[SOLVED] Firewall problems . . .


New Member
May 2, 2018
I have been reading several information sources on the firewall operation,
though I'm still having the same firewall issues:

package versions:
proxmox-ve: 5.2-2 (running kernel: 4.15.18-1-pve)
pve-manager: 5.2-5 (running version: 5.2-5/eb24855a)
pve-kernel-4.15: 5.2-4
pve-kernel-4.15.18-1-pve: 4.15.18-15
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-35
libpve-guest-common-perl: 2.0-17
libpve-http-server-perl: 2.0-9
libpve-storage-perl: 5.0-24
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 1.0.0-1
proxmox-widget-toolkit: 1.0-19
pve-cluster: 5.0-28
pve-container: 2.0-24
pve-docs: 5.2-4
pve-firewall: 3.0-13
pve-firmware: 2.0-5
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.2-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-29
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.9-pve1~bpo9

Whenever the pve-firewall is enabled (started), I lose access to the PVE GUI.
I do have security group rules created for ports 80, 443, and 8006. The datacenter
firewall is enabled and the node enabled accordingly with those security groups
implemented. On reboot of the node, I cannot access the PVE GUI until I execute
"pve-firewall stop" from a KVM on the remote server.

Current iptables:

root@xxxx:~# iptables -nL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I thought the rules created in Promox (through the GUI) were automatically placed into
the iptables?

What am I doing wrong here???

Thanks in advance . . .
Here are the contents of the following files:



policy_in: DROP
enable: 1
policy_out: ACCEPT


GROUP pve_gui
GROUP ssh_usr

[group pve_gui]

IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI

[group ssh_usr]

IN ACCEPT -p tcp -dport xxxxx -sport xxxxx

[group web]




nosmurfs: 1
enable: 1
ndp: 0


GROUP pve_gui
GROUP ssh_usr
IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI
IN ACCEPT -p tcp -dport xxxxx -sport xxxxx

That might be your problem. How do you want to guarantee your web/ssh-client will use 8006 (or "xxxxx") sorce-port? That's virtually impossible.

Source-ports used by web/ssh-clients are random, anything between 1024 and 65k. You might restrict it more tightly (i.e. 10k-65k), but still you do not have full control. So remove those "-sport" options for incomming connections (leave only "-dport"), and you are done...

And as always: do not count on PVE-firewall! It is very "basic", and not designed to act as sole protection of PVE...
BAM! That nailed it! Thank you very much as this was EXTREMELY frustrating! Have a great weekend, I know I will, lol! :D

Yes, also using fail2ban and restrictive firewall settings . . .
And as always: do not count on PVE-firewall! It is very "basic", and not designed to act as sole protection of PVE...

Why is it "basic"? What other protections would you recommend? Are these for network only or other stuff too (no password only key, no root login, account lockout, etc)

Thank you!


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!