[SOLVED] VM firewall rule having no impact?

chrispage1

Sep 1, 2021
Hi,

I'm having a bit of an odd issue. I have a Windows VM within Proxmox. I don't want port 3389 (TCP) to be open so I am trying to close it using firewall rules.

At a DC level:

Firewall > Options > Firewall > Yes
Firewall > Options > EB Tables > yes
Firewall > Options > Input Policy > yes

At the node level:

Firewall > Options > Firewall > Yes
Firewall > Options > nftables (tech preview) > Yes

At the VM Level:

Firewall > Options > Firewall > Yes
Firewall > Options > Input Policy > Drop

Hardware > Network Device (net0) -> Firewall > Yes

I have then configured a rule as below (directly against the VM):

On: Yes
Type: In
Action: Drop

This is the very first rule in my list - yet the port remains open to the internet. Any ideas why? I've attached my VM FW configuration below.

Code:
root@pve02:/etc/pve/firewall# cat 110.fw
[OPTIONS]

policy_in: DROP
enable: 1

[RULES]

IN DROP -log info
IN ACCEPT -p udp -dport 41641 -log info # Tailscale UDP
GROUP private_isolated
GROUP vrf-client
|OUT ACCEPT -log info
|OUT ACCEPT -dest 192.168.1.1 -log nolog
|OUT ACCEPT -dest 0.0.0.0/0 -log nolog
|OUT DROP -dest 192.168.1.0/24 -log nolog
|IN ACCEPT -p udp -dport 3389 -log info # rdp_udp

root@pve02:/etc/pve/firewall# cat ../qemu-server/110.conf
### RDP Server
#
#Running Windows, accessible via private LAN only.
agent: 1
balloon: 3072
boot: order=ide0;ide2;net0
cores: 5
cpu: custom-client-custom
ide0: ceph_data_krbd:vm-110-disk-0,discard=on,size=1320G
ide2: none,media=cdrom
machine: pc-i440fx-6.1
memory: 8192
meta: creation-qemu=6.1.0,ctime=1644941837
name: client-rdp
net0: virtio=42:71:50:FC:2E:FE,bridge=VXLAN,firewall=1
numa: 0
onboot: 1
ostype: win10
protection: 1
scsihw: virtio-scsi-pci
smbios1: uuid=c54dffb1-6e46-4db1-9a32-59c56b97d5f3
sockets: 2
tags: isolated;services
vmgenid: e589c056-2535-4ec5-ab57-5c2586968d66
 
No iptables PREROUTING rule on the host? (because PREROUTING bypasses the firewall)
+ try from another endpoint, as the current established TCP connection is kept.

Thanks for your reply! No, iptables is empty.

I have been testing from an online port testing tool - still open at the moment.

However, if I migrate it to another node, the port correctly appears closed. This server needs updating anyway, so I might do this and see if we still have the problem after a reboot.
 
So, nodes upgraded and rebooted, and it still seems to be a problem. I've cross-checked the configurations across all nodes and the Host > Firewall settings are exactly the same. I've run iptables -L and they are all empty.
 
iptables -L is not enough to show nat/PREROUTING rules. What about:
iptables -t nat -L
Thanks, although this is still empty:

Code:
root@pve02:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Setting the Windows firewall is certainly an option, but I'd like to get to the reason why it is doing this. I've just spun up a test container on pve02 using netcat and the same is happening.
 
OK, so after a little digging around, my Proxmox Firewall service was reporting the below:

Code:
May 18 16:17:11 pve02 proxmox-firewall[5138]: error updating firewall rules: cannot execute nftables commands
May 18 16:17:16 pve02 proxmox-firewall[5138]: error updating firewall rules: cannot execute nftables commands

I think this was actually triggered by a missing IPSet - restoring the IPSet and restarting the service has pushed it through for me. Thanks for your help @_gabriel
 
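An added check, written for this page and not taken from the thread or from Proxmox itself. The root cause above was a dangling IPSet reference that stopped proxmox-firewall from compiling the ruleset while the GUI still showed the rule as active. The POSIX shell script below statically checks a guest firewall file against cluster.fw for references to security groups and IPSets that are not defined, and lists the active (non-`|`) rules in evaluation order. The guest file is modelled on the posted 110.fw; the cluster.fw content (the `management` IPSet, the deliberately undefined `clients` IPSet, and the rules inside the two groups) is constructed for the example and is not from the thread, and stripping `+dc/` and `+guest/` scope prefixes from IPSet references is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original thread: find security groups and IPSets that a
# guest firewall file references but that cluster.fw never defines. Sample files below are
# constructed for the example; only the guest rules mirror the thread's 110.fw.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed guest file, modelled on the 110.fw posted in the thread.
cat >"$WORK/110.fw" <<'EOF'
[OPTIONS]

policy_in: DROP
enable: 1

[RULES]

IN DROP -log info
IN ACCEPT -p udp -dport 41641 -log info # Tailscale UDP
GROUP private_isolated
GROUP vrf-client
|OUT ACCEPT -log info
|IN ACCEPT -p udp -dport 3389 -log info # rdp_udp
EOF

# Constructed cluster.fw (assumed content): group 'vrf-client' refers to an IPSet
# 'clients' that is deliberately never defined, mirroring the thread's failure.
cat >"$WORK/cluster.fw" <<'EOF'
[OPTIONS]

enable: 1

[IPSET management]
192.168.1.0/24

[group private_isolated]
IN DROP -source +management -log nolog

[group vrf-client]
OUT ACCEPT -dest +clients -log nolog
EOF

# Lines of the [RULES] section that are not disabled (a leading '|' disables a rule),
# printed in the order the firewall evaluates them.
active_rules() {
    sed -n '/^\[RULES\]/,/^\[/p' "$1" | grep -v '^\[' | grep -v '^|' | grep -v '^[[:space:]]*$' || true
}

# Security groups pulled in by active GROUP rules of the guest file.
referenced_groups() {
    active_rules "$1" | awk '$1 == "GROUP" { print $2 }'
}

# Groups defined in cluster.fw ('[group name]' section headers).
defined_groups() {
    sed -n 's/^\[group \([^]]*\)\].*/\1/p' "$1"
}

# IPSets referenced as '+name' (scope prefixes such as '+dc/name' stripped; assumption)
# in the guest's active rules and in the rules of every group it references.
referenced_ipsets() {
    { active_rules "$1"
      for g in $(referenced_groups "$1"); do
          sed -n "/^\[group $g\]/,/^\[/p" "$2" | grep -v '^\[' || true
      done
    } | tr ' ' '\n' | sed -n 's#^+\([a-z]*/\)\{0,1\}\([A-Za-z0-9_-]*\).*#\2#p' | sort -u
}

# IPSets defined at cluster level ('[IPSET name]' section headers, case-insensitive).
defined_ipsets() {
    sed -n 's/^\[[Ii][Pp][Ss][Ee][Tt] \([^]]*\)\].*/\1/p' "$1"
}

# One line per dangling reference: 'group:<name>' or 'ipset:<name>'. Empty output is good.
missing_refs() {
    for g in $(referenced_groups "$1"); do
        defined_groups "$2" | grep -qx "$g" || echo "group:$g"
    done
    for s in $(referenced_ipsets "$1" "$2"); do
        defined_ipsets "$2" | grep -qx "$s" || echo "ipset:$s"
    done
}

echo "active rules, in evaluation order:"
active_rules "$WORK/110.fw"
echo "dangling references:"
missing_refs "$WORK/110.fw" "$WORK/cluster.fw"
```

On a real node, point the two functions at /etc/pve/firewall/<vmid>.fw and /etc/pve/firewall/cluster.fw instead of the constructed files. The static check complements, rather than replaces, looking at the live state: the service log (`journalctl -u proxmox-firewall`, unit name assumed from the log tag in the thread) for "cannot execute nftables commands", and `nft list ruleset` to confirm the guest's chains are actually present. The active-rule listing also makes ordering visible: Proxmox evaluates rules top down with first match winning, so an unconditional `IN DROP` as the first rule shadows the ACCEPT for UDP 41641 placed after it.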