Firewall not working followed tutorial...

[Aron Dijkstra]

Hi,

I activated the firewall on the datacenter level, set input on accept, enabled it on the Node level (no config) and enabled the firewall on the network of the VM. I created a rule (input, drop and enabled) and enabled the firewall. but still the whole node is reachable on the net.

I tested if firewalling was enabled (console: pve-firewall status) it told me that it was enabled and running.

What am i dooing wrong?

Aron

 

[wolfgang]

Hi,

have you also checked the firewall checkbox on the nic?

 

[Aron Dijkstra]

Hi,

Yes, also the NIC of the VM has Firewall enabled. I even restarted the VM to see if that makes any diffrence.
I looked at the iptables and see a whole lot of rules.

Aron

 

[wolfgang]

can you send the following files?
/etc/pve/qemu-server/<VMID>.conf
/etc/pve/nodes/<nodename>/host.fw
/etc/pve/firewall/<vmid>.fw

 

[Aron Dijkstra]

Spoiler: 101.conf

bootdisk: virtio0
cores: 1
ide2: none,media=cdrom
memory: 8192
name: testbak
net0: virtio=82:71:6F:4C:1C:C1,bridge=vmbr0,firewall=1,tag=1103
numa: 0
ostype: l26
smbios1: uuid=b824a47f-273c-435a-a8b2-3dc30260af0f
sockets: 1
virtio0: images:101/vm-101-disk-1.qcow2,size=80G

there is no host.fw only: lrm_status lxc openvz priv pve-ssl.key pve-ssl.pem qemu-server
But i just verified, the Firewall is enabled on the host. I only did not make any drop or forward configuration here.

Spoiler: 101.fw

[OPTIONS]

ipfilter: 1
enable: 1

[RULES]

IN DROP

 

[Aron Dijkstra]

I disabled the firewall on the node. and reactivated it. After that i could see the node FW configuration.

[OPTIONS]

enable: 1

But it still does not work

 

[wolfgang]

You have no rules in your VM Firewall conf.
What rules do you apply and where do you do this?
what is in the cluster.fw
/etc/pve/firewall/cluster.fw

 

[Aron Dijkstra]

Yes i have a rule in my VM config.
IN DROP it is also included in the 101.fw as described above. I'm making a test to block everything. So i know everything works.

I did make the changes at the web GUI.

Cluster.fw:
[OPTIONS]

policy_in: ACCEPT
enable: 1

[RULES]

IN ACCEPT -p tcp -dport 22
IN ACCEPT -p tcp -dport 8006

 

[wolfgang]

I missed this with DROP.
how do you test?
Because a connection what is established will stay open.

 

[Aron Dijkstra]

I came into the office now.
Before testing i checked the Input drop.
Started a ping. and no reply, after that i disabled the input drop. still no reply even after 4 minuts no reply.

 

[Aron Dijkstra]

Nobody an idea?