enable firewall at container creation

CanadaGuy

Well-Known Member
Nov 19, 2019
The default settings for container creation (I don't think I changed any defaults) are the following:
[attached screenshot of the container creation dialog]
I have been assuming that the check mark beside Firewall means that the container firewall will be enabled after creation. However, this is never the case, and I always need to enable it manually on every container I create for it to take effect (the container Firewall is initially unchecked; checking it fixes things).

Is this a bug or perhaps someone can explain the logic to me?
 
According to manual:
firewall=<boolean>
Controls whether this interface’s firewall rules should be used.
But no detailed explanation what it actually does. My guess would be the following:
Let's say you have 3 virtual NICs eno0, eno1, eno2. You check the "firewall" box for eno0 and eno1 but not for eno2. The firewall rules are just to drop all incoming packets. When you then enable the firewall for that LXC, maybe it just drops packets on eno0 and eno1 but not on eno2, as eno2 would not use any firewall?
 
Hmm, so I hadn't even considered the interface ramifications of such a setting. I guess I just assumed that the PVE firewall sits on the virtual switch/router of all interfaces. Does this mean it isn't entirely clear to you as well?
 
Hi all,

I know this is an old post, but I had the same question and was having issues with a samba server that had this checkbox active. Once it was unchecked it worked. So I started investigating.

This was a bit of trial and error, so I wouldn't be surprised if it is all wrong.

From my findings, this seems to apply the firewall rules from the bridged interface.
Because I went to the bridged interface, added a firewall rule to allow all, checked the box, and it started working.

More context:
I have a container running my samba server.
This container has an interface called eth0 which is bridged to vmbr0 (Proxmox node interface)
eth0 had the checkbox "Firewall" on
and in my node I set a firewall rule to vmbr0 to allow all
This made it start to work.
Note: Meanwhile, the firewall is disabled in my cluster and node. When I go to Network > Options, Firewall is set to "No".

I personally think that the firewall rules can be streamlined as right now there are so many places for it and it is hard for me to understand where rules will apply or not.

Hope this helps!
 
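As an added check (not code from the thread or from Proxmox) for exactly the mismatch the posts above circle around: a container NIC carrying firewall=1 while the container-level firewall is still off, in which case the interface flag alone does nothing. It assumes the standard /etc/pve/lxc/<vmid>.conf and /etc/pve/firewall/<vmid>.fw layouts and uses constructed sample files for a hypothetical container 101.

```shell
# Added example, not code from the thread or from Proxmox. Assumed layouts
# (standard PVE paths; the sample content below is constructed):
#   /etc/pve/lxc/<vmid>.conf    -> net0: name=eth0,bridge=vmbr0,firewall=1,...
#   /etc/pve/firewall/<vmid>.fw -> [OPTIONS] section containing "enable: 1"
# Returns 0 when consistent, 1 when a NIC has firewall=1 but the container
# firewall is not enabled (rules on that NIC will not take effect).

check_ct_firewall() {
    conf="$1"   # container config file
    fw="$2"     # per-container firewall file (may be absent)
    # Interfaces whose netN line carries firewall=1.
    flagged=$(grep -E '^net[0-9]+:' "$conf" | grep -E '(,|: )firewall=1(,|$)' | cut -d: -f1 || true)
    if [ -z "$flagged" ]; then
        echo "no interface has firewall=1; nothing to check"
        return 0
    fi
    names=$(printf '%s' "$flagged" | tr '\n' ' ')
    # The container firewall counts as enabled only with "enable: 1" under [OPTIONS].
    if [ -f "$fw" ] && awk '/^\[/{s=$0} s=="[OPTIONS]" && /^enable:[ \t]*1[ \t]*$/{f=1} END{exit !f}' "$fw"; then
        echo "ok: container firewall enabled, rules apply on: $names"
        return 0
    fi
    echo "WARNING: firewall=1 on $names but container firewall is not enabled ($fw)"
    return 1
}

# Constructed sample files for a hypothetical container 101.
demo_dir=$(mktemp -d)
cat > "$demo_dir/101.conf" <<'EOF'
arch: amd64
hostname: samba
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:00:00:01,ip=dhcp,type=veth
net1: name=eth1,bridge=vmbr1,hwaddr=BC:24:11:00:00:02,ip=dhcp,type=veth
EOF
cat > "$demo_dir/101.fw" <<'EOF'
[OPTIONS]
enable: 0

[RULES]
IN ACCEPT -p tcp -dport 445
EOF

if check_ct_firewall "$demo_dir/101.conf" "$demo_dir/101.fw"; then
    echo "rules on eth0 are active"
else
    echo "fix: set 'enable: 1' under [OPTIONS] in 101.fw (Firewall > Options in the GUI)"
fi
```

Run it against the real paths for each container ID to find NICs whose firewall flag is set without the container firewall being switched on.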