cross-posted from: https://lemmy.ninja/post/46230 because the kbin.social proxmox community is still teeny tiny.

I’ve been wondering why traffic seems to get through to LXCs and VMs on ports in spite of the Datacenter firewall being active. It’s my understanding that the Datacenter firewall has an implicit DROP rule (which I confirmed is set) and that once active, it drops all traffic for all nodes and VMs and LXCs under those nodes.

However, when I port-forward port 32400 from my router to a Plex LXC, traffic gets through. If I forward port 80 from my router to my reverse proxy LXC, traffic gets through on that port.

Right now I have the datacenter, node, and VM/LXC firewalls enabled. Only the Datacenter firewall has any rules at all, which are:

  • Allow traffic to port 8006 from all subnets in my local network
  • Allow ICMP traffic from all subnets in my local network.

I confirmed that the input policy is DROP on both the Datacenter and LXC firewalls.

(I’m using Proxmox 8.0.3.)

Why is traffic forwarded from my gateway router making it into my LXCs?

Thanks for any help on this.

  • fidde@lemm.ee · 1 year ago

    You mention dc, host and vm for the firewall. There is also a separate setting for the vm nic, have you checked that?

    • RotaryKeyboard@lemmy.ninja (OP) · 1 year ago

      I’m not familiar with how firewalls for a network interface card work. Unless you mean the firewall in the virtualized operating system?

      • fidde@lemm.ee · 1 year ago

        I’m talking about the option under “VM” -> Hardware -> Network device -> Firewall.

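A way to audit the per-NIC setting fidde points to, as an added example that is not from this thread: Proxmox records it as `firewall=1` on each `netN:` line of a guest's config (`/etc/pve/qemu-server/<vmid>.conf` or `/etc/pve/lxc/<vmid>.conf`), and a NIC without that flag is not filtered by the guest firewall at all, whatever the Datacenter policy says. The configs below are constructed samples; reading the real files is left to the caller.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample guest configs in Proxmox's "key: value" format. Real files
# live under /etc/pve/qemu-server/<vmid>.conf and /etc/pve/lxc/<vmid>.conf.
SAMPLE_CONFIGS = {
    "100": (  # constructed LXC config: no firewall flag on net0
        "arch: amd64\n"
        "hostname: plex\n"
        "net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:00:00:01,ip=dhcp,type=veth\n"
    ),
    "101": (  # constructed VM config: firewall on for net0, off for net1
        "boot: order=scsi0\n"
        "net0: virtio=BC:24:11:00:00:02,bridge=vmbr0,firewall=1\n"
        "net1: virtio=BC:24:11:00:00:03,bridge=vmbr1,firewall=0\n"
        "[before-upgrade]\n"  # snapshot section, not the live guest
        "net0: virtio=BC:24:11:00:00:02,bridge=vmbr0\n"
    ),
}

NET_LINE = re.compile(r"^(net\d+):\s*(.*)$")


def parse_net_options(value: str) -> Dict[str, str]:
    """Split 'k=v,k=v' into a dict; a bare token maps to an empty string."""
    opts = {}
    for token in value.split(","):
        key, _, val = token.partition("=")
        opts[key.strip()] = val.strip()
    return opts


def nic_firewall_flags(config_text: str) -> List[Tuple[str, bool]]:
    """(netN, firewall_enabled) for each NIC in the live config section.
    An absent 'firewall' key means disabled, the same as firewall=0."""
    flags = []
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # snapshot sections follow; stop here
            break
        m = NET_LINE.match(line)
        if m:
            opts = parse_net_options(m.group(2))
            flags.append((m.group(1), opts.get("firewall") == "1"))
    return flags


def unprotected_nics(configs: Dict[str, str]) -> List[Tuple[str, str]]:
    """(vmid, netN) pairs whose traffic bypasses the Proxmox guest firewall."""
    return [(vmid, nic) for vmid, text in configs.items()
            for nic, on in nic_firewall_flags(text) if not on]
```

Run it over the contents of every file in both config directories to find guests such as the Plex container above whose NIC never had the flag set.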

  • anon@lemm.ee · 1 year ago

    I don’t have experience with Proxmox specifically but usually the policy at play during forwarded traffic is not of the INPUT but of the FORWARD chain.

  • manitcor@lemmy.intai.tech · 1 year ago

    There is a similar issue when running Docker on Ubuntu with UFW: the containers bypass the firewall without updates to routing.

    I expect the details here are different but it sounds like largely the same issue.