
Merge branch 'master' of github.com:HON95/wiki

Håvard O. Nordstrand 4 years ago
parent
commit
5f1ac3474c
1 changed file with 12 additions and 10 deletions

+ 12 - 10
config/server/proxmox-ve.md

@@ -32,29 +32,31 @@ breadcrumbs:
 
 
 ### Initial Configuration
 ### Initial Configuration
 
 
-Follow the instructions for [Debian server basic setup](../debian-server/#initial-setup), but with the following exceptions and extra steps:
+Follow the instructions for [Debian server basic setup](../debian/#initial-setup), but with the following exceptions and extra steps:
 
 
 1. Before installing updates, setup the PVE repos (assuming no subscription):
 1. Before installing updates, setup the PVE repos (assuming no subscription):
-    1. In `/etc/apt/sources.list.d/pve-enterprise.list`, comment out the Enterprise repo.
-    1. In `/etc/apt/sources.list`, add the PVE No-Subscription repo: `deb http://download.proxmox.com/debian/pve buster pve-no-subscription`
+    1. Comment out all content from `/etc/apt/sources.list.d/pve-enterprise.list` to disable the enterprise repo.
+    1. Create `/etc/apt/sources.list.d/pve-no-subscription.list` containing `deb http://download.proxmox.com/debian/pve buster pve-no-subscription` to enable the no-subscription repo.
     1. More info: [Proxmox VE: Package Repositories](https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo)
     1. More info: [Proxmox VE: Package Repositories](https://pve.proxmox.com/wiki/Package_Repositories#sysadmin_no_subscription_repo)
 1. Don't install any of the firmware packages, it will remove the PVE firmware packages.
 1. Don't install any of the firmware packages, it will remove the PVE firmware packages.
 1. Update network config and hostname:
 1. Update network config and hostname:
     1. Do NOT manually modify the configs for network, DNS, NTP, firewall, etc. as specified in the Debian guide.
     1. Do NOT manually modify the configs for network, DNS, NTP, firewall, etc. as specified in the Debian guide.
-    1. Install `ifupdown2`.
+    1. (Optional) Install `ifupdown2` to enable live network reloading. This does not work if using OVS interfaces.
     1. Update network config: Use the web GUI.
     1. Update network config: Use the web GUI.
-    1. (Optional) Update hostname: See the Debian guide.
-    1. Update `/etc/hosts`: The short and FQDN hostnames must resolve to the IPv4 and IPv6 management address.
+    1. (Optional) Update hostname: See the Debian guide. Note that the short and FQDN hostnames must resolve to the IPv4 and IPv6 management address to avoid breaking the GUI.
 1. Update MOTD:
 1. Update MOTD:
     1. Disable the special PVE banner: `systemctl disable --now pvebanner.service`
     1. Disable the special PVE banner: `systemctl disable --now pvebanner.service`
     1. Clear or update `/etc/issue` and `/etc/motd`.
     1. Clear or update `/etc/issue` and `/etc/motd`.
     1. (Optional) Set up dynamic MOTD: See the Debian guide.
     1. (Optional) Set up dynamic MOTD: See the Debian guide.
 1. Setup firewall:
 1. Setup firewall:
     1. Open an SSH session, as this will prevent full lock-out.
     1. Open an SSH session, as this will prevent full lock-out.
-    1. Enable the cluster/datacenter firewall.
-    1. Disable NDP. This is because of a vulnerability in Proxmox where it autoconfigures itself on all bridges.
-    1. Add incoming rules on the management network for NDP (ICMPv6), ping (macro), SSH (macro) and the web GUI (TCP port 8006).
-    1. Enable the host/node firewall.
+    1. Go to the datacenter firewall page.
+    1. Enable the datacenter firewall.
+    1. Add incoming rules on the management network for NDP (ipv6-icmp), ping (macro ping), SSH (tcp 22) and the web GUI (tcp 8006).
+    1. Go to the host firewall page.
+    1. Enable the host firewall (TODO disable and re-enable to make sure).
+    1. Disable NDP on the nodes. (This is because of a vulnerability in Proxmox where it autoconfigures itself on all bridges.)
+    1. Enable TCP flags filter to block illegal TCP flag combinations.
     1. Make sure ping, SSH and the web GUI is working both for IPv4 and IPv6.
     1. Make sure ping, SSH and the web GUI is working both for IPv4 and IPv6.
 1. Set up storage:
 1. Set up storage:
     1. Create a ZFS pool or something.
     1. Create a ZFS pool or something.
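
Review bot: In the firewall steps, "Enable the datacenter firewall" is listed before "Add incoming rules on the management network ...", so the allow rules for SSH (tcp 22) and the web GUI (tcp 8006) are only added once the firewall is already on. Consider moving the rule step ahead of the enable step and keeping the open SSH session as the fallback. The "(TODO disable and re-enable to make sure)" on the host firewall step should be resolved or tracked before this reads as a finished procedure. The NDP step cites "a vulnerability in Proxmox where it autoconfigures itself on all bridges" without a reference; a link or a short description of the exposure would let readers check whether it still applies, and it would help to say how disabling NDP on the nodes relates to the NDP (ipv6-icmp) allow rule added a few steps earlier. Separately, the hostname change folds the former unconditional "Update `/etc/hosts`" step into an "(Optional)" item and no longer names the file; since the removed line stated the resolution requirement as its own step, suggest keeping it that way.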