firewall not working on vm with firewall=1 on nic and fw on in firewall -> options

[mathx]

Set "firewall on" on in the vm Firewall -> Options tab, and in Hardware -> NIC, and restarted VM. no go. dont see any rules in iptables -L or iptables-save. I do see rules in /etc/pve/firewall/100.fw. Pve-firewall stop && start doesnt work however.

running pve-manager/3.4-6/102d4547 (running kernel: 2.6.32-39-pve)

hints?

(furthermore, manually adding rules to iptables doenst seem to work either, neither in forward or input/output chains, am i missing something about the VM networking model? does the bridge bypass the host? the rules arent interface specific.)

 

[wolfgang]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

Do you have also ther firewall turned on in DC and Node?

see https://pve.proxmox.com/wiki/Proxmox_VE_Firewall#Enabling_firewall_for_qemu_guest_and_openvz_veth

 

[mathx]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

Thanks!! Wow that's buried. Didnt think to look there. Esp when you hit the Firewall tab and it shows an empty list, and the tabs are at bottom (not anywhere near the top where Im clicking on my giant monitor ) - 2nd row of tabs would be more obvious for sub options.What's the diff between the *3* levels of firewalling, conceptually?

 

[mathx]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

uh turning on the firewall blocks :8006 webconsole?

 

[dietmar]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

uh turning on the firewall blocks :8006 webconsole?

local network is allowed, but remote access is blocked.

 

[Ovidiu]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

uh turning on the firewall blocks :8006 webconsole?

Just had the same experience - locked myself out. Now I need to find out where the config files sit, restart my remote proxmoxVE from a rescue console.
Great learning curve This really should become part of the wiki => https://pve.proxmox.com/wiki/Proxmox_VE_Firewall

 

[JBB]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

Yes, the firewall config is super confusing, and the wiki hardly helps because there are in fact three places in which the firewall can be enabled, so saying things like "enable the firewall" is misleading without saying where need to enable it. Get it wrong and you're locked out.

At very least, the wiki page should say "Do not enable the firewall at the node (top) level without setting the default rules to ACCEPT first. Doing so will lock you out!"

 

[tom]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

Yes, the firewall config is super confusing, and the wiki hardly helps because there are in fact three places in which the firewall can be enabled, so saying things like "enable the firewall" is misleading without saying where need to enable it. Get it wrong and you're locked out.

At very least, the wiki page should say "Do not enable the firewall at the node (top) level without setting the default rules to ACCEPT first. Doing so will lock you out!"

You can improve the wiki, just register yourself and add your content.

We try to make the firewall easy, but yes, in the first run its not that easy to get into it as there are multiple levels and places. But this makes it distributed and super flexible and after you got it into your brain, you will love it. At least, this was my personal experience with the firewall.

 

[Ovidiu]

Re: firewall not working on vm with firewall=1 on nic and fw on in firewall -> option

I am about to open my own thread with all my firewall related questions. If I get replies and figure it out, I will update the wiki.