Alter default firewall rules

XN-Matt

Well-Known Member
Aug 21, 2017
As per https://forum.proxmox.com/threads/f...vm-comunication-on-the-same-node.21372/page-2, this appears to affect many.

The suggested rule change of
Code:
 iptables -D PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
does "resolve" this; although it may not be ideal, it does allow traffic to flow.

Could proxmox either debug a fix or allow firewall overrides or a post up config for example?

Disabling the datacentre firewall isn't really a workable solution for most but is the only other fix outside of removing the rule above.
 
Can you please restate the issue, since the original thread is from 2015 and referring to an old version.

Note, firewall rules may apply to the interface (e.g. vmbr0) to allow/block traffic.
 
The issue is the same as reported. Whilst the thread is from 2015, there is at least one other post from Feb 2020 which had no reply, hence I opened this afresh.

Essentially this relates to conn tracking. In our case, we're running BGP with VRRP against two different proxmox servers (with the virtual routes within a VM). With this rule active, when VRRP switches, some devices lose connection due to having no existing connection afforded by that firewall rule.

On removal of said rule, VRRP, and essentially data to/from the gateway address on whichever virtual router it sits, works as expected.

The same goes for IPv6.

For now, we have this on a regular cron to ensure it is not active in case it is ever re-added on upgrade/restart etc.
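An added example, not code from the thread or from Proxmox: an idempotent version of the cron check described above. It tests for the rule with `iptables -C` before deleting it (a bare `iptables -D` fails and mails cron every run the rule is already absent), and keeps the decision logic in a pure function that is exercised against constructed `iptables-save` text. The `PVEFW_APPLY` guard and the `pvefw-cron` logger tag are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Rule text exactly as given in the thread.
RULE_SPEC='PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP'

# Pure helper: count occurrences of the rule in iptables-save style text,
# so the decision can be tested without root or a live firewall.
count_invalid_drop() {
    printf '%s\n' "$1" | grep -c -e "^-A $RULE_SPEC\$" || true
}

# What a cron run should do for a given ruleset: "delete" or "noop".
plan_action() {
    if [ "$(count_invalid_drop "$1")" -gt 0 ]; then
        echo delete
    else
        echo noop
    fi
}

# Live path (needs root): re-check with -C on the real table rather than
# trusting saved text, log the removal, then delete. Same rule for ip6tables,
# since the thread notes IPv6 behaves the same way.
apply_live() {
    bin=$1   # iptables or ip6tables
    if "$bin" -C $RULE_SPEC 2>/dev/null; then
        logger -t pvefw-cron "$bin: removing conntrack INVALID drop from PVEFW-FORWARD"
        "$bin" -D $RULE_SPEC
    fi
}

# Constructed sample of iptables-save output (not captured from a real node).
SAMPLE_WITH_RULE='*filter
:PVEFW-FORWARD - [0:0]
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'
SAMPLE_WITHOUT_RULE='*filter
:PVEFW-FORWARD - [0:0]
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Only touch the live tables when explicitly asked (assumed guard variable),
# e.g. from cron: PVEFW_APPLY=1 /usr/local/sbin/pvefw-invalid-check.sh
if [ "${PVEFW_APPLY:-0}" = 1 ]; then
    for b in iptables ip6tables; do apply_live "$b"; done
fi
```

Removing the rule drops the INVALID-state check for all forwarded traffic on the node, not only the VRRP flows, so the cron job should at least log each removal as above.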
 
Essentially this relates to conn tracking. In our case, we're running BGP with VRRP against two different proxmox servers (with the virtual routes within a VM). With this rule active, when VRRP switches, some devices lose connection due to having no existing connection afforded by that firewall rule.
For this use case, you can try and uncheck the firewall on the interface(s), so it will be ignored. Or run your own iptables altogether. See the SDN feature in Proxmox VE; it may fit your setup.
https://pve.proxmox.com/pve-docs/chapter-pvesdn.html
 
This does not work. The only way to work around it is to disable the fw at datacentre level, which means all HV nodes as well as VMs are unprotected.

We'll check out the SDN stuff once it becomes non-experimental.