Firewall only applied after server reboot

hvascon

New Member
Feb 21, 2023
I have a fresh install of Proxmox on a single node. It only applies firewall rules (on the PVE server itself, VMs or LXCs) on reboot. (Yes, the firewall is activated on the node, datacenter, VMs etc.)

After a restart it is possible to add/remove one rule and it is applied; after that first firewall change, no more changes are applied.

Besides a full Proxmox node restart, another way to solve the issue is by doing pve-firewall stop, waiting a few minutes and then pve-firewall start. Waiting any time interval, or calling pve-firewall restart, does not solve the issue.

I can only assume the rules are correct, as they are correctly applied. The firewall service log has no errors or anything whatsoever. Does someone have any idea what could be wrong, or is it a software bug?

Installation info:
Code:
root@pve:~# pveversion -v
proxmox-ve: 7.3-1 (running kernel: 5.15.85-1-pve)
pve-manager: 7.3-6 (running version: 7.3-6/723bb6ec)
pve-kernel-helper: 7.3-4
pve-kernel-5.15: 7.3-2
pve-kernel-5.15.85-1-pve: 5.15.85-1
pve-kernel-5.15.74-1-pve: 5.15.74-1
ceph-fuse: 15.2.17-pve1
corosync: 3.1.7-pve1
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.24-pve2
libproxmox-acme-perl: 1.4.3
libproxmox-backup-qemu0: 1.3.1-1
libpve-access-control: 7.3-1
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.3-2
libpve-guest-common-perl: 4.2-3
libpve-http-server-perl: 4.1-5
libpve-storage-perl: 7.3-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 5.0.2-1
lxcfs: 5.0.3-pve1
novnc-pve: 1.3.0-3
proxmox-backup-client: 2.3.3-1
proxmox-backup-file-restore: 2.3.3-1
proxmox-mail-forward: 0.1.1-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.5.5
pve-cluster: 7.3-2
pve-container: 4.4-2
pve-docs: 7.3-1
pve-edk2-firmware: 3.20220526-1
pve-firewall: 4.2-7
pve-firmware: 3.6-3
pve-ha-manager: 3.5.1
pve-i18n: 2.8-2
pve-qemu-kvm: 7.1.0-4
pve-xtermjs: 4.16.0-1
qemu-server: 7.3-3
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.8.0~bpo11+2
vncterm: 1.7-1
zfsutils-linux: 2.1.9-pve1
 
Hi,

Do your new rules also not show up in pve-firewall compile? Please also post the specific rules that you are trying to create.
 
Hi,

I am using the Ping macro, for instance, adding or removing the rule on the datacenter or on a specific VM:
[screenshot: 1677259069865.png]

Datacenter firewall is configured to DROP all by default.

For instance, I just:
1. added a Ping accept rule on the Datacenter; the VM could not be pinged.
2. added the same rule on the VM; then the VM could be pinged.
3. then removed the rule on the VM only, and it continued pinging, as originally expected in step 1.
4. removed the rule on the Datacenter. I can still ping both the VM and the node. Not expected.
5. pve-firewall restart. I can still ping both the node and the VM.
6. rebooted the node. Now I could ping neither the node nor the VM, as expected.

(I did wait some time between each operation.)

The output of pve-firewall compile | grep "icmp " after steps 1 and 3 is exactly the same:
Code:
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-HOST-IN -p icmp -m icmp --icmp-type echo-request -j RETURN
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable

The output of pve-firewall compile | grep "icmp " after steps 5 and 6 is the same:
Code:
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
 
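Added example, not from the thread and not Proxmox code: a small POSIX shell check that compares the ruleset pve-firewall compile produces with what iptables-save / ip6tables-save report as loaded, so a situation like the one above (the compiled ruleset changes, the live behaviour does not) can be seen directly instead of inferred from ping tests. The two sample dumps inside the script are constructed from the compile outputs posted above; the function names, the iptables-save -c style [pkts:bytes] counter prefixes and the assumption that compile output lists IPv4 and IPv6 rules together are mine, not the project's.

```shell
#!/bin/sh
# Added example (not from the forum thread or from Proxmox): is the ruleset that
# "pve-firewall compile" emits the one the kernel is actually running?

# Keep only rule lines ("-A CHAIN ..."), drop indentation and any
# "[pkts:bytes] " counter prefix (iptables-save -c), sort to ignore rule order.
normalize_rules() {
    grep -E '^[[:space:]]*(\[[0-9]+:[0-9]+\] )?-A ' \
        | sed -E 's/^[[:space:]]*(\[[0-9]+:[0-9]+\] )?//' \
        | sort
}

# rules_match COMPILED_FILE LIVE_FILE [FILTER_REGEX]
# 0 if both contain the same rule lines after normalisation and optional
# filtering, 1 if they differ (the unified diff is printed), 2 on setup error.
rules_match() {
    filter="${3:-.}"
    a=$(mktemp) || return 2
    b=$(mktemp) || return 2
    normalize_rules < "$1" | { grep -E -- "$filter" || true; } > "$a"
    normalize_rules < "$2" | { grep -E -- "$filter" || true; } > "$b"
    if diff -u "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# live_check [FILTER_REGEX]: run on a PVE node. Compile output is assumed to
# carry both address families, so the live side concatenates both dumps.
live_check() {
    if ! command -v pve-firewall >/dev/null 2>&1; then
        echo "pve-firewall not found; not a PVE node" >&2
        return 2
    fi
    c=$(mktemp) || return 2
    l=$(mktemp) || return 2
    pve-firewall compile > "$c"
    { iptables-save; ip6tables-save; } > "$l"
    rules_match "$c" "$l" "${1:-.}"; rc=$?
    rm -f "$c" "$l"
    return $rc
}

# --- constructed sample data, taken from the compile dumps in the thread ---
# Compiler output while the host-level Ping rule exists (steps 1 and 3):
sample_compiled() {
    cat <<'EOF'
        -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-HOST-IN -p icmp -m icmp --icmp-type echo-request -j RETURN
        -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
        -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
        -A PVEFW-reject -p icmp -j DROP
        -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
EOF
}

# A live dump (iptables-save -c style, constructed) that never got that rule:
sample_live_stale() {
    cat <<'EOF'
*filter
:PVEFW-HOST-IN - [0:0]
[12:960] -A PVEFW-Drop -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
[3:240] -A PVEFW-Drop -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
[0:0] -A PVEFW-Reject -p icmp -m icmp --icmp-type fragmentation-needed -j ACCEPT
[0:0] -A PVEFW-Reject -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
[7:560] -A PVEFW-reject -p icmp -j DROP
[0:0] -A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
COMMIT
EOF
}

# demo_stale: compiled vs stale live dump -> returns 1, diff names the rule
demo_stale() {
    c=$(mktemp); l=$(mktemp)
    sample_compiled > "$c"; sample_live_stale > "$l"
    rules_match "$c" "$l" 'icmp'; rc=$?
    rm -f "$c" "$l"; return $rc
}

# demo_fresh: compiled vs a live dump carrying the same rules -> returns 0
demo_fresh() {
    c=$(mktemp); l=$(mktemp)
    sample_compiled > "$c"
    { echo '*filter'; sample_compiled | sed 's/^ *-A/[0:0] -A/'; echo COMMIT; } > "$l"
    rules_match "$c" "$l" 'icmp'; rc=$?
    rm -f "$c" "$l"; return $rc
}

case "${1:-}" in
    live) live_check "${2:-.}" ;;
    demo) demo_stale || echo "stale: live rules differ from compiled rules"
          demo_fresh && echo "fresh: live rules match compiled rules" ;;
esac
```

Run it with `demo` to see the constructed case, or with `live [regex]` on a node. Caveat for real nodes: iptables-save rewrites some match options (named ICMP types come back as numbers, comments are re-quoted), so restrict the comparison to the chain you changed, e.g. `live 'PVEFW-HOST-IN'`, and read the diff rather than trusting the exit status alone. Pair it with `pve-firewall status`, which reports whether the daemon is running and the firewall enabled.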
