13.10. Tips and Tricks

FTP is an old style protocol which uses port 21 and several other dynamic ports. So you need a rule to accept port 21. In addition, you need to load the ip_conntrack_ftp module. So please run:

modprobe ip_conntrack_ftp

and add ip_conntrack_ftp to /etc/modules (so that it works after a reboot).

If you want to use the Suricata IPS (Intrusion Prevention System), it’s possible.

Packets will be forwarded to the IPS only after the firewall ACCEPTed them.

Rejected/Dropped firewall packets don’t go to the IPS.

Install suricata on proxmox host:

# apt-get install suricata
# modprobe nfnetlink_queue

Don’t forget to add nfnetlink_queue to /etc/modules for next reboot.

Then, enable IPS for a specific VM with:

# /etc/pve/firewall/<VMID>.fw

[OPTIONS]
ips: 1
ips_queues: 0

ips_queues will bind a specific cpu queue for this VM.

Available queues are defined in

# /etc/default/suricata
NFQUEUE=0