Firewall not functioning correctly

Virtualizer
Dec 19, 2011
Dear all,

the documentation for the firewall is not much help!

So I have done many tests and I cannot understand why it is not working correctly!

First, the host is a dedicated server at OVH. This works via IP through MAC to eth0, which is linked to vmbr0!
We are not working with clusters! So in the Proxmox Datacenter configuration there is only this host!

a) I have enabled the firewall in Datacenter and on the host! The moment I did that, the communication
between the Proxmox GUI and the firewall settings became inoperable! The default setting that comes with the updates
sets the Input Policy in Datacenter to DROP. When I change the firewall mode to 0 directly in cluster.fw,
then the GUI can handle the settings! Many other tests fail too!

b) I have added a rule for a ping from the Operating Center to the host. With this setting no ping works, regardless of whether
I use the interface eth0 or vmbr0, protocol icmp and the IP, ACCEPT.

c) OK, now I have set the standard setting in Datacenter to Input Policy ACCEPT and then I have created
a rule to block ping from another computer outside to this host IP. The rule is enabled, but a ping is still possible.
It is the same whether I set the interface to net0 or eth0 or vmbr0. All pings go through! I can set the rules in Datacenter
or on the host, every time it is the same! And yes, the firewall is enabled, iptables -L shows me the rule set, and
pve-firewall status works without errors!

d) I have tested the same rule, DROP ping from an IP of a container to the host, with the interface in the rule set to eth0 or
vmbr0. The ping goes through and the pings are not dropped.

So in the documentation the interface net0 is mentioned - is this a logical interface that is only used when clustering is used?
Is it possible that the firewall does not work correctly when the traffic goes via MAC?


Regards

Detlef
 
Dear tempelfield,

PVE-Firewall works fine, but only when you do not enable a container with IPv6 - otherwise the firewall will not work because of a bug!

So you must check via SSH:

vzlist -a -o ctid,ip | grep ':'

and compare this list with the /etc/pve/firewall directory!

When you have a container with IPv6 in the first list, then a file such as 123.fw does not exist, or the firewall will not work! When
you make a copy of e.g. 123.fw to 246.fw and you have an IPv6 address inside, you must restart the firewall, e.g.:

pve-firewall stop
pve-firewall start
or service pve-firewall restart

You can check this with:

iptables -L -n

When you get only the standard 3 - 6 lines, then PVE-Firewall is not working! So delete the containers
with IPv6 from /etc/pve/firewall and restart the firewall!

OK, then the next steps:

A. Open an SSH terminal, so you can switch off the firewall at any time - otherwise you possibly cannot work anymore and
may have to take difficult steps!

So you must set the firewall settings in 3 places:

Options in Datacenter:
INPUT Policy: ACCEPT
OUTPUT Policy: ACCEPT
check that the settings are OK - important!
Enable the firewall now!
Options in Host:
Smurfs Filter and TCP Flag Filter: YES
nf_* at default
*log* at nolog
Enable the firewall now
Options in Container:
Please make sure that you do not have an IPv6 address in your network settings!!!!
Then Options:
INPUT Policy: ACCEPT
OUTPUT Policy: ACCEPT
others as standard
check that your settings are correct before enabling the firewall
Enable the firewall for the container!

OK, now we will check how the firewall works:

In SSH you run

iptables -L

and you see a lot of entries - then the firewall is working!

Next step, we will block an incoming IP to containers or the host:

In the settings of Datacenter:

Firewall - scroll down and use IPSets
On the left side in IPSets for Datacenter, click Add
name the new IPSet correctly as blacklist
then save
Click the new IPSet on the left side and go to the right side
add the IP you want to block, e.g. an IP inside a container to a host
or another container with a separate IP (best is a public IP)

Be careful that you do not click "nomatch"!!!
Now check that from that IP you cannot ping the host or other containers!
Check from an external IP too, when you have the possibility!
You will see the firewall is working well!

So all IPs in the blacklist are blocked on all containers and the host when the firewall is
enabled, and now you can begin to create your own security!

Now, how we can see this in SSH:

via
iptables -L -n
we can see a lot of rules

and via
ipset list
we see the IPs of all ipsets (e.g. the one we have blocked in the blacklist)
use man ipset for more information!

I hope this helps!

Detlef
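The two checks from the post above (find containers with an IPv6 address that still have a .fw file, and decide from iptables -L -n whether pve-firewall has loaded anything), as an added shell example that is not part of the original post and not Proxmox code. It runs offline against constructed sample output; the vzlist column layout, the PVEFW-INPUT chain name, the blacklist ipset name and the /etc/pve/firewall/<ctid>.fw path are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example (not from the original post, not Proxmox code): the two checks
# described above, done against constructed sample output so it runs offline.
# Assumptions: `vzlist -a -o ctid,ip` prints a header line followed by one row
# per container with the CTID in column 1 and space-separated addresses after
# it; per-container firewall files live in /etc/pve/firewall/<ctid>.fw.

# Constructed sample of `vzlist -a -o ctid,ip` output: CT 123 and 246 have an
# IPv6 address, CT 200 has no IP at all.
SAMPLE_VZLIST='      CTID IP_ADDR
       101 10.0.0.11
       123 10.0.0.23 2001:db8::23
       200 -
       246 2001:db8::246'

# Constructed `iptables -L -n` output on a host where pve-firewall loaded
# nothing: only the three built-in chains, no rules.
SAMPLE_IPTABLES_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed `iptables -L -n` excerpt with pve-firewall active (chain name
# modelled on PVEFW-INPUT; the blacklist ipset name is an assumption).
SAMPLE_IPTABLES_ACTIVE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
PVEFW-INPUT  all  --  0.0.0.0/0            0.0.0.0/0

Chain PVEFW-INPUT (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            match-set PVEFW-0-blacklist-v4 src'

# Step 1 of the post: print the CTIDs whose address list contains an IPv6
# address (anything with a ':' in it). Reads vzlist output on stdin and skips
# the header. Same idea as the post's `vzlist -a -o ctid,ip | grep ':'`, but
# prints only the IDs so they can be matched against the .fw files.
ipv6_ctids() {
    awk 'NR > 1 { for (i = 2; i <= NF; i++) if ($i ~ /:/) { print $1; break } }'
}

# Step 2: of the CTIDs on stdin, print those that have <ctid>.fw in the given
# directory (default /etc/pve/firewall). These are the files the post says to
# remove before restarting pve-firewall.
ctids_with_fw_file() {
    dir="${1:-/etc/pve/firewall}"
    while read -r ctid; do
        if [ -f "$dir/$ctid.fw" ]; then echo "$ctid"; fi
    done
}

# Step 3: count actual rules in `iptables -L -n` output on stdin, ignoring
# chain headers, column headers and blank lines.
iptables_rule_count() {
    grep -v -e '^Chain ' -e '^target ' -e '^$' | wc -l | tr -d ' '
}

# The post's heuristic as a predicate: zero rules means pve-firewall has not
# loaded its rule set.
firewall_active() {
    [ "$(iptables_rule_count)" -gt 0 ]
}

# Demo with a temporary directory standing in for /etc/pve/firewall.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/101.fw" "$tmp/123.fw"
    echo "containers with IPv6 and a .fw file:"
    printf '%s\n' "$SAMPLE_VZLIST" | ipv6_ctids | ctids_with_fw_file "$tmp"
    if printf '%s\n' "$SAMPLE_IPTABLES_EMPTY" | firewall_active; then
        echo "empty sample: firewall active"
    else
        echo "empty sample: firewall NOT active"
    fi
    rm -rf "$tmp"
}
demo
```

On a real host, replace the sample variables with the live commands, e.g. `vzlist -a -o ctid,ip | ipv6_ctids | ctids_with_fw_file` and `iptables -L -n | firewall_active`; the functions only read stdin, so nothing is modified.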
 
