Filip-Woj

New Member
Sep 7, 2022
1
0
1
Hello,

When the Firewall is set on default Input Policy DROP on Datacenter level, and the Firewall is enable, it does not work at all.
The server is not filtered and is fully open, just like by ACCEPT. I can easily access it from different PC, without said PC being in rules or Security Group.

What could by the issue with the Firewall or Proxmox?
 
My firewall started behaving the same way as described, except in my case the 'input policy' is set as REJECT in the datacenter level.
The firewall is not rejecting connections unless I explicitly add a rule to reject a particular IP.
In addition to reading `/var/log/pve-firewall.log`, how do we debug this issue?
 
@Dunuin thank you for pointing to that piece of documentation!
The relevant part is that the firewall allows traffic from the "management hosts".
Then, reading further I learned there is a standard IPSet called "management", which automatically adds the cluster network to the allowed IP range.

I've tried to edit this IP set on `/etc/pve/firewall/cluster.fw`, but it keeps adding the cluster network to the IPSet. What is the proper way to restrict access to a list of selected IPs?

I also don't like the idea of the whole network being part of the management hosts. How do I remove the network from this list?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!