Disable firewall from command line

dignus

Hi,

What is the easiest way to completely disable the firewall from the command line, the "proxmox way"? Someone f*cked up the firewall config and we don't have access to the web interface any more and the cluster config is broken.
 

wolfgang

Proxmox Retired Staff
Hi,
pve-firewall stop

This stops the firewall until the next reboot or an update of any package that restarts pve-firewall.
If you would like to disable it permanently, you can do this in /etc/pve/firewall/cluster.fw:
set enable: 1 to 0
 

gineta

> Hi,
> pve-firewall stop
>
> This stops the firewall until the next reboot or an update of any package that restarts pve-firewall.
> If you would like to disable it permanently, you can do this in /etc/pve/firewall/cluster.fw:
> set enable: 1 to 0

I have a very serious problem: I can't access the GUI now, and the only way to access the server is by mounting the files in a recovery system.
Anyway, the VPS works.
I tried to go to /etc/pve/firewall/cluster.fw, but the firewall folder is missing, and so is cluster.fw.
I really need a solution to deactivate the firewall. Any ideas? Thanks.
 

rsmvdl

Same here. I don't even have this path in my environment: "ls: cannot access /mnt/etc/pve/firewall/: No such file or directory"
(/mnt is used because the system is booted in rescue mode).
How to deactivate or reset the firewall via shell?
 

gineta

@wolfgang I started the server in rescue mode and edited /etc/default/pve-firewall, changing it to START_FIREWALL=no,
because I don't have /etc/pve/firewall/cluster.fw.

That did not change the situation: I can't access the GUI or get into the server over SSH. Is there any solution for this problem, please?
 

gineta

OK guys, this problem is the same as in similar posts around here. The solution I propose will let you
start Proxmox and make sure the firewall is off. That is a temporary solution, and you need to find
a solution to the problem or simply keep the Proxmox firewall off.

The solution to the problem, after which you can SSH in or go to the GUI
and deactivate the firewall forever:

Start your server in recovery mode and go to the partition where you have mounted your files,
for example: /mnt/etc

Edit the file rc.local
and add the line
pve-firewall stop

It needs to look like this:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

pve-firewall stop

exit 0
 

ignaqui

If you have trouble editing /etc/pve/firewall/cluster.fw, try to disable the firewall manually on each of the cluster's nodes:
pve-firewall stop
Then
chmod u+w /etc/pve/firewall/cluster.fw
which allows you to edit the file.
After editing, start the firewall again:
pve-firewall start
 

Oleg Zech

If anything else fails, edit /etc/crontab and add

* * * * * root pve-firewall stop

Stupid as it is, it's a quick and sure fix. Many things changed with systemd, rc.local etc. and we don't know for how many years this thread will be first in Google :) This fix is guaranteed for decades to come, regardless of the distro :)
 

p.roxy

Hi all,
I am also locked out at the datacenter-level firewall and I don't have any of the files/paths mentioned here. I have booted in rescue mode and the root partition (md2) is mounted.
No rc.local file to edit. Nothing to edit under /mnt/etc/crontab. No such path to: /mnt/etc/pve/firewall/cluster.fw
Just entering the command pve-firewall stop does not work either....

I am at a loss. Is there a way I can disable the firewall and finally get access to my pve? I heard something about iKVM. How does that work?
Thanks so much for your help. Any hint is appreciated.
 

p.roxy

OK guys. I got it solved!
Best solution I found on this forum that worked for me:
First mount the root partition
chroot to the partition where you have mounted your files. In my case /mnt
chroot /mnt

And then the following code will work like a charm:
Code:
systemctl disable pve-firewall
systemctl mask pve-firewall

Thanks to Fabian in this thread: https://forum.proxmox.com/threads/h...t-datacenter-level-firewall.60557/post-278954

Cheers!
 

ttist25

Man - if anyone else has this problem I hope this helps because it totally turned my world around.

My servers are about 800 miles away and I lost all access to them and I couldn't get the iDRAC virtual console to open because apparently java is evil.

Anyway - if you're reading this - you don't wanna hear all that crap - here's what I did - if you have two physical servers on the same subnet it may work for you:

1. ssh to the proxmox host that isn't firewalled
2. from that session ssh to the one that is firewalled (NO idea why that worked but)
3. issue pve-firewall stop
4. be really happy you don't have to fly to the data center or risk a helping hands session

I really hope that works for you and, if it doesn't, stay calm, keep thinking, you'll get through this. :)
 

dylan.uia0

> 1. ssh to the proxmox host that isn't firewalled
> 2. from that session ssh to the one that is firewalled (NO idea why that worked but)

If you look at the default rules that Proxmox adds to the firewall (transparent to the user in the GUI, but you can see them in the CLI), it has rules to allow various ports between the nodes. Makes sense if you think about it, as it means you don't have to worry about what exactly the hosts need to talk to each other when clustered. If you would like to see what rules they have, you can do pve-firewall compile. PVE uses iptables as the backend (I mention this as it took me a while to find that info online).
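
Added example, not part of any post in this thread: a shell function that lists which of the lockout workarounds described above are still in place on a host, so they can be reverted once the rules are fixed and the firewall is back on. The function name and the output tags are made up for this example; the paths are the ones named in the posts, plus the /dev/null symlink that systemctl mask creates, and files that do not exist (such as /etc/pve under /mnt in rescue mode) are skipped.

```shell
# Usage: audit_pve_firewall_workarounds [ROOT]   (ROOT=/mnt in rescue mode)
# Prints one "tag: path" line per finding; returns 1 if anything was found.
audit_pve_firewall_workarounds() {
    root="${1:-}"; root="${root%/}"
    found=0
    report() { printf '%s: %s\n' "$1" "$2"; found=1; }

    # cluster.fw: "enable: 0" inside the [OPTIONS] section only
    f="$root/etc/pve/firewall/cluster.fw"
    if [ -f "$f" ] && awk '
        /^\[/ { opts = (toupper($0) ~ /^\[OPTIONS\]/) }
        opts && /^[ \t]*enable:[ \t]*0[ \t]*$/ { hit = 1 }
        END { exit !hit }' "$f"
    then report cluster-fw-disabled "$f"; fi

    # /etc/default/pve-firewall: START_FIREWALL=no
    f="$root/etc/default/pve-firewall"
    if [ -f "$f" ] && grep -Eq '^[[:space:]]*START_FIREWALL=no' "$f"
    then report default-start-no "$f"; fi

    # rc.local and /etc/crontab: an uncommented "pve-firewall stop"
    for f in "$root/etc/rc.local" "$root/etc/crontab"; do
        if [ -f "$f" ] && grep -Eq '^[^#]*pve-firewall[[:space:]]+stop' "$f"
        then report stop-command "$f"; fi
    done

    # systemctl mask leaves the unit name symlinked to /dev/null
    f="$root/etc/systemd/system/pve-firewall.service"
    if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]
    then report unit-masked "$f"; fi

    return "$found"
}
```

Run it with no argument on the live host, or with /mnt from the rescue system; an empty result means none of these workarounds is left behind.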
 
