firewall GUI default rule not working

BartmanEH

Sep 8, 2015
As noted in another thread (can't post links yet: forum.proxmox.com/threads/22923-pve-Firewall-Default-policy-on-node-and-VM-level-And-how-to-make-it-works-with-CT?p=117671#post117671), I concur that the default firewall rule set in Datacenter->Firewall->Options as Input policy->DROP does not work as expected. I expect this to drop any incoming connections except those I explicitly set in the Rules directly via included Security Groups. However, when I disable the Security Group rule I have for ssh, I can still connect with ssh. So I've added a general catch-all DROP rule and dragged it to be the last rule in my list because of the order of precedence in the Proxmox Firewall Rules GUI.

Has anyone else found the default Input Policy doesn't work as expected?
In fact the situation is more problematic than I thought - if I add an In->DROP rule I can't connect using Security Group rules no matter if the In->DROP rule is before or after the Security Group rule in the GUI.
[EDIT]
So I removed this catch-all DROP rule and further experimented. I get different behavior when I try to connect from the local LAN versus externally via NAT onto the LAN. When I enable the Datacenter firewall with Security Group that allows ports 8006 and 22, I cannot connect via NAT onto the LAN but I can connect via the local LAN. In fact, I can connect with ssh from the local LAN whether the Security Group includes the ssh port rule or not (disabled by unchecking it). So I am thoroughly confused about how the firewall works.
I think I can chalk this up to my inexperience working with iptables: I've removed the source port settings from my rules and I think it's working now :) Testing continues...
EDIT: I still get different behavior when connecting directly on the local LAN versus remotely via NAT onto the local LAN. When I uncheck the Security Group rule for ssh, I can connect locally with ssh but not remotely - is this expected iptables behavior? Right now I'm waiting to test again since I know there are some timeouts required for iptables rules to take effect but it's strange that the rule takes immediate effect for remote access but delayed effect or no effect for local LAN access.
EDIT: further testing shows that if I enable my Security Group rule for port 22 but set it to DROP, it blocks local LAN ssh access as expected; however, if I set it back to ACCEPT but uncheck the rule (to disable it), I can still connect on the local LAN with ssh. There seem to be default iptables rules introduced in Proxmox v3.4 to allow administration connections from the local LAN. I just don't have enough iptables experience to read the iptables -L output and understand what the pages of output mean, and I cannot figure out how these default rules differentiate between local LAN access versus remote access via NAT.
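The question the thread keeps circling back to is which rule actually decides the fate of a given connection, and why a packet from a LAN address and one arriving through NAT from outside end up with different verdicts. Pages of `iptables -L` output are hard to read by eye, but `iptables-save` output is regular enough to trace mechanically. The script below is an added example, not code from the original post or from the Proxmox project: it parses a small, constructed ruleset written in `iptables-save` syntax (built to resemble the *shape* of a host ruleset with a hook chain, a host chain, a security-group chain and a drop chain, but not the real rules pve-firewall generates), then walks a packet through the chains, following jumps and `RETURN`s, and reports the path and the final verdict. The chain names and addresses are assumptions for illustration; on a real node you would feed it the `-A`/`-P` lines from `iptables-save`, bearing in mind it only understands the handful of match options shown.

```python
"""Trace which iptables rule decides a packet's fate, from iptables-save style rules.

Added example for reading firewall output; the ruleset below is constructed and is
NOT the ruleset Proxmox VE generates.
"""
import ipaddress
import shlex

# Constructed sample: a hook chain (INPUT) jumping into a host chain, which allows
# management ports from the local network, then consults a security-group chain,
# and finally jumps to a chain that drops everything else.
SAMPLE_RULES = """
-P INPUT ACCEPT
-A INPUT -j PVEFW-INPUT
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -s 192.168.1.0/24 -p tcp -m tcp --dport 8006 -j ACCEPT
-A PVEFW-HOST-IN -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A PVEFW-HOST-IN -j GROUP-admin
-A PVEFW-HOST-IN -j PVEFW-Drop
-A GROUP-admin -p tcp -m tcp --dport 8006 -j ACCEPT
-A GROUP-admin -j RETURN
-A PVEFW-Drop -j DROP
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Return (chains, policies): chain name -> ordered rules, built-in chain -> policy."""
    chains, policies = {}, {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":                       # default policy of a built-in chain
            policies[tok[1]] = tok[2]
            chains.setdefault(tok[1], [])
            continue
        if tok[0] != "-A":                       # only appended rules are traced
            continue
        rule = {"chain": tok[1], "src": None, "proto": None, "dport": None,
                "iface": None, "ctstate": None, "target": None}
        i = 2
        while i < len(tok):
            opt, arg = tok[i], tok[i + 1]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(arg)
            elif opt == "-p":
                rule["proto"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "--ctstate":
                rule["ctstate"] = set(arg.split(","))
            elif opt == "-j":
                rule["target"] = arg
            elif opt != "-m":                    # "-m tcp"/"-m conntrack" carry no criteria
                raise ValueError(f"unsupported option {opt!r} in: {line}")
            i += 2
        chains.setdefault(rule["chain"], []).append(rule)
    return chains, policies


def rule_matches(rule, pkt):
    """True if every criterion the rule carries is satisfied by the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.get("proto"):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    if rule["iface"] is not None and rule["iface"] != pkt.get("iface"):
        return False
    if rule["ctstate"] is not None and pkt.get("ctstate", "NEW") not in rule["ctstate"]:
        return False
    return True


def trace(chains, chain, pkt, path):
    """Walk one chain in order; return a terminal verdict, or None if the chain falls through."""
    for idx, rule in enumerate(chains.get(chain, [])):
        if not rule_matches(rule, pkt):
            continue
        path.append(f"{chain}[{idx}] -j {rule['target']}")
        if rule["target"] in TERMINAL:
            return rule["target"]
        if rule["target"] == "RETURN":           # back to the calling chain, next rule
            return None
        verdict = trace(chains, rule["target"], pkt, path)   # user-defined chain: recurse
        if verdict is not None:
            return verdict
    return None


def decide(rules_text, pkt, hook="INPUT"):
    """Return (verdict, path) for a packet entering the given built-in chain."""
    chains, policies = parse_rules(rules_text)
    path = []
    verdict = trace(chains, hook, pkt, path)
    if verdict is None:                          # nothing matched: built-in policy applies
        verdict = policies.get(hook, "ACCEPT")
        path.append(f"{hook} policy {verdict}")
    return verdict, path


if __name__ == "__main__":
    for label, pkt in [("LAN ssh", {"src": "192.168.1.50", "proto": "tcp", "dport": 22}),
                       ("NAT ssh", {"src": "203.0.113.7", "proto": "tcp", "dport": 22}),
                       ("NAT 8006", {"src": "203.0.113.7", "proto": "tcp", "dport": 8006})]:
        verdict, path = decide(SAMPLE_RULES, pkt)
        print(f"{label}: {verdict}  via  " + " -> ".join(path))
```

In this constructed ruleset the LAN ssh packet is accepted by the host chain's own management rule before the security-group chain is ever consulted, so unchecking a group rule for port 22 changes nothing for LAN clients; the NAT ssh packet fails the source-network check, falls through the group chain via `RETURN`, and reaches the drop chain. That is exactly the kind of path difference the tracer makes visible in real output.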
