Creating the Datacenter IPSet

The following screenshot shows the IPSet named proxmox_nodes with IP addresses for three nodes in our example cluster:

From the IPSet management page, we first create the IPSet itself and then add entries using the IP/CIDR option on the right-hand side. Addresses can be added individually or as an entire block by giving a CIDR value. An IPSet's name may contain only alphanumeric characters plus two special characters, - and _. When Proxmox lists the IPSet in a drop-down, it shows it with a + prefix; this prefix is not part of the IPSet's name. If the name is entered in capital letters, it is automatically converted to lowercase. The following screenshot shows the rule dialog box, where we selected the IPSet for the Proxmox nodes as the Destination to allow SSH only for the Proxmox nodes:


This revised rule ensures that SSH is enabled only for Proxmox nodes and not for VMs. As the previous example shows, when creating rules in the Datacenter zone it is very important to consider the cascading effect of Datacenter rules and how they can affect nodes and VMs. It is best to use Datacenter zone rules for cluster-related traffic and not for VMs on any node.

After we have created rules to allow SSH and the Proxmox GUI, we are ready to enable the Datacenter-wide Firewall through the Options menu. The following screenshot shows the menu with the Firewall now Enabled:


The preceding screenshot shows a policy that drops all incoming traffic while permitting outgoing traffic. For a fully locked-down and secured cluster, both policies should be set to DROP. Setting the Output Policy to DROP prevents malicious traffic from leaving the network in the event of a malware infection or a compromised device inside the internal network. Likewise, in a multitenant environment outgoing traffic should be firewalled so that we can control which traffic may leave a VM. One example of traffic that should be denied is ICMP (ping), which lets one VM discover other devices on the network.

If both the inbound and outbound policies are set to DENY or DROP, you will have to explicitly allow all legitimate traffic, including updates and other common traffic. If you are setting the Input Policy to DROP on an already established Proxmox cluster, make sure that you first create all the necessary rules for every VM and node before enabling the Datacenter-wide firewall. Failing to do so will cause all VMs and nodes to lose connectivity.
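The same configuration as the GUI steps above, written in the cluster-wide firewall file /etc/pve/firewall/cluster.fw, is shown below as an added example (not the book's own screenshot or the Proxmox project's code). The three node addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and the GUI rule assumes the web interface is reached on its default TCP port 8006.

```ini
; /etc/pve/firewall/cluster.fw (example, constructed for illustration)
; Order matters operationally: define the IPSet and the allow rules first,
; then flip enable/policy_in, so that the DROP default never cuts off access.

[OPTIONS]
; Datacenter-wide firewall switch; leave at 0 until [RULES] below are in place.
enable: 1
; Default for traffic arriving at the nodes when no rule matches.
policy_in: DROP
; Set to DROP as well for a fully locked-down cluster (every egress then needs a rule).
policy_out: ACCEPT

; IPSet names are lowercase alphanumerics plus - and _; the GUI shows it as +proxmox_nodes.
[IPSET proxmox_nodes] # Proxmox cluster nodes (constructed addresses)
192.0.2.11
192.0.2.12
192.0.2.13

[RULES]
; SSH only to the node addresses (the IPSet is the Destination, referenced with a + prefix).
IN SSH(ACCEPT) -dest +proxmox_nodes -log nolog
; Proxmox web GUI, likewise restricted to the node addresses.
IN ACCEPT -dest +proxmox_nodes -p tcp -dport 8006 -log nolog
```

With policy_in set to DROP, anything not matched by a line under [RULES] is dropped, which is why the SSH and GUI rules have to exist before enable is set to 1.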