Search results

  1. run nftables in debian 12 lxc-container

    Apparmor is not installed in the container, it's on the host, which controls the container. So what did you actually do to solve this?
  2. LXC Ubuntu 24.04 the dmesg isn't working

    Is there no way to allow access to dmesg without running a privileged container?
  3. [TUTORIAL] PVE 6.2 Private VM (NAT) network configuration setup

    Your post stinks of LLM output, it sounds both robotic and useless. That said, if you're not advocating for creating bridges inside every virtual machine, then why respond in the first place? I've never said you shouldn't use bridges on the Proxmox host. Also, saying that you wouldn't use...
  4. [TUTORIAL] PVE 6.2 Private VM (NAT) network configuration setup

    I don't buy that and I think it's overcomplicated. There's no reason to set up bridge interfaces inside the virtual machines too. You can very easily add and remove interfaces whenever you want and associate them to whatever VLAN you want, so that wouldn't compromise consistency and flexibility...
  5. Proxmox VE 8 with Firewall in Routed Configuration. Netfilter POSTROUTING SNAT not working

    The eighth rule in the snippet that you've just pasted contradicts what you say in post #8. So, no, this isn't about adapting anything. Your advice means you're interfering with the logic of the firewall by bypassing the first rules (related to all sorts of invalid packets, 1 to 7 in your case)...
  6. Proxmox VE 8 with Firewall in Routed Configuration. Netfilter POSTROUTING SNAT not working

    I don't think that's good advice. The firewall should take care of the FORWARD rules, and as a permanent solution I don't think you should do that. It would be a good test just for debugging purposes to see if it works. Otherwise you're interfering with the logic of the firewall. And if the...
  7. Proxmox VE 8 with Firewall in Routed Configuration. Netfilter POSTROUTING SNAT not working

    I realised that this rule: -A PREROUTING -i fwbr+ -j CT --zone 1 was missing from the raw chain. After adding it, it worked. The packets need a separate conntrack zone in order for SNAT to work, otherwise they're considered "known" (so not new), and will not travel through the nat (POSTROUTING)...
  8. SNAT stops VM internet access after some time

    Ok, try disabling it (if it's safe to do that) and it might work. At least to test if this is the cause. There's also the VM-level firewall - you select the VM (Firewall – Options) and the network interface FW – you select the VM (Hardware – Network device, click on it, uncheck "Firewall"), in...
  9. SNAT stops VM internet access after some time

    I think you've misread the question. I am asking if the firewall is enabled/on and I'm making a clear distinction between configuring firewall rules and enabling the firewall. I don't have any firewall rules, but the firewall is enabled.
  10. SNAT stops VM internet access after some time

    Is the firewall enabled by any chance, even if you don't have any rules set up? Datacenter/VM level/network interface level? In my case SNAT doesn't work at all when I enable the firewall (version 8.2.7, kernel version 6.8.12-1)
  11. Proxmox VE 8 with Firewall in Routed Configuration. Netfilter POSTROUTING SNAT not working

    This isn't working in my case on 8.2.7 with kernel version 6.8.12-1. I've just come across this thread after trying to understand what's happening. It's clear that the host simply ignores the SNAT rule when the VM firewall (interface + VM level) and forwards the packet without translation the...
  12. kc_idp_hint to choose identity provider with keycloak

    Hello, When proxmox authenticates against keycloak, you can configure the issuer-url for keycloak using the following url: https://example.com/realms/my_realm And this works just ok in my case. Now, with keycloak there's an option for the client to specify what identity provider should be...
  13. Strange firewall logs

    If you don't share the exact details of the VM's firewall, it's impossible to explain where the problem comes from. In any case, at first glance it looks like a configuration problem with the firewall and nothing else.
  14. run nftables in debian 12 lxc-container

    Let me then offer a little bit of context. This is a newly installed Proxmox instance. I started with 8.1.4 (if I remember correctly) then upgraded to 8.1.10. I did play a little bit with lxc profiles in order to get that access to the network interface for nebula (as mentioned in post #3), but...
  15. run nftables in debian 12 lxc-container

    Yes, I've actually already tried this, but forgot to mention. So removing these lines and disabling nesting will result in the same apparmor error in the host syslog and permission denied/NAMESPACE-related error inside the container.
  16. run nftables in debian 12 lxc-container

    I see. That's interesting, yes. I would then like to understand where the problem might be.
  17. run nftables in debian 12 lxc-container

    Well, if you have nesting enabled, then how is your answer relevant to this topic? I might be misreading your reply though.
  18. run nftables in debian 12 lxc-container

    I should have mentioned it from the beginning, I'm not sure how it slipped. When I start the nftables service ("systemctl start nftables"), I get the above-mentioned error. Inside the container I got: I was able to circumvent this by enabling nesting on the container. But I think this gives too...
  19. run nftables in debian 12 lxc-container

    Hello, I'm trying to run nftables to do some routing inside an lxc-container, but I keep getting this error: nftables seems to be installed by default in the Debian 12 lxc-container image, so I'm not sure why this isn't working out of the box. In any case, what would be the most sensible way...
  20. [SOLVED] Firewall not working

    Just as a note: you don't need to enable the Firewall at the node level in order to protect the virtual machines or the containers. It's enough to enable it at the datacenter level. Enabling it at the node level is a good idea to protect the node itself, sure, but many rules at the datacenter...