[PVE-User] About PVE-Firewall and WebGUI access

Hector Suarez Planas hector.suarez at codesa.co.cu
Mon Nov 16 20:47:32 CET 2015


...

To shed some light so you understand me (sorry for the Spanish names
and comments):

- Network ID: 172.16.1.0/24
- Hypervisors Proxmox VE: 172.16.1.240 (v4.0) [vmbr0]
- Network Equipment Management:  172.16.1.7

----------------------------

/etc/pve/firewall/cluster.fw:

[OPTIONS]

enable: 1

[ALIASES]

IP_Equipo_Administrador_Red 172.16.1.7 # Network administrator's workstation
IP_Hipervisor_PRX4-C0-1 172.16.1.240 # Hypervisor running Proxmox VE (PRX4-C0-1)

[IPSET equipos_gestion_servidores]

ip_equipo_administrador_red
ip_equipo_especialista_si

[IPSET hipervisores_proxmox_ve]

ip_hipervisor_prx4-c0-1

[group gestion_hipervisores]

IN ACCEPT -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve -p tcp -dport 8006 -sport 1024:65535 # Management of the Proxmox VE hypervisors through the web interface (WebGUI)
IN ACCEPT -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve -p tcp -dport 40497 -sport 1024:65535 # Management of Proxmox VE through SSH (CLI)

/etc/pve/nodes/prx4-c0-1/host.fw:

[OPTIONS]

nf_conntrack_tcp_timeout_established: 7875
nf_conntrack_max: 196608
log_level_in: debug
smurf_log_level: debug
log_level_out: debug
enable: 1
tcp_flags_log_level: debug
tcpflags: 1

[RULES]

GROUP gestion_hipervisores -i vmbr0
IN Ping(ACCEPT) -i vmbr0 -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve # Only the network management hosts may ping the Proxmox VE hypervisors

----------------------------

I did a test from the PC with IP address 172.16.1.254 and I reached the
Proxmox VE WebGUI without problems. It is assumed that the firewall
should not allow access, because the connection does not originate
from the IP address 172.16.1.6 or 172.16.1.7. :-(

The SSH access rule is working successfully. :-)

-- 
=====================================
Lic. Hector Suarez Planas
Administrador Nodo CODESA
Santiago de Cuba
-------------------------------------
Blog: http://nihilanthlnxc.cubava.cu/
ICQ ID: 681729738
Conferendo ID: hspcuba
=====================================
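Editor's note, not part of the post above: the rules as written only ACCEPT 8006 and 40497 from the administrator alias, so by themselves they cannot explain the WebGUI being reachable from 172.16.1.254. What they do not show is that the Proxmox host firewall also carries built-in rules that admit the standard management ports (the WebGUI's 8006 and SSH's 22 among them) from the predefined `management` IPSet, which falls back to the local cluster network when cluster.fw defines no `management` set; a non-standard SSH port such as 40497 gets no such built-in rule, which matches the symptom of the SSH rule "working" while the WebGUI rule appears not to. `pve-firewall localnet` prints the network that fallback uses, and `iptables-save` shows the resulting PVEFW-HOST-IN chain. The evaluator below is an added example written for this page (it is not Proxmox code and does not model those built-in rules); it parses constructed copies of the two quoted files, resolves the alias and IPSet references, expands the GROUP into the cluster security group, and returns the verdict of the user-defined rules alone. It assumes alias and IPSet lookups are case-insensitive and that the host's unset policy_in defaults to DROP; the IPSet member that the post's excerpt never defines is left out.

```python
import ipaddress
import re

# Constructed copies of the two files from the post: comments dropped, wrapped lines
# joined, logging options omitted, and the undefined alias left out of the IPSet.
CLUSTER_FW = """
[OPTIONS]
enable: 1

[ALIASES]
IP_Equipo_Administrador_Red 172.16.1.7
IP_Hipervisor_PRX4-C0-1 172.16.1.240

[IPSET equipos_gestion_servidores]
ip_equipo_administrador_red

[IPSET hipervisores_proxmox_ve]
ip_hipervisor_prx4-c0-1

[group gestion_hipervisores]
IN ACCEPT -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve -p tcp -dport 8006 -sport 1024:65535
IN ACCEPT -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve -p tcp -dport 40497 -sport 1024:65535
"""
HOST_FW = """
[OPTIONS]
enable: 1

[RULES]
GROUP gestion_hipervisores -i vmbr0
IN Ping(ACCEPT) -i vmbr0 -source IP_Equipo_Administrador_Red -dest +hipervisores_proxmox_ve
"""
MACROS = {"ping": "icmp"}  # only the macro the post uses; the real firewall has many more


def parse_rule(line):
    """Turn 'IN ACCEPT -source X -dest +set -p tcp -dport 8006' or 'GROUP g -i vmbr0' into a dict."""
    tokens = line.split()
    rule = {"type": tokens[0].upper()}
    if rule["type"] == "GROUP":
        rule["group"] = tokens[1].lower()
    else:
        m = re.fullmatch(r"(\w+)\((\w+)\)", tokens[1])  # Macro(ACTION) form, e.g. Ping(ACCEPT)
        rule["macro"] = m.group(1).lower() if m else None
        rule["action"] = (m.group(2) if m else tokens[1]).upper()
    rest = tokens[2:]
    rule["opts"] = {rest[i].lstrip("-"): rest[i + 1] for i in range(0, len(rest), 2)}
    return rule


def parse_fw(text):
    """Parse the section-based .fw format into options, aliases, ipsets, groups and rules."""
    cfg = {"options": {}, "aliases": {}, "ipsets": {}, "groups": {}, "rules": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)(?:\s+(\S+))?\]", line)
        if m:
            kind, name = m.group(1).lower(), (m.group(2) or "").lower()
            if kind in ("ipset", "group"):
                cfg[kind + "s"][name] = []
            section = (kind, name)
            continue
        kind, name = section
        if kind == "options":
            key, val = line.split(":", 1)
            cfg["options"][key.strip()] = val.strip()
        elif kind == "aliases":
            key, val = line.split(None, 1)
            cfg["aliases"][key.lower()] = val.strip()  # assumed case-insensitive lookup
        elif kind == "ipset":
            cfg["ipsets"][name].append(line.lower())
        elif kind == "group":
            cfg["groups"][name].append(parse_rule(line))
        elif kind == "rules":
            cfg["rules"].append(parse_rule(line))
    return cfg


def resolve(ref, cfg):
    """Expand '+ipset', an alias name or a literal address/CIDR into ip_network objects."""
    ref = ref.lower()
    if ref.startswith("+"):
        return [net for member in cfg["ipsets"][ref[1:]] for net in resolve(member, cfg)]
    if ref in cfg["aliases"]:
        ref = cfg["aliases"][ref]
    return [ipaddress.ip_network(ref, strict=False)]


def port_match(spec, port):
    """'8006' or '1024:65535' (comma lists allowed); an absent spec matches any port."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, pkt, cfg):
    o = rule["opts"]
    proto = MACROS[rule["macro"]] if rule.get("macro") else o.get("p")
    if proto and proto != pkt["proto"]:
        return False
    if "i" in o and o["i"] != pkt["iface"]:
        return False
    for key, field in (("source", "src"), ("dest", "dst")):
        if key in o and not any(pkt[field] in net for net in resolve(o[key], cfg)):
            return False
    if pkt["proto"] in ("tcp", "udp"):
        return port_match(o.get("dport"), pkt["dport"]) and port_match(o.get("sport"), pkt["sport"])
    return True


def evaluate(cluster, host, pkt):
    """First matching IN rule wins; GROUP expands to the cluster security group; else policy_in."""
    cfg = {"aliases": {**cluster["aliases"], **host["aliases"]},
           "ipsets": {**cluster["ipsets"], **host["ipsets"]}}
    for rule in host["rules"]:
        if rule["type"] == "GROUP":
            if rule["opts"].get("i", pkt["iface"]) != pkt["iface"]:
                continue
            candidates = cluster["groups"][rule["group"]]
        else:
            candidates = [rule]
        for r in candidates:
            if r["type"] == "IN" and rule_matches(r, pkt, cfg):
                return r["action"]
    return host["options"].get("policy_in", "DROP").upper()  # assumed host default


CLUSTER, HOST = parse_fw(CLUSTER_FW), parse_fw(HOST_FW)


def verdict(src, dport=None, proto="tcp", sport=40000, iface="vmbr0"):
    """Verdict of the user-defined rules for a packet from src to the hypervisor 172.16.1.240."""
    pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address("172.16.1.240"),
           "proto": proto, "dport": dport, "sport": sport, "iface": iface}
    return evaluate(CLUSTER, HOST, pkt)


if __name__ == "__main__":
    for src, port in [("172.16.1.7", 8006), ("172.16.1.254", 8006),
                      ("172.16.1.7", 40497), ("172.16.1.254", 40497)]:
        print(f"{src:14} -> 172.16.1.240:{port}/tcp  {verdict(src, port)}")
    print(f"{'172.16.1.254':14} -> 172.16.1.240 icmp      {verdict('172.16.1.254', proto='icmp')}")
```

The evaluator returns DROP for 172.16.1.254 on both 8006 and 40497, so a live ACCEPT on 8006 from that host has to come from something outside these two files. Defining an explicit `[IPSET management]` in cluster.fw containing only the administrator hosts is the documented way to narrow the built-in management rules; the evaluator does not model that set, so confirm the effect with `iptables-save` rather than with this script.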
