firewall behaviour has changed

emOne

New Member
Sep 15, 2019
Hello,

so I recently upgraded to 6.07 from 6.06 after experiencing a bug entering IPs in the firewall rules.

The way the firewall worked before was when I turned it on at a datacentre level, my PVE hypervisor (8006) would become firewalled.
I would apply my exceptions in the datacentre rules.
My nodes would not be affected by the datacentre firewall.

Now when I switch on the datacentre firewall alone it doesn't seem to be doing anything. I can still reach port 8006, ssh and probably everything else.

As a temporary solution I have activated both datacentre firewalls and the node group firewall.
This correctly deactivates port 8006 from the outside, but also blocks all ports to the individual node servers. This means I have to set exceptions for things like port 80.

Am I doing something wrong? Is this normal behaviour?
 
Hi,
to enable the firewall on the host level, both the datacenter and host firewall have to be enabled. This has been the default behavior for a long time, not just a recent change.
Further, for VMs/CTs the VM/CT firewall has to be enabled individually, as well as for the corresponding NICs. The NIC's firewall flag is now set to 'enabled' by default in the WebUI, as this is what you want in most cases, and it only applies if the VM's/CT's firewall is enabled as well anyway.
See here for more details: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#chapter_pve_firewall
 
What I mean is that I would like to have different firewall rules for the hypervisor and the nodes.

Is that possible? How?
 
I don't know if I understand you correctly, but rules defined at datacenter level are inherited by the nodes, but not by the VMs/CTs. So if you want to define rules for all the nodes, you can do that at cluster level. If you want to define rules for individual cluster nodes (hosts), you can define those at host level. Last but not least, you can define rules for individual VMs/CTs, which are independent of the rules defined for the cluster/hosts.
Please see the examples in the documentation.
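
The two replies above make three points: node rules only take effect when both the datacenter and the node firewall are enabled, datacenter rules are inherited by the nodes but not by guests, and a guest is filtered only when its own VM/CT firewall and the NIC's firewall flag are both set. The following is an added example (my code, not Proxmox's) that reads the .fw file format and reports those effective states for constructed sample files. Everything in it is constructed for illustration: the cluster.fw/host.fw/100.fw contents, VMID 100, the 203.0.113.0/24 admin network, and the rule that a missing `enable` key is reported as "not enabled" (a conservative assumption, not a statement of pve-firewall's defaults).

```python
"""Added example (not Proxmox code): read the Proxmox VE .fw file format and
report where rules take effect. All file contents below are constructed samples."""
import re
from dataclasses import dataclass, field

CLUSTER_FW = """\
# constructed /etc/pve/firewall/cluster.fw (datacenter level)
[OPTIONS]
enable: 1
policy_in: DROP

[RULES]
IN ACCEPT -source 203.0.113.0/24 -p tcp -dport 8006   # web UI, admin net only
IN SSH(ACCEPT) -source 203.0.113.0/24
|IN ACCEPT -p tcp -dport 3128   # disabled rule: leading '|'
"""
# constructed /etc/pve/nodes/<node>/host.fw and /etc/pve/firewall/100.fw
HOST_FW = "[OPTIONS]\nenable: 1\n\n[RULES]\nIN HTTP(ACCEPT)\n"
VM_100_FW = "[OPTIONS]\nenable: 1\npolicy_in: DROP\n\n[RULES]\nIN ACCEPT -p tcp -dport 443\n"
# constructed net lines from /etc/pve/qemu-server/100.conf
VM_100_CONF = ("net0: virtio=BC:24:11:00:00:01,bridge=vmbr0,firewall=1\n"
               "net1: virtio=BC:24:11:00:00:02,bridge=vmbr1\n")

@dataclass
class Rule:
    direction: str   # IN / OUT / GROUP
    action: str      # ACCEPT / DROP / REJECT (or the group name for GROUP)
    args: dict       # -source, -dest, -p, -dport, ... as written in the file
    enabled: bool    # a leading '|' marks a rule as disabled
    macro: str = ""  # e.g. "SSH" for "SSH(ACCEPT)"

@dataclass
class FwConfig:
    options: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)

def parse_rule(line):
    enabled = not line.startswith("|")
    tokens = line.lstrip("|").partition("#")[0].split()   # drop trailing comment
    if len(tokens) < 2:
        raise ValueError(f"malformed rule: {line!r}")
    m = re.fullmatch(r"([\w-]+)\(([\w-]+)\)", tokens[1])
    macro, action = (m.group(1), m.group(2)) if m else ("", tokens[1])
    args, key = {}, None
    for tok in tokens[2:]:
        if tok.startswith("-"):          # "-dport 8006" -> args["dport"] = "8006"
            key = tok[1:]
            args[key] = ""
        elif key is None:
            raise ValueError(f"value without option in rule: {line!r}")
        else:
            args[key] = tok
    return Rule(tokens[0].upper(), action, args, enabled, macro)

def parse_fw(text):
    """Read [OPTIONS] and [RULES]; [ALIASES], [IPSET ...] and [group ...] are skipped."""
    cfg, section = FwConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "OPTIONS":
            key, _, value = line.partition(":")
            cfg.options[key.strip()] = value.strip()
        elif section == "RULES":
            cfg.rules.append(parse_rule(line))
    return cfg

def is_enabled(options):
    # Conservative reading: only an explicit "enable: 1" counts. cluster.fw is off
    # by default; for host.fw and <vmid>.fw a missing key is reported as "not
    # enabled" here (an assumption; confirm with `pve-firewall compile` on a node).
    return options.get("enable", "0") == "1"

def host_firewall_active(cluster, host):
    """Node rules take effect only when the datacenter AND the node firewall are on."""
    return is_enabled(cluster.options) and is_enabled(host.options)

def effective_host_rules(cluster, host):
    """Datacenter rules are inherited by every node, host.fw rules add to them
    (listing order, not the order pve-firewall evaluates them in)."""
    if not host_firewall_active(cluster, host):
        return []
    return [r for r in cluster.rules + host.rules if r.enabled]

def vm_nic_firewalled(cluster, vm_fw, vm_conf):
    """Per NIC: datacenter firewall on, VM/CT firewall on, and firewall=1 on the NIC."""
    vm_on = is_enabled(cluster.options) and is_enabled(vm_fw.options)
    result = {}
    for raw in vm_conf.splitlines():
        m = re.match(r"(net\d+):\s*(.*)", raw.strip())
        if m:
            opts = dict(p.partition("=")[::2] for p in m.group(2).split(","))
            result[m.group(1)] = vm_on and opts.get("firewall") == "1"
    return result

if __name__ == "__main__":
    cluster = parse_fw(CLUSTER_FW)
    for text in (HOST_FW, HOST_FW.replace("enable: 1", "enable: 0")):
        host = parse_fw(text)
        print(f"host.fw {host.options}: node filtered = {host_firewall_active(cluster, host)}, "
              f"rules = {[(r.direction, r.macro or r.action, r.args) for r in effective_host_rules(cluster, host)]}")
    print("VM 100 NICs filtered:", vm_nic_firewalled(cluster, parse_fw(VM_100_FW), VM_100_CONF))
```

Run it and the second host.fw variant (datacenter on, node off) yields no effective rules at all, which is the "datacenter firewall alone doesn't seem to be doing anything" situation from the first post; with both on, the node gets the two enabled datacenter rules plus its own HTTP rule, while VM 100 is filtered only on net0, the NIC carrying firewall=1. On a real node the equivalent checks are `pve-firewall status` (is it enabled and running) and `pve-firewall compile` (prints the rule set it would install), and from outside the admin network a port scan of 22 and 8006 confirms the result rather than trusting the GUI toggles.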
 
Thank you for the input. Everything seems to be working as usual now. I am not sure why the firewall was giving me issues...

I could swear the firewall just randomly stopped working on the 6.06 version. Everything seems to be back to normal now after updating and restarting the firewall from the CLI.
 