[SOLVED] Cannot access anything after enabling Firewall at datacenter level

topkek

Aug 11, 2022
Hey,
so I was editing some firewall settings and accidentally enabled the Firewall at datacenter level instead of the node level. Now I cannot access the web interface anymore, only a VM that was configured using NAT. Is there any way of disabling the Firewall to get access from the outside? SSH into the node also times out, so my only way would be through the internal VM.

I have also set up the node to act as a DHCP Server for created VMs, but when I try to ping the gateway to the node I get a timeout. The server is at a hosting provider, so I don't have hardware access to disable the firewall datacenter-wide.
 
UPDATE:
I enabled Debian rescue mode from the provided server panel and was able to create a file /etc/pve/firewall/cluster.fw containing

Code:
[OPTIONS]
enabled: 0

After that (and a reboot) I was able to SSH into my server again, but I think I have messed up something with the mountpoints because my pve-cluster service won't start now :D
Following some other threads I ran "journalctl -u pve-cluster" and this is my output:
Code:
Aug 11 19:13:02 systemd[1]: Starting The Proxmox VE cluster filesystem...
Aug 11 19:13:02 pmxcfs[2928]: fuse: mountpoint is not empty
Aug 11 19:13:02 pmxcfs[2928]: fuse: if you are sure this is safe, use the 'nonempty' mount option
Aug 11 19:13:02 pmxcfs[2928]: [main] crit: fuse_mount error: File exists
Aug 11 19:13:02 pmxcfs[2928]: [main] notice: exit proxmox configuration filesystem (-1)
Aug 11 19:13:02 pmxcfs[2928]: [main] crit: fuse_mount error: File exists

Is this because of my cluster.fw file or is it because of the mountpoints? To add to this, this is the output of lsblk:

Code:
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  1.8T  0 disk
├─sda1   8:1    0    1M  0 part
├─sda2   8:2    0  9.3G  0 part /
├─sda3   8:3    0  1.8T  0 part /var/lib/vz
└─sda4   8:4    0  3.7G  0 part [SWAP]
 
From the error I'm guessing there is some file or folder in /etc/pve. You need to move this away before it can mount the config folder there again.

Was the folder empty when you created /etc/pve/firewall/cluster.fw? If so, to make sure, stop the pve firewall before you do this, or else it might enable the firewall again when it can mount the /etc/pve filesystem.

Code:
systemctl stop pve-firewall
 
Thanks for replying!
Yes, the /etc/pve directory was indeed empty when I created /etc/pve/firewall/cluster.fw.

My fear is that the firewall will get enabled again once I remove the file from the pve directory.
So the suggested workflow would be to first stop the firewall, then remove the artificially created cluster.fw file and try to start the pve-cluster service?
 
UPDATE: Issue has been resolved by deleting the cluster.fw file, then rebooting, starting all the pve daemons by hand, disabling cluster-wide firewall from the web interface and rebooting again. Thanks for the help!
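
The failure in this thread (a file written under /etc/pve while the cluster filesystem was not mounted, after which pmxcfs refused to start with "mountpoint is not empty") can be checked for before restarting pve-cluster. The script below is an added example and not part of the original posts: the function names, the `--check` switch and the backup destination are hypothetical, and it assumes the mount table uses the /proc/mounts field layout with a FUSE filesystem type for /etc/pve.

```shell
#!/bin/sh
# Added example: pre-flight check for the /etc/pve mountpoint (hypothetical helper names).

# is_fuse_mounted DIR [MOUNTS]: succeed if DIR is listed as a FUSE mountpoint.
# Assumption: MOUNTS uses the /proc/mounts layout "device mountpoint fstype ...".
is_fuse_mounted() {
    awk -v d="$1" '$2 == d && $3 ~ /^fuse/ { found = 1 } END { exit !found }' \
        "${2:-/proc/mounts}"
}

# pve_dir_state DIR [MOUNTS]: print one of
#   mounted  a FUSE filesystem (pmxcfs on a healthy node) is mounted on DIR
#   clean    DIR is empty and unmounted; the FUSE mount can succeed
#   blocked  DIR is unmounted but holds files; expect "mountpoint is not empty"
pve_dir_state() {
    if is_fuse_mounted "$1" "${2:-/proc/mounts}"; then
        echo mounted
    elif [ -n "$(ls -A "$1" 2>/dev/null)" ]; then
        echo blocked
    else
        echo clean
    fi
}

# quarantine_stray DIR DEST [MOUNTS]: move everything out of an unmounted DIR
# into DEST so nothing is deleted. Refuses to touch DIR while it is mounted.
quarantine_stray() {
    if is_fuse_mounted "$1" "${3:-/proc/mounts}"; then
        echo "refusing: $1 is mounted" >&2
        return 1
    fi
    mkdir -p "$2" || return 1
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        mv "$entry" "$2"/ || return 1
    done
}

# Run against the real path only when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    state=$(pve_dir_state /etc/pve)
    echo "/etc/pve: $state"
    [ "$state" != blocked ]
fi
```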