How to disable PVE firewall after lock-out (Datacenter level firewall)

rsmvdl

Member
Jul 15, 2016
32
5
13
32
Hello,

i have a small pve cluster in place and have a misconfigured firewall so that i cannot access my hosts anymore (lock-out scenario).
I can only boot onto the rescue mode of hetzner and access my hardisk to change things but it seems that many things have changed since pve 6 and i dont know how to disable the firewall which is at datacenter level (pve datacenter)
Can please smb help me out on who i can disable the Firewall?

systemctl disable pve-firewall.service does not seem to help here.

Kind regards

P.S. Könnt auch gerne auf Deutsch schreiben, dachte so erreiche ich vllt. mehr Publikum
 
Last edited:
  • Like
Reactions: ardiankaryp
(temporarily) masking the pve-firewall service should do the trick. don't forget to unmask it again afterwards ;) pve-firewall.service is wanted by pve-guests.service, so it gets started on boot even if not enabled on its own.
 
So in general i should do:

systemctl disable pve-firewall.service
ln -s /dev/null /etc/systemd/system/pve-firewall.service
systemctl unmask pve-firewall.service

Please correct me here if im wrong?!
 
chrooting and then doing:
Code:
systemctl disable pve-firewall
systemctl mask pve-firewall

should do the trick. then after rebooting and fixing your config,
Code:
systemctl unmask pve-firewall
systemctl enable pve-firewall
systemctl start pve-firewall

should return to the defaults again.
 
Just deleted my last post i did a mistake. Now it works again... puuh many thx for your time :D
 
Sorry for bumping this old thread.

How can I disable the datacenter level firewall from rescue mode.
 
chrooting and then doing:
Code:
systemctl disable pve-firewall
systemctl mask pve-firewall

should do the trick. then after rebooting and fixing your config,
Code:
systemctl unmask pve-firewall
systemctl enable pve-firewall
systemctl start pve-firewall

should return to the defaults again.
 
@Leon Gaultier

I had to reboot on rescue mode. I so that didnot work.

This worked for me.It's same butt in rescue mode I was unable to use pve services

Code:
#mnt with rescue
#https://vmbs.uk/t/how-to-use-rescue-mode-firewall-locked-out-in-proxmox/43

lvdisplay
mount /dev/vg0/root /mnt


chroot /mnt/                 #must or wont work.  You can now run commands on your server in Rescue Mode.

ln -s /dev/null /etc/systemd/system/pve-firewall.service.    #You can mask the service what prevent it from starting.

reboot

#ping server, ssh into it , fix issue and unlink
unlink /etc/systemd/system/pve-firewall.service
#or
systemctl unmask pve-firewall.service

v4RZzBY.png
 
Last edited:
I just wanted show my appreciate for this post and thank you for all who contributed. I, like an idiot enabled the firewall on the datacenter and locked myself out. I love how a search for the solution can take less than five minutes.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!