[pve-devel] Firewalling Proxmox with Shorewall

Lars Wilke lw at lwilke.de
Thu Aug 2 10:41:32 CEST 2012


* Dietmar Maurer wrote:
> > 0) Preliminary steps
> >   a) apt-get install shorewall.
> >   b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf
> >   c) set sysctl parameter allowing netfilter for bridge (in /etc/sysctl.d/pve.conf
> > or with sysctl cli) net.bridge.bridge-nf-call-iptables = 1
>
> Is c) really required? I thought shorewall set that automatically on startup?

Not in the version that comes with Debian 6 it seems. I had to enable that
one, too.

> > 1) You need to define your /etc/shorewall/interfaces. With one bridge on
> > one interface, it will look like:
> > #ZONE    INTERFACE    BROADCAST    OPTIONS
> > world       vmbr0           detect              bridge
> > net           eth0
> > dmz         vmbr0:tap+
>
> It would be great to have an example which fits our use case. We do not really want one
> dmz. Instead we want one 'zone' per VM. So the interfaces file can look like
>
> #ZONE    INTERFACE    BROADCAST    OPTIONS
> world       vmbr0           detect              bridge
> net           eth0
> vm100      vmbr0:tap100i1
>
> > 2) You need to define more precisely the range of your vms. It can be done in
> > /etc/shorewall/hosts:
> > #ZONE    HOST(S)                    OPTIONS
> > dmz         vmbr0:172.16.0.0/24
>
> We do not have IP addresses currently. If really needed, where do you want to store them
> in the VM config? Inside the network device settings?
>
> But do we really need it if we define one zone per VM?

You could also use the maclist option.

This is how my interfaces file looks:

net     eth0            detect blacklist,nosmurfs,tcpflags,routefilter=1,arp_filter=1
vznet   venet           detect tcpflags
dmz01   vmbr1           detect nosmurfs,tcpflags,routefilter=1,arp_filter=1,routeback,bridge,maclist,nets=(1.2.3.4/24)

> > 3) and help shorewall understand your bridge in /etc/shorewall/zones:
> > #ZONE        TYPE    OPTIONS            IN OPT           OUT OPT
> > fw                firewall
> > world           ipv4
> > net               ipv4
> > dmz:world    bport
> >
> > 4) You can then start to define your global policy, in /etc/shorewall/policy
> > ("info" loglevel is quite handy when trying to understand what's going and
> > can be removed later)
> > #SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST
> > # Internet Connections
> > dmz        net        ACCEPT
> > # Allow FW to use internet
> > $FW        world        ACCEPT
> > net        all        DROP        info
> > # THE FOLLOWING POLICY MUST BE LAST
> > all        all        REJECT        info

Please set the logging threshold either really high or remove it completely,
especially on net, else your logs will be flooded with messages.

> > 5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh, proxmox
> > and ping between vms but not outside:
> > #ACTION        SOURCE        DEST        PROTO    DEST  PORT ...
> >
> > #  Accept DNS connections from the firewall to the network
> > DNS(ACCEPT)    dmz        $FW        udp    67
> >
> > #    Accept SSH connections
> > SSH(ACCEPT)    net          $FW
> > SSH(ACCEPT)    dmz        $FW
> > SSH(ACCEPT)    world       $FW
> >
> > # Permit access to Proxmox Manager and Console
> > ACCEPT        dmz        $FW        tcp    5900:5999

Should the port range go to 5999 or 6000?

> > HTTPS(ACCEPT)    dmz        $FW        tcp    443,8006
> > HTTP(ACCEPT)    dmz        $FW

Hm, not sure I understand these two rules, why do you allow
HTTP from the DMZ to the Proxmox host?

> > # Allow Ping only within the local vm network
> > Ping(ACCEPT)    dmz        dmz

May I suggest a more liberal ICMP ECHO policy? Debugging gets
so much easier.

cheers

   --lars
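A worked "one bport zone per VM" layout in the Shorewall file formats this thread walks through, added here as an example; it is not from the original message, from Dietmar's reply, or from Proxmox. VM ids 100/101, the tap names (Proxmox's tap<vmid>i<netidx> scheme), the PostgreSQL port 5432 and the net-side options are assumptions chosen for illustration.

```text
# /etc/shorewall/zones -- each VM zone is a bridge-port child of the bridge's parent zone
#ZONE          TYPE      OPTIONS
fw             firewall
world          ipv4
net            ipv4
vm100:world    bport
vm101:world    bport

# /etc/shorewall/interfaces -- "bridge" on vmbr0 also implies routeback, so
# traffic between two ports of vmbr0 can be forwarded (and therefore filtered)
#ZONE    INTERFACE        BROADCAST   OPTIONS
world    vmbr0            detect      bridge
net      eth0             detect      tcpflags,nosmurfs
vm100    vmbr0:tap100i0
vm101    vmbr0:tap101i0

# /etc/shorewall/policy -- no log level on the catch-all lines, as suggested
# above, so a scanned host does not flood the logs
#SOURCE  DEST     POLICY
vm100    net      ACCEPT
vm101    net      ACCEPT
$FW      world    ACCEPT
net      all      DROP
# THE FOLLOWING POLICY MUST BE LAST
all      all      REJECT

# /etc/shorewall/rules -- host management only from the Internet side,
# VM-to-VM traffic is opened per pair instead of "dmz dmz"
#ACTION          SOURCE   DEST     PROTO   DEST PORT(S)
SSH(ACCEPT)      net      $FW
HTTPS(ACCEPT)    net      $FW      tcp     8006
Ping(ACCEPT)     vm100    vm101
Ping(ACCEPT)     vm101    vm100
ACCEPT           vm100    vm101    tcp     5432
```

Because every VM is its own zone, anything not listed between vm100 and vm101 falls through to the final REJECT, which is the isolation the per-VM model is meant to give.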
