Datacenter firewall blocks everything, even though ports are enabled.

renstump

New Member
Jun 4, 2023
Everything on one system and in the same network.
I have 3 separate LXC containers (Memos, PostgreSQL, Caddy).
Datacenter firewall is on, Input Policy: Drop, Output Policy: Accept
Node firewall is on
Container firewalls are on, Input Policy: Drop, Output Policy: Accept

Now using the example of the containers mentioned above.

Caddy: 80, 443 ports are open - incoming
Memos: 5230 (incoming) port & Macro PostgreSQL port (outgoing)
PostgreSQL: Macro PostgreSQL port (incoming)


Node:
as Security-Group "proxmox"

Datacenter: see Picture
as Security-Group "proxmox"

The problem is, when the data center firewall is on, I can't ping between the above containers (e.g. within Caddy ping to Memos or within Memos to PostgreSQL or within PostgreSQL to Memos)
If I turn off the data center firewall, I can ping the containers among each other.
I have tried for hours, but have not been able to ping the containers with the data center firewall enabled.

However, I can access my Memos instance from outside.

Hello seiji

Yes I have read the firewall section of the Proxmox documentation, but unfortunately I have found the possible cause of my problem.

When I add in/out ICMP protocol rules, I still can't ping.

Edit:
I have now tested further.

Datacenter off, Node on, Container-Firewall on = Ping possible within Containers
Datacenter on, Node off, Container-Firewall on = Ping not possible within Containers

Datacenter, and Node-Firewall both on
- Caddy on, Memos on, Postgres firewall off = Ping within Caddy to Memos not possible, Ping within Postgres to Memos not possible, Ping within Memos to Postgres possible
- Caddy off, Memos off, Postgres firewall on = Ping within Caddy to Memos possible, Ping within Memos to Postgres not possible, Ping within Postgres to Memos possible
- Caddy on, Memos on, Postgres firewall off = Ping within Caddy to Memos not possible, Ping within Memos to Postgres possible, Ping within Postgres to Memos not possible
- Caddy on, Memos off, Postgres firewall off = Ping within Caddy to Memos possible, Ping within Memos to Postgres possible, Ping within Postgres to Memos possible


root@pve:~# cat /etc/pve/firewall/cluster.fw
[OPTIONS]

policy_in: DROP
enable: 1

[RULES]

GROUP proxmox # with ssh-port 22
|GROUP webserver
IN ACCEPT -p tcp -dport 30005 -log nolog # ssh
|GROUP memos

[group memos]

IN ACCEPT -p tcp -dport 5230 -log nolog
OUT PostgreSQL(ACCEPT) -log nolog
IN PostgreSQL(ACCEPT) -log nolog

[group proxmox]

IN ACCEPT -p tcp -dport 8006 -log nolog
IN ACCEPT -p tcp -dport 5900:5999 -log nolog
IN ACCEPT -p tcp -dport 3128 -log nolog
IN ACCEPT -p tcp -dport 22 -log nolog
IN ACCEPT -p udp -dport 111 -log nolog
OUT ACCEPT -p tcp -dport 25 -log nolog
IN ACCEPT -p udp -dport 5405:5412 -log nolog
IN ACCEPT -p tcp -dport 60000:60050 -log nolog

[group webserver]

IN HTTPS(ACCEPT) -log nolog
IN HTTP(ACCEPT) -log nolog

Any idea?


EDIT:
Ok, got it.
I had to open input ICMP-ping ports/protocol for memos and PostgreSQL containers.
Now I can ping from Caddy to Memos, from Memos to PostgreSQL and from PostgreSQL to Memos.

Thank you

I find the way the firewall works a bit strange. Although I have read the documentation, I also assumed that if I enable ICMP protocol in the data center and/or node, then it would apply from top to bottom: Datacenter -> Node -> Container

And if ICMP protocol is not enabled in the data center, but only in the node, then it applies to all containers and VMs.



I have tested both.

But you actually have to enable ICMP protocol for each individual container, even though it is enabled in the data center and node.
For security reasons, I deactivated it again in the data center and node and only enabled it in the required containers.
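As an added illustration (not part of this thread and not Proxmox's own sample config): a guest-level firewall file for the Memos container that does what the post above describes. The VMID in the path and the two container addresses are assumed placeholders; the rule syntax (aliases, -source, -p icmp -icmp-type, GROUP) is the same format as the cluster.fw shown earlier in the thread.

```ini
# /etc/pve/firewall/<VMID-of-memos>.fw   (VMID is an assumed placeholder)
# Only the rules in this file (plus any GROUP it references) are applied to
# the container's traffic. The [RULES] in cluster.fw configure the node itself,
# which is why an ICMP rule at datacenter/node level did not let the guests ping.

[OPTIONS]

enable: 1
policy_in: DROP
policy_out: ACCEPT

[ALIASES]

# Assumed addresses of the peer containers; adjust to the real ones.
caddy 10.10.10.11
postgres 10.10.10.13

[RULES]

# Allow echo-request only from the two containers that need to reach Memos,
# instead of opening ICMP to the whole network. The Ping macro is equivalent.
IN ACCEPT -source caddy -p icmp -icmp-type echo-request -log nolog
IN ACCEPT -source postgres -p icmp -icmp-type echo-request -log nolog

# Application ports stay in the shared security group defined in cluster.fw
GROUP memos
```

The same pattern (an ICMP accept rule with -source limited to the Memos address) goes into the PostgreSQL container's own .fw file; the datacenter and node rules can stay without ICMP, as the post above concludes.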
I deactivated it again in the data center and node and only enabled it in the required containers.
Enabling Firewall at Datacenter level is mandatory, if not, firewall isn't active for the Node and its Guests.