Datacenter firewall blocks everything, even though ports are enabled.

renstump

Jun 4, 2023
Everything on one system and in the same network.
I have 3 separate LXC containers (Memos, PostgreSQL, Caddy).
Datacenter firewall is on, Input Policy: Drop, Output Policy: Accept
Node firewall is on
Container firewalls are on, Input Policy: Drop, Output Policy: Accept

Now using the example of the containers mentioned above.

Caddy: 80, 443 ports are open - incoming
Memos: 5230 (incoming) port & Macro PostgreSQL port (outgoing)
PostgreSQL: Macro PostgreSQL port (incoming)


Node:
as Security-Group "proxmox"

Datacenter: see Picture
as Security-Group "proxmox"

The problem is, when the data center firewall is on, I can't ping between the above containers (e.g. within Caddy ping to Memos, or within Memos to PostgreSQL, or within PostgreSQL to Memos).
If I turn off the data center firewall, I can ping the containers among each other.
I have tried for hours, but have not been able to ping the containers with the data center firewall enabled.

However, I can access my Memos instance from outside.
Attachment: 08_11_2024_001.png
Hello seiji

Yes I have read the firewall section of the Proxmox documentation, but unfortunately I have found the possible cause of my problem.

When I add in/out ICMP protocol rules, I still can't ping.

Edit:
I have now tested further.

Datacenter off, Node on, Container-Firewall on = Ping possible within Containers
Datacenter on, Node off, Container-Firewall on = Ping not possible within Containers

Datacenter and Node firewall both on:
- Caddy on, Memos on, Postgres firewall off = Ping within Caddy to Memos not possible, Ping within Postgres to Memos not possible, Ping within Memos to Postgres possible
- Caddy off, Memos off, Postgres firewall on = Ping within Caddy to Memos possible, Ping within Memos to Postgres not possible, Ping within Postgres to Memos possible
- Caddy on, Memos on, Postgres firewall off = Ping within Caddy to Memos not possible, Ping within Memos to Postgres possible, Ping within Postgres to Memos not possible
- Caddy on, Memos off, Postgres firewall off = Ping within Caddy to Memos possible, Ping within Memos to Postgres possible, Ping within Postgres to Memos possible


root@pve:~# cat /etc/pve/firewall/cluster.fw
[OPTIONS]

policy_in: DROP
enable: 1

[RULES]

GROUP proxmox # with ssh-port 22
|GROUP webserver
IN ACCEPT -p tcp -dport 30005 -log nolog # ssh
|GROUP memos

[group memos]

IN ACCEPT -p tcp -dport 5230 -log nolog
OUT PostgreSQL(ACCEPT) -log nolog
IN PostgreSQL(ACCEPT) -log nolog

[group proxmox]

IN ACCEPT -p tcp -dport 8006 -log nolog
IN ACCEPT -p tcp -dport 5900:5999 -log nolog
IN ACCEPT -p tcp -dport 3128 -log nolog
IN ACCEPT -p tcp -dport 22 -log nolog
IN ACCEPT -p udp -dport 111 -log nolog
OUT ACCEPT -p tcp -dport 25 -log nolog
IN ACCEPT -p udp -dport 5405:5412 -log nolog
IN ACCEPT -p tcp -dport 60000:60050 -log nolog

[group webserver]

IN HTTPS(ACCEPT) -log nolog
IN HTTP(ACCEPT) -log nolog

Any idea?


EDIT:
Ok, got it.
I had to open input ICMP-ping ports/protocol for memos and PostgreSQL containers.
Now I can ping from Caddy to Memos, from Memos to PostgreSQL and from PostgreSQL to Memos.

Thank you

I find the way the firewall works a bit strange. Although I have read the documentation, I also assumed that if I enable the ICMP protocol in the data center and/or node, then it would apply from top to bottom: Datacenter -> Node -> Container.

And if ICMP protocol is not enabled in the data center, but only in the node, then it applies to all containers and VMs.



I have tested both.

But you actually have to enable ICMP protocol for each individual container, even though it is enabled in the data center and node.
For security reasons, I deactivated it again in the data center and node and only enabled it in the required containers.
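What the fix described in the last post looks like in Proxmox VE firewall files, added here as an illustration and not taken from the thread or from Proxmox's own configuration; `<CTID>` and the subnet 10.0.0.0/24 are placeholders for the container ID and the internal bridge network:

```ini
# Added example (not from the thread). Proxmox VE firewall configuration.
# Placeholders: <CTID> = container ID, 10.0.0.0/24 = internal bridge subnet.

# --- /etc/pve/firewall/cluster.fw (datacenter level) ---
# [RULES] here govern the hosts' own traffic and do NOT propagate to guests.
# Define the ICMP allowance once as a security group so each guest can reuse it.
[group icmp-internal]
# echo-request only, and only from the internal subnet (not from the internet)
IN ACCEPT -p icmp -icmp-type echo-request -source 10.0.0.0/24 -log nolog

# --- /etc/pve/firewall/<CTID>.fw (one file per container: Memos, PostgreSQL) ---
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[RULES]
# the service ports, as already defined in the "memos" group of cluster.fw
GROUP memos
# ping must be permitted at the guest level; enabling it at datacenter/node alone is not enough
GROUP icmp-internal
```

Referencing the group from each container's own .fw file is what makes the rule take effect for that container; after editing, `pve-firewall compile` on the node shows the generated chains for checking.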