[pve-devel] Firewalling Proxmox with Shorewall

Jason Villalta jason at rubixnet.com
Mon Aug 13 21:32:09 CEST 2012

Couldn't the be done more simply using ebtables.  Sorry if the has already
been discussed.

This would provide port based isolation on each existing bridge.  This
would provide true isolation not just ipv4.

I will see if I can get something setup and passed along.

On Wed, Aug 1, 2012 at 4:31 PM, Loiseleur Michel <michel at loiseleur.com>wrote:

> Hi,
> I finally manage to have something which seems to be a working setup with
> Shorewall. I am able to filter within, with or without on a simple bridged
> ipv4 network. Here are the necessary steps:
> 0) Preliminary steps
>  a) apt-get install shorewall.
>  b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf
>  c) set sysctl parameter allowing netfilter for bridge (in
> /etc/sysctl.d/pve.conf or with sysctl cli)
> net.bridge.bridge-nf-call-**iptables = 1
> 1) You need to define your /etc/shorewall/interfaces. With one bridge on
> one interface, it will look like:
> world       vmbr0           detect              bridge
> net           eth0
> dmz         vmbr0:tap+
> 2) You need to define more precisely the range of your vms. It can be done
> in /etc/shorewall/hosts:
> #ZONE    HOST(S)                    OPTIONS
> dmz         vmbr0:
> 3) and help shorewall understand your bridge in /etc/shorewall/zones:
> #ZONE        TYPE    OPTIONS            IN OPT           OUT OPT
> fw                firewall
> world           ipv4
> net               ipv4
> dmz:world    bport
> 4) You can then start to define your global policy, in
> /etc/shorewall/policy ("info" loglevel is quite handy when trying to
> understand what's going and can be removed later)
> # Internet Connections
> dmz        net        ACCEPT
> # Allow FW to use internet
> $FW        world        ACCEPT
> net        all        DROP        info
> all        all        REJECT        info
> 5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh,
> proxmox and ping between vms but not outside:
> #ACTION        SOURCE        DEST        PROTO    DEST  PORT ...
> #  Accept DNS connections from the firewall to the network
> DNS(ACCEPT)    dmz        $FW        udp    67
> #    Accept SSH connections
> SSH(ACCEPT)    net          $FW
> SSH(ACCEPT)    dmz        $FW
> SSH(ACCEPT)    world       $FW
> # Permit access to Proxmox Manager and Console
> ACCEPT        dmz        $FW        tcp    5900:5999
> HTTPS(ACCEPT)    dmz        $FW        tcp    443,8006
> HTTP(ACCEPT)    dmz        $FW
> # Allow Ping only within the local vm network
> Ping(ACCEPT)    dmz        dmz
> There are two key points in this setup. First is to specify the link
> between your interfaces (vmbr0:tap+) and your zones (dmz:world). Second one
> is to define more precisely internal range of the bridge, in hosts file. If
> you do not, shorewall won't be able to distinguish your vm network from the
> internet.
> Now that I hope to have gained my "you're not anymore a complete noob in
> shorewall networking" medal, maybe I would be able to see what can I do
> about multiple bridges. It seems there's a start of answer here:
> http://www1.shorewall.net/**bridge-Shorewall-perl.html#**Multiple<http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple>
> According to this page, one should be able to use a logical name in order
> to workaround uniqueness on port name.
> --
> Michel Loiseleur
> ______________________________**_________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-**bin/mailman/listinfo/pve-devel<http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pve.proxmox.com/pipermail/pve-devel/attachments/20120813/f48dbdb4/attachment-0001.html>

More information about the pve-devel mailing list