Firewall issues

Dimitar Yanakiev

New Member
Jun 30, 2018
Hello,
I have a few issues with the Proxmox firewall. I use the latest Proxmox, 5.2-1.
I have enabled the datacenter firewall.
Input policy is DROP.
Then I have three other rules to allow ssh, 8006 and reject ping.
The problem is that yougetsignal.com/tools/open-ports says that all the ports are open when they are not. How can I solve this issue?

Another thing is that after I change the firewall for a container, I need to reboot the container in order for the rule to apply. Is this normal?

I attached the Proxmox report.

Thanks.
 

Attachments

This appears to be a similar issue to mine (although I'm using an older version of PVE).

When you say "yougetsignal.com/tools/open-ports says that all the ports are open" do you mean open on the guest(s) or the host itself? I note that with me, ports are coming up (correctly) as "filtered" when I scan the host, but not the guests. So something is working, but not at the guest level.

One thing that's slightly odd is the node level. The docs say host related configuration is read from: /etc/pve/nodes/<nodename>/host.fw. But I don't have that file on my system. Do you?

Also, possibly in relation to your question about rebooting containers, the docs say:

The firewall requires a special network device setup, so you need to restart the VM/container after enabling the firewall on a network interface.

But that appears to be only when you first enable the firewall on a network device. I wonder what it means by "a special network device setup" though?