How to disable PVE firewall after lock-out (Datacenter level firewall)

rsmvdl

Jul 15, 2016
Hello,

I have a small pve cluster in place and have a misconfigured firewall, so that I cannot access my hosts anymore (lock-out scenario).
I can only boot into the rescue mode of Hetzner and access my hard disk to change things, but it seems that many things have changed since pve 6 and I don't know how to disable the firewall which is at datacenter level (pve datacenter).
Can somebody please help me out on how I can disable the firewall?

systemctl disable pve-firewall.service does not seem to help here.

Kind regards

P.S. Feel free to write in German as well; I thought I might reach a larger audience this way.
 
(temporarily) masking the pve-firewall service should do the trick. don't forget to unmask it again afterwards ;) pve-firewall.service is wanted by pve-guests.service, so it gets started on boot even if not enabled on its own.
 
So in general I should do:

systemctl disable pve-firewall.service
ln -s /dev/null /etc/systemd/system/pve-firewall.service
systemctl unmask pve-firewall.service

Please correct me here if I'm wrong?!
 
chrooting and then doing:
Code:
systemctl disable pve-firewall
systemctl mask pve-firewall

should do the trick. then after rebooting and fixing your config,
Code:
systemctl unmask pve-firewall
systemctl enable pve-firewall
systemctl start pve-firewall

should return to the defaults again.
 
Just deleted my last post, I made a mistake. Now it works again... phew, many thanks for your time :D
 
Sorry for bumping this old thread.

How can I disable the datacenter level firewall from rescue mode?
 
@Leon Gaultier

I had to reboot into rescue mode, so that did not work.

This worked for me. It's the same, but in rescue mode I was unable to use pve services.

Code:
# Mount the installed system from the rescue environment
# https://vmbs.uk/t/how-to-use-rescue-mode-firewall-locked-out-in-proxmox/43

lvdisplay                    # list the logical volumes to find the root volume
mount /dev/vg0/root /mnt

chroot /mnt/                 # required, or the next step won't work. You can now run commands on your server in rescue mode.

ln -s /dev/null /etc/systemd/system/pve-firewall.service    # mask the service, which prevents it from starting

exit                         # leave the chroot so that reboot acts on the rescue system
reboot

# ping the server, ssh into it, fix the issue and unlink
unlink /etc/systemd/system/pve-firewall.service
# or
systemctl unmask pve-firewall.service

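The two points from the thread, that `disable` is not enough because pve-guests.service wants pve-firewall.service and that the mask is just a symlink to /dev/null, as an added example that is not part of any post above and not Proxmox code. The function names and the sample tree are constructed for illustration; ROOT stands for the mounted root (/mnt in the thread), so no chroot or running systemd is needed.

```shell
#!/bin/sh
# Print "masked", "enabled" or "not-enabled" for UNIT as systemd will see it at boot.
unit_state() {
    root=$1; unit=$2
    if [ "$(readlink "$root/etc/systemd/system/$unit" 2>/dev/null)" = /dev/null ]; then
        echo masked; return 0
    fi
    for w in "$root"/etc/systemd/system/*.wants/"$unit"; do
        if [ -L "$w" ] || [ -e "$w" ]; then echo enabled; return 0; fi
    done
    echo not-enabled
}
# List units that pull UNIT in via Wants=/Requires=; "disable" does not remove these.
pulled_in_by() {
    root=$1; unit=$2
    for dir in "$root/lib/systemd/system" "$root/etc/systemd/system"; do
        [ -d "$dir" ] || continue
        grep -lE "^(Wants|Requires)=.*$unit" "$dir"/*.service 2>/dev/null || true
    done | sed 's|.*/||' | sort -u
}
# Mask UNIT as the thread does, but refuse to clobber a local unit file.
mask_unit() {
    target="$1/etc/systemd/system/$2"
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        echo "refusing: $target is a regular file, move it aside first" >&2
        return 1
    fi
    mkdir -p "$1/etc/systemd/system" && ln -sfn /dev/null "$target"
}
# Remove the mask only if the path really is the /dev/null symlink.
unmask_unit() {
    [ "$(unit_state "$1" "$2")" = masked ] && rm "$1/etc/systemd/system/$2"
    return 0
}
# Constructed sample tree standing in for the mounted root.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/lib/systemd/system" "$r/etc/systemd/system"
    printf '[Unit]\nWants=pve-firewall.service\n' > "$r/lib/systemd/system/pve-guests.service"
    printf '[Service]\nExecStart=/bin/true\n' > "$r/lib/systemd/system/pve-firewall.service"
    echo "$r"
}
ROOT=$(make_sample_root)
echo "before: $(unit_state "$ROOT" pve-firewall.service)," \
     "pulled in by: $(pulled_in_by "$ROOT" pve-firewall.service)"
mask_unit "$ROOT" pve-firewall.service
echo "after:  $(unit_state "$ROOT" pve-firewall.service)"
rm -rf "$ROOT"
```

On a real rescue system, pass the mount point instead of the sample tree, and run `unmask_unit` (or `systemctl unmask`) once the firewall rules are fixed so the host does not stay unfiltered.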
I just wanted to show my appreciation for this post and thank all who contributed. I, like an idiot, enabled the firewall on the datacenter and locked myself out. I love how a search for the solution can take less than five minutes.