Problem Getting pve firewall to work

[Awmusic12635]

I currently have the firewall disabled. I read in the docs that both ssh and port 8006 needs to be open when you enable the firewall since by default it drops. I added the rules however it still seems to block access to the web console port 8006 when I enable the firewall.

What am I doing wrong?

cat /etc/pve/firewall/cluster.fw

[OPTIONS]
# enable firewall (cluster wide setting, default is disabled)
enable: 1

[RULES]
#TYPE ACTION [OPTIONS]
#TYPE MACRO(ACTION) [OPTIONS]

# -i      <INTERFACE>
# -source <SOURCE>
# -dest   <DEST>
# -p      <PROTOCOL>
# -dport  <DESTINATION_PORT>
# -sport  <SOURCE_PORT>

IN SSH(ACCEPT) -i vmbr0
IN ACCEPT -i vmbr0 -dport 8006

 

[Richard]

I added the rules however it still seems to block access to the web console port 8006 when I enable the firewall.

It´s not necessary to make a rule for this. It´s default.

cat /etc/pve/firewall/cluster.fw

[OPTIONS]
# enable firewall (cluster wide setting, default is disabled)
enable: 1

[RULES]
#TYPE ACTION [OPTIONS]
#TYPE MACRO(ACTION) [OPTIONS]

# -i      <INTERFACE>
# -source <SOURCE>
# -dest   <DEST>
# -p      <PROTOCOL>
# -dport  <DESTINATION_PORT>
# -sport  <SOURCE_PORT>

IN SSH(ACCEPT) -i vmbr0
IN ACCEPT -i vmbr0 -dport 8006

But you can define a rule, of course. The above has a mistake, correct would be:

IN ACCEPT -i vmbr0 -p tcp -dport 8006

To see more check

iptables-save

 

[Awmusic12635]

It´s not necessary to make a rule for this. It´s default.

If it is default why when the firewall becomes enabled does the web interface become not accessible?

 

[Richard]

If it is default why when the firewall becomes enabled does the web interface become not accessible?

To precise it:

Default "allow access to portal" is only made for the main IP address, i.e. what you configured during installation process assigned to Proxmox´s hostname. Can be found in

cat /etc/hostname
cat /etc/hosts

Moreover: you have a mistake in your firewall config file!

 

[Awmusic12635]

To precise it:

Default "allow access to portal" is only made for the main IP address, i.e. what you configured during installation process assigned to Proxmox´s hostname. Can be found in

cat /etc/hostname
cat /etc/hosts

Moreover: you have a mistake in your firewall config file!

Thank you that did solve the issue of the web panel. One final question, how do I get the firewall to work with my openvz venet containers? Rules added to them seem to have no effect.

 

[Richard]

Thank you that did solve the issue of the web panel. One final question, how do I get the firewall to work with my openvz venet containers? Rules added to them seem to have no effect.

In general: venet0 is not a NIC as usual (also not a virtual one); it is a virtual adapter in the host used by the container. You cannot set a firewall for that.

But you can define a rule for the host instead which will have the required effect - post your settings you tried and give a short description what is the scope.