[SOLVED] Firewall always blocks everything on LXC. IBM x3650 M2 w. onboard NIC

quasihobbyist

New Member
Dec 8, 2019
4
0
1
34
Hello!

Brief description: LXC firewall always blocks everything (outgoing as well as incoming). No problems with VMs.

Hardware: IBM X3650 M2 w. onboard NIC
Proxmox version 6.1

Network configuration:
Bridge w. 1 onboard ethernet port.
Gateway is a run of the mill home router (Asus RT-N12D1)
One sigle /24-address range
Proxmox VE static ip
VMs and LXCs have either static ip or use DHCP
No internal firewalls on the VMs or LXCs

Installed on Debian Buster by following these instructions
https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Buster

systemctl status pve-firewall gives no error messeges.

Everytime I run pve-firewall compile it ends with

Code:
iptables table raw cmdlist:

ip6tables table raw cmdlist:
detected changes

Note "detected changes". Is this normal?

Any ideas? Help appreciated

Thanks to the Proxmox team for this wonderfor piece of software!
 
Last edited:
To get help, please share your firewall config and container config.
 
Cluster firewall
/etc/pve/firewall/cluster.fw
Code:
[OPTIONS]

enable: 1

[ALIASES]

reserved-private1 10.0.0.0/8 # IANA/IETF reserved address space
xclustnet 192.168.3.0/24 # IP range of local network @ xclust
reserved-private2 192.168.0.0/16 # IANA/IETF reserved address space
vpndailin 10.8.0.0/24 # IP range of vpn dail-in

[RULES]

IN SSH(ACCEPT) -log nolog


Host firewall
/etc/pve/nodes/xbox/host.fw
Code:
[RULES]

IN SSH(ACCEPT) -log nolog
IN ACCEPT -source 127.0.0.1 -log nolog
IN REJECT -p tcp -dport 8006 -log nolog


Container firewall
/etc/pve/firewall/105.fw
Code:
[OPTIONS]

enable: 1

[RULES]

IN SSH(ACCEPT) -log nolog


Container config
/etc/pve/lxc/105.conf
Code:
arch: amd64
cores: 1
hostname: test-lxc
memory: 512
net0: bridge=vmbr0,name=eth0,ip=192.168.3.171/24,gw=192.168.3.1,firewall=1
ostype: ubuntu
rootfs: local:105/vm-105-disk-0.raw,size=8G
swap: 512
unprivileged: 1

Tank you
 
After running apt upgrade and systemctl reload pve-firewall, the problem went away. I don't understand how the update might have helped since pve-firewall was not among the packages being upgraded. Neither do I understand how systemctl reload might have helped, since complete reboots hasn't help in the past.

Anyway, problem solved!


Edit: Scratch that. It's back. Sorry for spamming
 
Last edited:
I noticed the MAC-address field in the "Network" tab of the CT:s where empty ("auto"). After setting it, the firewall started working correctly.

Former bug? New CT:s get a MAC address assigned if field is left empty/"auto". Also, changing any other setting on the problematic NICs now gives it a MAC-address.

Problem solved. Have a nice day
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!