.16.1.7. :-(<br>
<br>
The rule for SSH access is working successfully. :-)<br>
<br>
<pre class="moz-signature" cols="72">--
=====================================
Lic. Hector Suarez Planas
Administrador Nodo CODESA
Santiago de Cuba
-------------------------------------
Blog: <a class="moz-txt-link-freetext" href="http://nihilanthlnxc.cubava.cu/">http://nihilanthlnxc.cubava.cu/</a>
ICQ ID: 681729738
Conferendo ID: hspcuba
=====================================
</pre>
</body>
</html>