[SOLVED] Firewall problems . . .

TGW

New Member
May 2, 2018
I have been reading several information sources on the firewall operation,
though I'm still having the same firewall issues:

package versions:
proxmox-ve: 5.2-2 (running kernel: 4.15.18-1-pve)
pve-manager: 5.2-5 (running version: 5.2-5/eb24855a)
pve-kernel-4.15: 5.2-4
pve-kernel-4.15.18-1-pve: 4.15.18-15
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-35
libpve-guest-common-perl: 2.0-17
libpve-http-server-perl: 2.0-9
libpve-storage-perl: 5.0-24
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 1.0.0-1
proxmox-widget-toolkit: 1.0-19
pve-cluster: 5.0-28
pve-container: 2.0-24
pve-docs: 5.2-4
pve-firewall: 3.0-13
pve-firmware: 2.0-5
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.2-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-29
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.9-pve1~bpo9

Whenever the pve-firewall is enabled (started), I lose access to the PVE GUI.
I do have security group rules created for ports 80, 443, and 8006. The datacenter
firewall is enabled and the node enabled accordingly with those security groups
implemented. On reboot of the node, I cannot access the PVE GUI until I execute
"pve-firewall stop" from a KVM on the remote server.

Current iptables:

root@xxxx:~# iptables -nL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I thought the rules created in Proxmox (through the GUI) were automatically placed into
the iptables?

What am I doing wrong here???

Thanks in advance . . .
 

TGW

New Member
May 2, 2018
Here are the contents of the following files:

cluster.fw

[OPTIONS]

policy_in: DROP
enable: 1
policy_out: ACCEPT

[RULES]

GROUP pve_gui
GROUP ssh_usr

[group pve_gui]

IN Web(ACCEPT)
IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI

[group ssh_usr]

IN ACCEPT -p tcp -dport xxxxx -sport xxxxx

[group web]

IN Web(ACCEPT)



host.fw

[OPTIONS]

nosmurfs: 1
enable: 1
ndp: 0

[RULES]

GROUP pve_gui
GROUP ssh_usr
 

Rhinox

Active Member
Sep 28, 2016
IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI
IN ACCEPT -p tcp -dport xxxxx -sport xxxxx

That might be your problem. How do you want to guarantee your web/ssh-client will use 8006 (or "xxxxx") source-port? That's virtually impossible.

Source-ports used by web/ssh-clients are random, anything between 1024 and 65k. You might restrict it more tightly (i.e. 10k-65k), but still you do not have full control. So remove those "-sport" options for incoming connections (leave only "-dport"), and you are done...

And as always: do not count on PVE-firewall! It is very "basic", and not designed to act as sole protection of PVE...
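To make the point concrete, here is an added example (not from the thread or the Proxmox project) that models how a pve-firewall host rule like the one above is matched against an incoming connection. It flattens the security groups into a plain rule list and assumes the page's cluster.fw policy_in of DROP; the rule lines and the client source port 51234 are constructed for the demonstration.

```python
# Added example: minimal model of pve-firewall IN-rule matching, to show why a
# "-sport" filter on an inbound client connection locks out the GUI.

EPHEMERAL = range(1024, 65536)   # client source-port range described in the thread

def parse_port(spec):
    """'8006' -> (8006, 8006); '10000:65535' -> (10000, 65535) (pve-firewall range syntax)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(line):
    """Parse one rule line from a .fw file, e.g.
    'IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI'.
    Only the options that appear on this page (-p, -dport, -sport) are handled."""
    words = line.split("#", 1)[0].split()
    rule = {"dir": words[0], "action": words[1], "proto": None, "dport": None, "sport": None}
    for key, val in zip(words[2::2], words[3::2]):
        if key == "-p":
            rule["proto"] = val
        elif key in ("-dport", "-sport"):
            rule[key[1:]] = parse_port(val)
    return rule

def in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def verdict(rules, proto, sport, dport, policy_in="DROP"):
    """First matching IN rule decides; otherwise [OPTIONS] policy_in applies
    (the thread's cluster.fw sets policy_in: DROP)."""
    for r in rules:
        if (r["dir"] == "IN" and r["proto"] in (None, proto)
                and in_range(r["sport"], sport) and in_range(r["dport"], dport)):
            return r["action"]
    return policy_in

def accepted_fraction(rules, dport):
    """Share of ephemeral client source ports that can reach dport under these rules."""
    hits = sum(verdict(rules, "tcp", sp, dport) == "ACCEPT" for sp in EPHEMERAL)
    return hits / len(EPHEMERAL)

# Rule sets constructed from the thread: the original line, the fix, and a tightened variant.
BROKEN = [parse_rule("IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI")]
FIXED = [parse_rule("IN ACCEPT -p tcp -dport 8006 # Proxmox GUI")]
TIGHT = [parse_rule("IN ACCEPT -p tcp -dport 8006 -sport 10000:65535 # Proxmox GUI")]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED), ("tightened", TIGHT)):
        print(f"{name}: browser from port 51234 -> {verdict(rules, 'tcp', 51234, 8006)}, "
              f"{accepted_fraction(rules, 8006):.2%} of client ports accepted")
```

With the original rule only a client that happens to use source port 8006 gets through, so under policy_in DROP the GUI is unreachable for practically every browser; dropping -sport (or widening it to a range) restores access.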
 

TGW

New Member
May 2, 2018
BAM! That nailed it! Thank you very much as this was EXTREMELY frustrating! Have a great weekend, I know I will, lol! :D

Yes, also using fail2ban and restrictive firewall settings . . .
 
Aug 16, 2019
And as always: do not count on PVE-firewall! It is very "basic", and not designed to act as sole protection of PVE...

Why is it "basic"? What other protections would you recommend? Are these for the network only, or other stuff too (key only, no password; no root login; account lockout, etc.)?

Thank you!
 
