Hello,
I have a strange firewall related issue and found a solution which consists in deleting one iptables rule that is placed in chain PVEFW-FORWARD.
The problem this rule causes is that it prevents two VMs running on the very same host to some degree from talking to one another with activated pve cluster firewall. This does not happen when the two VMs are running on different hosts; it only happens when both are on the very same pve host and only when the firewall is active. Deactivating the firewall solves the problem, and migrating the two VMs to different servers also solves the problem. This problem was first observed when trying to access an svn server running in a VM from another VM, which did not work. It turned out that this works just fine if both VMs are on different pve servers but does not work if they are on the very same one with activated firewall. The symptoms when the two VMs (say vm1 and vm2) run on the same host are as follows:
- a telnet from vm2 to vm1 is possible and I get a successful connect
- running a ping from vm2 to vm1 just works fine
- trying to run a svn checkout on vm2 from a svn server running on vm1 on port 443 simply hangs
- running a netcat client on vm2 to a netcat server on vm1 hangs (tried different ports for client and server)
Code:
root:/etc/network# iptables -L PVEFW-FORWARD --line-numbers
Chain PVEFW-FORWARD (1 references)
num target prot opt source destination
1 DROP all -- anywhere anywhere ctstate INVALID
2 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
3 PVEFW-FWBR-IN all -- anywhere anywhere PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
4 PVEFW-FWBR-OUT all -- anywhere anywhere PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
5 all -- anywhere anywhere /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */
If I remove rule number 1 from this chain everything just works with activated firewall. This rule seems to be automatically inserted by pve-firewall in some way, and it seems to me that I do not have a default way to avoid this rule, e.g. in the GUI where the cluster firewall can be managed.
Is there any "clean" way to automatically run an iptables -D command for this rule whenever the cluster-wide firewall has been started?
Any ideas how to do this?
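Before deleting a DROP rule it is worth confirming that it is actually the one eating the packets. The following is an added example, not part of the original post: it parses the output of `iptables -L PVEFW-FORWARD -v -n -x --line-numbers` (the `-v -x` flags add exact `pkts`/`bytes` counter columns in front of the target) and reports how much the `ctstate INVALID` rule's counter grows while the hang is reproduced. The sample listings and their counter values are constructed for the demonstration.

```bash
#!/bin/sh
# Added example (not from the original post). Reads the output of
#   iptables -L PVEFW-FORWARD -v -n -x --line-numbers
# on stdin and prints "<rulenum> <pkts>" for each DROP rule that matches
# "ctstate INVALID". Data rows start with a rule number; header rows do not.
invalid_drop_counters() {
    awk '$1 ~ /^[0-9]+$/ && $4 == "DROP" && /ctstate INVALID/ { print $1, $2 }'
}

# Takes two listings (before and after reproducing the svn/netcat hang) as
# strings and prints how many extra packets the INVALID rule dropped between
# them. A growing counter attributes the hang to that rule; a flat one does not.
invalid_drop_delta() {
    before=$(printf '%s\n' "$1" | invalid_drop_counters | awk '{ s += $2 } END { print s + 0 }')
    after=$(printf '%s\n' "$2" | invalid_drop_counters | awk '{ s += $2 } END { print s + 0 }')
    echo $((after - before))
}

# Constructed sample listings shaped like the chain in the post, with the
# counter columns that -v -x add. The numbers are made up.
SAMPLE_BEFORE='Chain PVEFW-FORWARD (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1          37       3256 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2      104233   88123456 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3         512      30720 PVEFW-FWBR-IN  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in fwln+ --physdev-is-bridged
4         498      29880 PVEFW-FWBR-OUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out fwln+ --physdev-is-bridged
5           0          0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw */'

SAMPLE_AFTER='Chain PVEFW-FORWARD (1 references)
num      pkts      bytes target     prot opt in     out     source               destination
1          49       4312 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2      104301   88131200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED'

# On a live host, capture the two listings with
#   iptables -L PVEFW-FORWARD -v -n -x --line-numbers
# before and after running the hanging svn checkout, then pass them here.
echo "INVALID-rule counters before: $(printf '%s\n' "$SAMPLE_BEFORE" | invalid_drop_counters)"
echo "packets dropped as INVALID during the test: $(invalid_drop_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
```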