Disable firewall from command line

D

dignus

Renowned Member
Feb 12, 2009
181
22
83
Hi,

What is the easiest way to completely disable the firewall from command line, the "proxmox way" ? Someone f*cked up the firewall config and we don't have access to the web interface any more and cluster config is broken.
 
  • Like
Reactions: user984984
Hi,
pve-firewall stop

This stops the firewall until next reboot or update of any packed what restart the pve-firwall.
If you like to disable it permanently , you can do this in the /etc/pve/firewall/cluster.fw
set enable: 1 to 0
 
  • Like
Reactions: akiuni, empirical6355, Ali73 and 2 others
wolfgang said:
Hi,
pve-firewall stop

This stops the firewall until next reboot or update of any packed what restart the pve-firwall.
If you like to disable it permanently , you can do this in the /etc/pve/firewall/cluster.fw
set enable: 1 to 0
Click to expand...
I have very serious problem I can't access now the GUI and teh only system access the server is mounting the files in a recovery system
anyway the VPS works
I try to go to /etc/pve/firewall/cluster.fw but the folder firewall is missing like also to cluster.fw
I really need to get a solution for deactivate the firewall any ideas thanks
 
  • Like
Reactions: rsmvdl
same here. I dont even have this path in my envirnoment "ls: cannot access /mnt/etc/pve/firewall/: No such file or directory"
(/mnt is used because the system is booted in rescue mode).
How to deactivate or reset the firewall via shell?
 
@wolfgang I start the server in rescue mode and change /etc/default/pve-firewall Edit that file and change to START_FIREWALL=no
because I not have /etc/pve/firewall/cluster.fw

That not change the situation I can't access the GUI or go to the server in SSH . Is any solution for this problem Please
 
OK GUYS That problem is the seam in similar POST around here that solution I propose will give you
start the Proxmox and make sure the Firewall is OFF That is a temporally Solution and you need to see
a solution for solve the problem or simple keep the promox firewall OFF


The solution to the problem . And you can after SSh or go to the GUI
And deactivate the firewall for ever

Start your server in recovery mode go to the partition you have mount your files
example : /mnt/etc

Edit the file rc.local
and add the line
pve-firewall stop

That need to look like this

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

pve-firewall stop

exit 0
 
If you have troubles with editing /etc/pve/firewall/cluster.fw, try to disable firewall manually on each cluster's node:
pve-firewall stop
Than
chmod u+w /etc/pve/firewall/cluster.fw
which allows you to edit the file.
After editing start firewall back:
pve-firewall start
 
If anything else fails, edit /etc/crontab and add

* * * * * root pve-firewall stop

Stupid as it is, it's a quick and sure fix. Many things changed with systemd, rc.local etc and we dont know for how many years this thread will be first in Google :) This fix is guaranteed for decades to come, regardless of the distro :)
 
  • Like
Reactions: Nic_, nojstevens and mit
Hi all,
I am also locked out on datacenter level firewall and I don't have any of the files/ paths mentioned here. I have booted in rescue mode and the root partition (md2) is mounted.
No rc.local file to edit. Nothing to edit under /mnt/etc/crontab. No such path to: /mnt/etc/pve/firewall/cluster.fw
Just entering the command pve-firewall stop does not work either....

I am at a loss. Is there a way I can disable the firewall and finally get access to my pve? I heard something about iKVM. How does that work?
Thanks so much for your help. Any hint is appreciated.
 
OK guys. I got it solved!
Best solution I found on this forum that worked for me:
First mount the root partition
chroot to the the partition where you have mount your files. In my case /mnt
chroot /mnt

And then the following code will work like a charm:
Code:
systemctl disable pve-firewall
systemctl mask pve-firewall

Thanks to Fabian in this thread: https://forum.proxmox.com/threads/h...t-datacenter-level-firewall.60557/post-278954

Cheers!
 
  • Like
Reactions: jsabater
Man - if anyone else has this problem I hope this helps because it totally turned my world around.

My servers are about 800 miles away and I lost all access to them and I couldn't get the iDRAC virtual console to open because apparently java is evil.

Anyway - if you're reading this - you don't wanna hear all that crap - here's what I did - if you have two physical servers on the same subnet it may work for you:

1. ssh to the proxmox host that isn't firewalled
2. from that session ssh to the one that is firewalled (NO idea why that worked but)
3. issue pve-firewall stop
4. be really happy you don't have to fly to the data center or risk a helping hands session

I really hope that works for you and, if it doesn't, stay calm, keep thinking, you'll get through this. :)
 
  • Like
Reactions: jec
ttist25 said:
1. ssh to the proxmox host that isn't firewalled
2. from that session ssh to the one that is firewalled (NO idea why that worked but)
Click to expand...
If you look at the default rules that Proxmox adds to the firewall (transparent to the user on the GUI, but you can see them in cli), it has rules to allow various ports between the nodes. Makes sense if you think about it, as it means you don't have to worry about what exactly the hosts need to talk to each other when clustered. If you would like to see what rules they have, you can do pve-firewall compile. PVE uses iptables as the backend (I mention as it took me a while to find that info online).
 
Oleg Zech said:
If anything else fails, edit /etc/crontab and add

* * * * * root pve-firewall stop

Stupid as it is, it's a quick and sure fix. Many things changed with systemd, rc.local etc and we dont know for how many years this thread will be first in Google :) This fix is guaranteed for decades to come, regardless of the distro :)
Click to expand...
That one is simple and works perfectly!!! THANKS
 
ttist25 said:
Man - if anyone else has this problem I hope this helps because it totally turned my world around.

My servers are about 800 miles away and I lost all access to them and I couldn't get the iDRAC virtual console to open because apparently java is evil.

Anyway - if you're reading this - you don't wanna hear all that crap - here's what I did - if you have two physical servers on the same subnet it may work for you:

1. ssh to the proxmox host that isn't firewalled
2. from that session ssh to the one that is firewalled (NO idea why that worked but)
3. issue pve-firewall stop
4. be really happy you don't have to fly to the data center or risk a helping hands session

I really hope that works for you and, if it doesn't, stay calm, keep thinking, you'll get through this. :)
Click to expand...
awesome, can't give you enough Likes, thanks
 
You must log in or register to reply here.
Top Bottom