[SOLVED] Firewall problems . . .

[TGW]

I have been reading several information sources on the firewall operation,
though I'm still having the same firewall issues:

package versions:
proxmox-ve: 5.2-2 (running kernel: 4.15.18-1-pve)
pve-manager: 5.2-5 (running version: 5.2-5/eb24855a)
pve-kernel-4.15: 5.2-4
pve-kernel-4.15.18-1-pve: 4.15.18-15
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-35
libpve-guest-common-perl: 2.0-17
libpve-http-server-perl: 2.0-9
libpve-storage-perl: 5.0-24
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 1.0.0-1
proxmox-widget-toolkit: 1.0-19
pve-cluster: 5.0-28
pve-container: 2.0-24
pve-docs: 5.2-4
pve-firewall: 3.0-13
pve-firmware: 2.0-5
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.2-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-29
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.9-pve1~bpo9

Whenever the pve-firewall is enabled (started), I lose access to the PVE GUI.
I do have security group rules created for ports 80, 443, and 8006. The datacenter
firewall is enabled and the node enabled accordingly with those security groups
implemented. On reboot of the node, I cannot access the PVE GUI until I execute
"pve-firewall stop" from a KVM on the remote server.

Current iptables:

root@xxxx:~# iptables -nL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I thought the rules created in Promox (through the GUI) were automatically placed into
the iptables?

What am I doing wrong here???

Thanks in advance . . .

 

[TGW]

Here are the contents of the following files:

cluster.fw

[OPTIONS]

policy_in: DROP
enable: 1
policy_out: ACCEPT

[RULES]

GROUP pve_gui
GROUP ssh_usr

[group pve_gui]

IN Web(ACCEPT)
IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI

[group ssh_usr]

IN ACCEPT -p tcp -dport xxxxx -sport xxxxx

[group web]

IN Web(ACCEPT)



host.fw

[OPTIONS]

nosmurfs: 1
enable: 1
ndp: 0

[RULES]

GROUP pve_gui
GROUP ssh_usr

 

[Rhinox]

IN ACCEPT -p tcp -dport 8006 -sport 8006 # Proxmox GUI
IN ACCEPT -p tcp -dport xxxxx -sport xxxxx

That might be your problem. How do you want to guarantee your web/ssh-client will use 8006 (or "xxxxx") sorce-port? That's virtually impossible.

Source-ports used by web/ssh-clients are random, anything between 1024 and 65k. You might restrict it more tightly (i.e. 10k-65k), but still you do not have full control. So remove those "-sport" options for incomming connections (leave only "-dport"), and you are done...

And as always: do not count on PVE-firewall! It is very "basic", and not designed to act as sole protection of PVE...

 

[TGW]

BAM! That nailed it! Thank you very much as this was EXTREMELY frustrating! Have a great weekend, I know I will, lol!

Yes, also using fail2ban and restrictive firewall settings . . .

 

[Ciprian Tomoiaga]

And as always: do not count on PVE-firewall! It is very "basic", and not designed to act as sole protection of PVE...

Why is it "basic"? What other protections would you recommend? Are these for network only or other stuff too (no password only key, no root login, account lockout, etc)

Thank you!