Hi all, apologies for what is probably a pretty basic user error... but I haven't been able to find the answer in the documentation or searching through here.
I have a new PVE installation with a single node behind my home router. I have enabled the firewall at "Datacenter" level without changing any other settings - so the default for "Input policy" is DROP. I then also enabled the firewall for the node, again without changing any other settings. From reading the documentation I thought this was all I needed to do to block everything except for my LAN accessing ports for SSH and the management interface. But it is seemingly not filtering anything...
To test I enabled forwarding for UDP port 33333 on the router (will be used for wireguard later) and started sending packets, watching with tcpdump, and they went through. I thought maybe this was because I did it from a machine on the local network, so I tried again from a remote host, with the same results.
```text
root@pve:~# tcpdump -i enp4s0 'udp port 33333'
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:58:44.028790 IP 199.43.4.28.44692 > pve.xxxx.33333: UDP, length 1
11:58:44.033341 IP 199.43.4.28.44692 > pve.xxxx.33333: UDP, length 1
11:58:44.033368 IP 199.43.4.28.44692 > pve.xxxx.33333: UDP, length 1
11:58:44.033371 IP 199.43.4.28.44692 > pve.xxxx.33333: UDP, length 1
```
I have tried restarting the firewall service, pve-firewall status reports it is running, etc. The generated iptables look right to me, a novice. How do I get my firewall to actually run? I hope there is something obvious I am missing in the interface...
Note that this is a question about the firewall at the node level - I have found lots of posts about enabling it for VMs and how you have to enable the firewall for each network interface.
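One caveat for the test method above: tcpdump on enp4s0 captures frames before netfilter's INPUT chain evaluates them, so seeing the datagrams there does not show whether pve-firewall dropped them; the effective state has to be read from the configuration (or from the PVEFW-HOST-IN chain counters). As an added example, not code from the poster or from Proxmox, this Python parses the contents of /etc/pve/firewall/cluster.fw and /etc/pve/nodes/<node>/host.fw and reports whether the node firewall is in force; it assumes the host-level `enable` defaults to on unless explicitly set to 0, and runs on a constructed config mirroring the post.

```python
"""Report whether the Proxmox VE host (node) firewall is actually in force,
from the datacenter and host .fw files. Added example; not the poster's
code and not part of pve-firewall. Sample config below is constructed."""
import re


def parse_fw(text):
    """Minimal parser for the pve-firewall file format: [OPTIONS] 'key: value'
    lines and [RULES] one rule per line (other sections are skipped).
    '#' comments and blank lines are ignored; a leading '|' disables a rule."""
    conf = {"options": {}, "rules": []}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)(?:\s+\S+)?\]", line)  # e.g. [OPTIONS], [IPSET x]
        if m:
            section = m.group(1).upper()
            continue
        if section == "OPTIONS":
            key, _, val = line.partition(":")
            conf["options"][key.strip()] = val.strip()
        elif section == "RULES":
            conf["rules"].append({"enabled": not line.startswith("|"),
                                  "rule": line.lstrip("|").strip()})
    return conf


def host_firewall_state(cluster_fw, host_fw=""):
    """Return (active, policy_in). The datacenter-level 'enable' switches the
    whole firewall on; the host-level 'enable' is ASSUMED to default to on
    unless explicitly 0; policy_in is a cluster option that defaults to DROP."""
    copts = parse_fw(cluster_fw)["options"]
    hopts = parse_fw(host_fw)["options"]
    active = copts.get("enable", "0") == "1" and hopts.get("enable", "1") != "0"
    return active, copts.get("policy_in", "DROP").upper()


# Constructed sample mirroring the post: datacenter firewall on with the
# default DROP input policy, node firewall on, no rule for UDP 33333.
CLUSTER_FW = """[OPTIONS]
enable: 1
policy_in: DROP
[RULES]
IN SSH(ACCEPT) -source 192.168.1.0/24 # constructed LAN rule
"""
HOST_FW = "[OPTIONS]\nenable: 1\n"
```

With this sample, `host_firewall_state(CLUSTER_FW, HOST_FW)` returns `(True, "DROP")`, meaning unsolicited UDP 33333 is dropped at INPUT even though tcpdump still shows it arriving.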