[pve-devel] Firewalling Proxmox with Shorewall

Jason Villalta jason at rubixnet.com
Mon Aug 13 21:32:09 CEST 2012


Couldn't the be done more simply using ebtables.  Sorry if the has already
been discussed.
http://serverfault.com/questions/388544/is-it-possible-to-enable-port-isolation-on-linux-bridges


This would provide port based isolation on each existing bridge.  This
would provide true isolation not just ipv4.

I will see if I can get something setup and passed along.


On Wed, Aug 1, 2012 at 4:31 PM, Loiseleur Michel <michel at loiseleur.com>wrote:

> Hi,
>
> I finally manage to have something which seems to be a working setup with
> Shorewall. I am able to filter within, with or without on a simple bridged
> ipv4 network. Here are the necessary steps:
>
> 0) Preliminary steps
>  a) apt-get install shorewall.
>  b) set IP_FORWARDING=On in /etc/shorewall/shorewall.conf
>  c) set sysctl parameter allowing netfilter for bridge (in
> /etc/sysctl.d/pve.conf or with sysctl cli)
> net.bridge.bridge-nf-call-**iptables = 1
>
> 1) You need to define your /etc/shorewall/interfaces. With one bridge on
> one interface, it will look like:
> #ZONE    INTERFACE    BROADCAST    OPTIONS
> world       vmbr0           detect              bridge
> net           eth0
> dmz         vmbr0:tap+
>
> 2) You need to define more precisely the range of your vms. It can be done
> in /etc/shorewall/hosts:
> #ZONE    HOST(S)                    OPTIONS
> dmz         vmbr0:172.16.0.0/24
>
> 3) and help shorewall understand your bridge in /etc/shorewall/zones:
> #ZONE        TYPE    OPTIONS            IN OPT           OUT OPT
> fw                firewall
> world           ipv4
> net               ipv4
> dmz:world    bport
>
> 4) You can then start to define your global policy, in
> /etc/shorewall/policy ("info" loglevel is quite handy when trying to
> understand what's going and can be removed later)
> #SOURCE        DEST        POLICY        LOG LEVEL    LIMIT:BURST
> # Internet Connections
> dmz        net        ACCEPT
> # Allow FW to use internet
> $FW        world        ACCEPT
> net        all        DROP        info
> # THE FOLLOWING POLICY MUST BE LAST
> all        all        REJECT        info
>
> 5) And a simple rules file, in /etc/shorewall/rules, allowing dns, ssh,
> proxmox and ping between vms but not outside:
> #ACTION        SOURCE        DEST        PROTO    DEST  PORT ...
>
> #  Accept DNS connections from the firewall to the network
> DNS(ACCEPT)    dmz        $FW        udp    67
>
> #    Accept SSH connections
> SSH(ACCEPT)    net          $FW
> SSH(ACCEPT)    dmz        $FW
> SSH(ACCEPT)    world       $FW
>
> # Permit access to Proxmox Manager and Console
> ACCEPT        dmz        $FW        tcp    5900:5999
> HTTPS(ACCEPT)    dmz        $FW        tcp    443,8006
> HTTP(ACCEPT)    dmz        $FW
>
> # Allow Ping only within the local vm network
> Ping(ACCEPT)    dmz        dmz
>
>
> There are two key points in this setup. First is to specify the link
> between your interfaces (vmbr0:tap+) and your zones (dmz:world). Second one
> is to define more precisely internal range of the bridge, in hosts file. If
> you do not, shorewall won't be able to distinguish your vm network from the
> internet.
>
> Now that I hope to have gained my "you're not anymore a complete noob in
> shorewall networking" medal, maybe I would be able to see what can I do
> about multiple bridges. It seems there's a start of answer here:
> http://www1.shorewall.net/**bridge-Shorewall-perl.html#**Multiple<http://www1.shorewall.net/bridge-Shorewall-perl.html#Multiple>
>
> According to this page, one should be able to use a logical name in order
> to workaround uniqueness on port name.
>
> --
> Michel Loiseleur
> ______________________________**_________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> http://pve.proxmox.com/cgi-**bin/mailman/listinfo/pve-devel<http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pve.proxmox.com/pipermail/pve-devel/attachments/20120813/f48dbdb4/attachment-0001.html>


More information about the pve-devel mailing list