[PVE-User] Firewall Proxmox Host
THe_ZiPMaN
flavio-pve at zipman.it
Tue May 22 23:39:55 CEST 2012
On 05/22/2012 09:57 PM, Måns Åman wrote:
> I'm using Shorewall which actually is a front for iptables. You can use DNAT
> with private IP-addresses or using Proxy ARP
> (http://en.wikipedia.org/wiki/Proxy_ARP) with public IPs directly on VMs. My
> choice was to use proxy arp.
So do I. I configured shorewall for ipv4 and shorewall6 for ipv6, using
both DNAT and proxyarp for ipv4 and simple routing for ipv6.
I think shorewall is the best solution for configuring firewall on the
host since it doesn't depend on anything except perl, already present in
Proxmox, and it really simplify the configuration of the firewall.
It also allows to setup complex solutions such as those involving source
routing, multiple providers, traffic shaping, QoS, vpns (ipsec and
openvpn), ecc.ecc. with few lines of text in the right file.
> It works great but how secure I can't say.
Shorewall is only a frontend that creates a script for iptables, ip and
tc, so it's as secure as Linux is. The recent history doesn't show any
significant vulnerability in the kernel code that manages theese
features, and that code is one of the better audited part of the kernel.
If you fear for your security I bet you should look in other directions.
> Obvious it's MUCH better with a hardware firewall in front of Proxmox...
"Ma anche no" (Italian expression that means disagreement :) ).
The firewall in front of the host is really less important than the
firewall ON the host, because it cannot protect the host from inside
threats.
Think for example to a farm of proxmox like the one in the following
Fidocad draw (copy and paste on http://pot.potorti.it/fidocad/ to view)
that is a common configuration found in many firms.
The hardware firewall protects the farm from the outside network, but If
someone finds an hole in a VM (for example the user runs the classic
phpmyadmin) and gains access to the VM, he can try to attack the proxmox
hosts from the VM network. By default the proxmox web ui and ssh are
open from all the interfaces and it's really really more probable to
discover a vulnerability in the proxmox web UI or to find a weak root
password than a bug in iptables.
The front firewall is useful if you have more than one host because you
can set the policies for all the VM in a single place (without it you
should replicate the config on all the proxmox host of the farm), BUT it
doesn't replace the firewall on the host.
And there isn't any difference, with regard to the security, between an
hardware firewall and a VM with some sort of firewall solution on it
(pfsense, monowall, vyatta, kattive, ecc.).
[FIDOCAD]
LI 195 100 195 115 0
LI 190 135 190 150 0
EV 145 100 135 85 0
LI 140 85 245 85 0
EV 250 100 240 85 0
LI 140 100 245 100 0
EV 90 165 80 150 0
LI 85 150 235 150 0
EV 240 165 230 150 0
LI 85 165 235 165 0
RV 175 130 175 130 0
LI 190 165 190 180 0
LI 95 100 95 150 0
LI 135 90 115 90 0
LI 155 115 155 115 0
LI 110 165 110 180 0
LI 130 165 130 180 0
LI 235 100 235 115 0
LI 150 135 150 150 0
LI 155 100 155 115 0
LI 230 135 230 150 0
LI 90 165 90 180 0
LI 170 165 170 180 0
LI 95 65 95 80 0
LI 150 165 150 180 0
LI 230 165 230 180 0
LI 210 165 210 180 0
TY 165 90 4 3 0 0 0 * Host Management Lan
TY 95 155 4 3 0 0 0 * VM Public Lan (vmbr0 of the hosts)
TY 85 85 4 3 0 0 1 * HW FW
RV 75 80 115 100 1
RV 215 115 250 135 2
TY 145 130 2 2 0 0 2 * vmbr0:eth1
RV 175 115 210 135 2
RV 135 115 170 135 2
TY 185 130 2 2 0 0 2 * vmbr0:eth1
TY 185 110 2 2 0 0 2 * eth0
TY 180 120 4 3 0 0 2 * PROXMOX2
TY 145 110 2 2 0 0 2 * eth0
TY 140 120 4 3 0 0 2 * PROXMOX1
TY 220 120 4 3 0 0 2 * PROXMOX3
TY 225 130 2 2 0 0 2 * vmbr0:eth1
TY 225 110 2 2 0 0 2 * eth0
TY 85 50 4 3 0 0 4 * INTERNET
EV 120 65 70 45 4
TY 185 185 4 3 0 0 9 * VM
RV 160 180 175 195 9
RV 140 180 155 195 9
RV 120 180 135 195 9
TY 145 185 4 3 0 0 9 * VM
TY 125 185 4 3 0 0 9 * VM
RV 180 180 195 195 9
RV 80 180 95 195 9
TY 85 185 4 3 0 0 9 * VM
TY 105 185 4 3 0 0 9 * VM
TY 165 185 4 3 0 0 9 * VM
RV 100 180 115 195 9
RV 220 180 235 195 9
RV 200 180 215 195 9
TY 205 185 4 3 0 0 9 * VM
TY 225 185 4 3 0 0 9 * VM
--
Flavio Visentin
A computer is like an air conditioner,
it stops working when you open Windows
More information about the pve-user
mailing list