The eighth rule in the snippet that you've just pasted contradicts what you say in post #8. So, no, this isn't about adapting anything. Your advice means you're interfering with the logic of the firewall by bypassing the first rules (related to all sorts of invalid packets, 1 to 7 in your case)...
I don't think that's good advice. The firewall should take care of the FORWARD rules, and as a permanent solution I don't think you should do that. It would be a good test just for debugging purposes to see if it works. Otherwise you're interfering with the logic of the firewall. And if the...
I realised that this rule:
-A PREROUTING -i fwbr+ -j CT --zone 1
was missing from the raw chain. After adding it, it worked. The packets need a separate conntrack zone in order for SNAT to work, otherwise they're considered "known" (so not new), and will not travel through the nat (POSTROUTING)...
Ok, try disabling it (if it's safe to do that) and it might work. At least to test if this is the cause.
There's also the VM-level firewall - you select the VM (Firewall – Options) and the network interface FW – you select the VM (Hardware – Network device, click on it, uncheck "Firewall"), in...
I think you've misread the question. I am asking if the firewall is enabled/on and I'm making a clear distinction between configuring firewall rules and enabling the firewall.
I don't have any firewall rules, but the firewall is enabled.
Is the firewall enabled by any chance, even if you don't have any rules set up? Datacenter/VM level/network interface level?
In my case SNAT doesn't work at all when I enable the firewall (version 8.2.7, kernel version 6.8.12-1)
This isn't working in my case on 8.2.7 with kernel version 6.8.12-1.
I've just come across this thread after trying to understand what's happening. It's clear that the host simply ignores the SNAT rule when the VM firewall (interface + VM level) and forwards the packet without translation the...
Hello,
When proxmox authenticates against keycloak, you can configure the issuer-url for keycloak using the following url:
https://example.com/realms/my_realm
And this works just ok in my case. Now, with keycloak there's an option for the client to specify what identity provider should be...
If you don't share any precise details about the firewall of the VM, then it's impossible to explain where the problem comes from. In any case, at first glance it seems to be a configuration problem with the firewall and nothing else.
Let me then offer a little bit of context. This is a newly installed Proxmox instance. I started with 8.1.4 (if I remember correctly) then upgraded to 8.1.10.
I did play a little bit with lxc profiles in order to get that access to the network interface for nebula (as mentioned in post #3), but...
Yes, I've actually already tried this, but forgot to mention. So removing these lines and disabling nesting will result in the same apparmor error in the host syslog and permission denied/NAMESPACE-related error inside the container.
I should have mentioned it from the beginning, I'm not sure how it slipped. When I start the nftables service ("systemctl start nftables"), I got the above-mentioned error. Inside the container I got:
I was able to circumvent this by enabling nesting on the container. But I think this gives too...
Hello,
I'm trying to run nftables to do some routing inside an lxc-container, but I keep getting this error:
nftables seems to be installed by default in the Debian 12 lxc-container image, so I'm not sure why this isn't working out of the box. In any case, what would be the most sensible way...
Just as a note: you don't need to enable the Firewall at the node level in order to protect the virtual machines or the containers. It's enough to enable it at the datacenter level. Enabling it at the node level is a good idea to protect the node itself, sure, but many rules at the datacenter...
Hello,
I would like to change the FQDN in a cluster which we mainly use to access the administrative interface.
I see that in /etc/hosts both the fqdn and the one-label names are set:
127.0.0.1 localhost.localdomain localhost
10.88.88.231 pve1.example.com pve1
10.88.88.232 pve2.example.com...
I often had issues with the VMs not seeing all the available memory and that would lead to OOM. Also, if the minimum limit is too low, the VM might not even boot and get into kernel panic directly, as the virtual machine might see only that minimum available memory, which I actually don't...