cross-posted from: https://lemmy.ninja/post/46230 because the kbin.social proxmox community is still teeny tiny.

I’ve been wondering why traffic seems to get through to LXCs and VMs on ports in spite of the Datacenter firewall being active. It’s my understanding that the Datacenter firewall has an implicit DROP rule (which I confirmed is set) and that once active, it drops all traffic for all nodes and VMs and LXCs under those nodes.

However, when I port-forward port 32400 from my router to a Plex LXC, traffic gets through. If I forward port 80 from my router to my reverse proxy LXC, traffic gets through on that port.

Right now I have the datacenter, node, and VM/LXC firewalls enabled. Only the Datacenter firewall has any rules at all, which are:

  • Allow traffic to port 8006 from all subnets in my local network
  • Allow ICMP traffic from all subnets in my local network.

I confirmed that the input policy is DROP on both the Datacenter and LXC firewalls.

(I’m using Proxmox 8.0.3.)

Why is traffic forwarded from my gateway router making it into my LXCs?

Thanks for any help on this.

  • anon@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    I don’t have experience with Proxmox specifically but usually the policy at play during forwarded traffic is not of the INPUT but of the FORWARD chain.