cross-posted from: https://lemmy.ninja/post/46230 because the kbin.social proxmox community is still teeny tiny.
I’ve been wondering why traffic seems to get through to LXCs and VMs on ports in spite of the Datacenter firewall being active. It’s my understanding that the Datacenter firewall has an implicit DROP rule (which I confirmed is set) and that once active, it drops all traffic for all nodes and VMs and LXCs under those nodes.
However, when I port-forward port 32400 from my router to a Plex LXC, traffic gets through. If I forward port 80 from my router to my reverse proxy LXC, traffic gets through on that port.
Right now I have the datacenter, node, and VM/LXC firewalls enabled. Only the Datacenter firewall has any rules at all, which are:
- Allow traffic to port 8006 from all subnets in my local network
- Allow ICMP traffic from all subnets in my local network.
I confirmed that the input policy is DROP on both the Datacenter and LXC firewalls.
(I’m using Proxmox 8.0.3.)
Why is traffic forwarded from my gateway router making it into my LXCs?
Thanks for any help on this.
You mention dc, host and vm for the firewall. There is also a separate setting for the vm nic, have you checked that?
I’m not familiar with how firewalls for a network interface card work. Unless you mean the firewall in the virtualized operating system?
I’m talking about the option under “VM” -> Hardware -> Network device -> Firewall.
I don’t have experience with Proxmox specifically but usually the policy at play during forwarded traffic is not of the
INPUT
but of theFORWARD
chain.there is a similar issue when running docker on ubuntu with UFW, the containers bypass the firewall without updates to routing.
I expect the details here are different but it sounds like largely the same issue.