The following screenshot shows the IPSet named proxmox_nodes with IP addresses for three nodes in our example cluster:
From the IPSet management page, we need to create the IPSet itself first, and then add IPs from the right-hand side IP/CIDR option. IP addresses can be added individually or as a whole block using CIDR notation. The IPSet's name may contain only alphanumeric characters plus two special characters, - and _. When Proxmox displays the IPSet in the drop-down list, it adds + as a prefix; this is not part of the IPSet's name. If the name is entered in capital letters, it is automatically converted to lowercase. The following screenshot shows the rules dialog box, where we selected an IPSet for Proxmox nodes in Destination to allow SSH only for Proxmox nodes:
This revised rule will ensure that SSH is only enabled for Proxmox nodes and not for VMs. As the previous example shows, when creating rules in the Datacenter zone it is very important to think about the cascading effect of Datacenter rules and how they can affect both nodes and VMs. It is best to reserve Datacenter zone rules for cluster-related traffic and not use them for VMs on any node.
After we have created rules to allow SSH and the Proxmox GUI, we are ready to enable the Datacenter-wide Firewall through the Options menu. The following screenshot shows the menu with the Firewall now Enabled:
The preceding screenshot shows a policy that will drop all incoming traffic, while outgoing traffic is permitted. To have a fully locked down and secured cluster, both policies should be set to DROP. The reason to set the Output Policy to DROP is to prevent malicious traffic from leaving the network in the event of a malware infection or a compromised device within the internal network. Likewise, in a multitenant environment, outgoing traffic should be firewalled so that we can control the type of traffic that can leave a VM. An example of traffic that should be denied is ICMP (ping) traffic, which would otherwise allow one VM to discover other devices in the network.
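To make the cascading effect of Datacenter rules and the zone policies concrete, here is an added Python example (not from the book, and not Proxmox's own code) that parses a constructed fragment in the /etc/pve/firewall/cluster.fw syntax and evaluates a connection against the IPSet, the rules and the policies. The sample addresses, the first-match rule semantics and the exact file layout are assumptions; the rule restricts SSH and the GUI port by destination IPSet, so the same Datacenter rule does not open those ports on VMs.

```python
import ipaddress
# Constructed sample in /etc/pve/firewall/cluster.fw syntax (layout assumed; not from the page).
SAMPLE_CLUSTER_FW = """\
[OPTIONS]
policy_in: DROP
policy_out: ACCEPT
[IPSET proxmox_nodes] # the three cluster nodes
10.0.0.11
10.0.0.12
10.0.0.13
[RULES]
IN ACCEPT -p tcp -dport 22 -dest +proxmox_nodes -log nolog
IN ACCEPT -p tcp -dport 8006 -dest +proxmox_nodes
"""

def parse_cluster_fw(text):
    options, ipsets, rules, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments and blank lines are ignored
        if not line: continue
        if line.startswith("["):
            section, _, name = line.strip("[]").partition(" ")
            if section == "IPSET":  # Proxmox stores IPSet names in lowercase
                members = ipsets.setdefault(name.lower(), [])
        elif section == "OPTIONS":
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section == "IPSET":
            members.append(ipaddress.ip_network(line, strict=False))
        elif section == "RULES":  # "DIR ACTION -opt value ..." with one value per option
            direction, action, *opts = line.split()
            rules.append((direction, action, dict(zip(opts[::2], opts[1::2]))))
    return options, ipsets, rules

def addr_matches(spec, ipsets, ip):
    if spec is None: return True  # option absent: any address matches
    if spec.startswith("+"):  # '+' marks an IPSet reference; it is not part of the name
        return any(ip in net for net in ipsets[spec[1:].lower()])
    return ip in ipaddress.ip_network(spec, strict=False)

def verdict(config, direction, proto, dport, src_ip, dst_ip):
    options, ipsets, rules = config
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rdir, action, o in rules:  # assumed: first matching rule wins, else the zone policy
        if rdir != direction or any(o.get(k, v) != v for k, v in (("-p", proto), ("-dport", str(dport)))):
            continue
        if addr_matches(o.get("-source"), ipsets, src) and addr_matches(o.get("-dest"), ipsets, dst):
            return action
    return options["policy_in" if direction == "IN" else "policy_out"]
CONFIG = parse_cluster_fw(SAMPLE_CLUSTER_FW)
```

Switching the sample's policy_out to DROP shows the locked-down variant: outgoing ICMP from a VM is then dropped instead of accepted.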