Shorewall and Proxmox VE Cluster Configuration
This is a follow-up article describing how to use Proxmox VE and Shorewall together. This article focuses on using Shorewall within your Proxmox cluster. If you have not read the first article I recommend that you do so; it will aid your understanding of what is going on in this one.
Network Layout and Shorewall Configuration
We are going to be using a bridging configuration, which is what Proxmox VE uses by default. Bridging allows easy migration of virtual machines between nodes without having to reconfigure the firewall each time a machine is migrated, because a guest keeps the same addresses and the same bridge attachment on whichever node it runs.
Proxmox VE does not come with a firewall by default. There are several solutions to this problem, but the most flexible and robust is integrating the Shorewall firewall. This document assumes a basic knowledge of Shorewall and will not cover all of Shorewall's capabilities, but it will give you a good working model to get you started. For more advanced topics, check out the Shorewall documentation.
Shorewall will have three zones: 1) the fw zone, which is the Proxmox host itself; 2) the net zone, which is the Internet; and 3) the dmz zone, where the virtual machines reside. The hardware has just one network interface card; vmbr0 is just a bridge interface on top of it. Because every zone shares that one bridge, Shorewall cannot tell net from dmz by physical interface: the two zones have to be distinguished by bridge port or by address.
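The zone layout above, written out as Shorewall configuration files. This is an added example, not the configuration from the original article or from the Proxmox project. It assumes that the physical NIC is eth0 and is a port of vmbr0; that KVM guests attach through tap+ ports (vmtab+ on Proxmox VE 1.x) and OpenVZ containers through veth+ ports; and that the host is managed over SSH (22) and the Proxmox web interface (443). The zones are separated by bridge port (the `bridge` interface option and a `hosts` file), which is the Shorewall mechanism for a single-NIC bridged host. The function writes the files into a directory of your choice so they can be reviewed before being copied to /etc/shorewall:

```shell
#!/bin/sh
# Added example: generate a three-zone Shorewall configuration for a Proxmox VE
# host with one NIC bridged as vmbr0. Assumptions (not from the article):
# eth0 is the bridge's physical port; guests attach as tap+/vmtab+/veth+ ports.
set -e

# write_shorewall_config DIR
# Writes zones, interfaces, hosts, policy and rules into DIR.
write_shorewall_config() {
    dir="${1:-/etc/shorewall}"
    mkdir -p "$dir"

    # fw is the host, net the Internet, dmz the guests.
    cat > "$dir/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
dmz     ipv4
EOF

    # vmbr0 itself belongs to no zone ("-"); the bridge option makes Shorewall
    # classify traffic by the bridge port it arrived on (see hosts).
    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       vmbr0       detect      bridge
EOF

    # The physical NIC faces the Internet; tap/vmtab/veth ports face the guests.
    cat > "$dir/hosts" <<'EOF'
#ZONE   HOST(S)                                  OPTIONS
net     vmbr0:eth0
dmz     vmbr0:tap+,vmbr0:vmtab+,vmbr0:veth+
EOF

    # Default stance: the host may talk anywhere, guests may reach the
    # Internet, everything else from the Internet is dropped and logged.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST   POLICY   LOG LEVEL
fw        all    ACCEPT
dmz       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
EOF

    # Exceptions to the policies. Bridged frames destined for the guests are
    # forwarded by the kernel, so the net->dmz services must be listed too.
    # In a cluster, add the ports your other nodes need to reach fw (at least SSH).
    cat > "$dir/rules" <<'EOF'
#ACTION        SOURCE   DEST   PROTO   DEST PORT(S)
SSH(ACCEPT)    net      fw
ACCEPT         net      fw     tcp     443
ACCEPT         net      dmz    tcp     80,443
Ping(ACCEPT)   net      fw
Ping(ACCEPT)   net      dmz
EOF
}

# count_zones DIR: number of zones declared (comment lines excluded).
count_zones() { grep -vc '^#' "$1/zones"; }
```

Run `write_shorewall_config /tmp/shorewall-test` first and read the result; then copy the files to /etc/shorewall alongside a shorewall.conf taken from /usr/share/shorewall/configfiles/, set STARTUP_ENABLED=Yes in /etc/default/shorewall, and run `shorewall check` before `shorewall restart`. Bridge-port zones only work when the kernel passes bridged frames through netfilter, so confirm that /proc/sys/net/bridge/bridge-nf-call-iptables reads 1; if it does not, nothing between the Internet and the guests is filtered even though the host itself appears protected.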
Proxmox VE version 1.1 does not ship with a firewall, which is a bad thing for a production server for obvious reasons. Proxmox VE 2.0 is supposed to ship with firewall support built in. Until then, here is an easy script that you can put on your Proxmox VE box to protect it and, if you so choose, the virtual machines running on it. It is based on http://wiki.openvz.org/Setting_up_an_iptables_firewall but works with KVM machines as well and is tailored to a Proxmox install.
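What such a script has to get right on a bridged Proxmox host, as an added example in raw iptables; this is neither the script the paragraph refers to nor the OpenVZ wiki's. It assumes eth0 is the physical port of vmbr0, that guests attach as tap+, vmtab+ or veth+ bridge ports, that the host is managed over SSH and 443, and that the guests publish only HTTP and HTTPS. The ruleset is emitted in iptables-restore format so it can be reviewed and then loaded atomically:

```shell
#!/bin/sh
# Added example (not the article's script): iptables for a Proxmox VE 1.x host
# whose single NIC (assumed eth0) is a port of vmbr0. Guest bridge ports are
# assumed to be tap+/vmtab+ (KVM) and veth+ (OpenVZ).
set -e

# print_rules: emit the ruleset in iptables-restore format.
print_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Host itself (INPUT): loopback, replies, management, ping.
# In a cluster, add one line per peer node for the ports the cluster needs.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Guests (FORWARD): bridged frames only traverse this chain when
# net.bridge.bridge-nf-call-iptables=1; physdev identifies the bridge port a
# frame arrived on, which is how guest traffic is told apart from Internet traffic.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m physdev --physdev-in tap+ -j ACCEPT
-A FORWARD -m physdev --physdev-in vmtab+ -j ACCEPT
-A FORWARD -m physdev --physdev-in veth+ -j ACCEPT
# Inbound from the physical NIC to the guests: only the services they publish.
-A FORWARD -m physdev --physdev-in eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# apply_rules: turn on bridge netfilter, then load the ruleset atomically
# (iptables-restore replaces the whole table, so a typo cannot leave it half-applied).
apply_rules() {
    sysctl -w net.bridge.bridge-nf-call-iptables=1 >/dev/null
    print_rules | iptables-restore
}

# count_rules: number of -A lines in the generated ruleset (for checking).
count_rules() { print_rules | grep -c '^-A '; }
```

Use `print_rules` to read the policy and `apply_rules` (as root) to load it; put the sysctl in /etc/sysctl.conf as well, since without bridge netfilter the FORWARD chain never sees bridged frames and the guests are left exposed while the host looks protected. Drop the physdev-in eth0 rules you do not need: each one is a service the Internet can reach on every guest behind the bridge.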
Installation and Usage
FireHOL allows you to configure your firewall using a "high-level" language that anyone can read, while retaining all the power and flexibility you have come to expect from iptables.
For several years now I have used SmoothWall Express as a personal firewall on my cable modem connection. I have been very pleased with it and have never had a successful breach that I am aware of. Having kids, I knew I would soon need some form of nanny filtering. Early on I investigated DansGuardian and found great support in the Homebrew forums of the SmoothWall community.