[SOLVED] I have installed Configserver Firewall on PVE 7.1.10, need help with ports TCP UDP?

Spirog

Jan 31, 2022
Hello and thanks in advance for your help.

I have installed CSF Configserver firewall script to my server

Debian 11
PVE 7.1.10 Proxmox
Code:
proxmox-ve: 7.1-1 (running kernel: 5.13.19-4-pve)
pve-manager: 7.1-10 (running version: 7.1-10/6ddebafe)
pve-kernel-helper: 7.1-12
pve-kernel-5.13: 7.1-7
pve-kernel-5.4: 6.4-11
pve-kernel-5.13.19-4-pve: 5.13.19-9
pve-kernel-5.13.19-3-pve: 5.13.19-7
pve-kernel-5.13.19-2-pve: 5.13.19-4
pve-kernel-5.4.157-1-pve: 5.4.157-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
ceph-fuse: 15.2.15-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown: 0.8.36+pve1
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.1
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-6
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-3
libpve-guest-common-perl: 4.1-1
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.1-1
libqb0: 1.0.5-1
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.11-1
lxcfs: 4.0.11-pve1
novnc-pve: 1.3.0-2
proxmox-backup-client: 2.1.5-1
proxmox-backup-file-restore: 2.1.5-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-6
pve-cluster: 7.1-3
pve-container: 4.1-4
pve-docs: 7.1-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.3-5
pve-ha-manager: 3.3-3
pve-i18n: 2.6-2
pve-qemu-kvm: 6.1.1-2
pve-xtermjs: 4.16.0-1
qemu-server: 7.1-4
smartmontools: 7.2-pve2
spiceterm: 3.2-2
swtpm: 0.7.0~rc1+2
vncterm: 1.7-1
zfsutils-linux: 2.1.2-pve1



- I have a question on incoming/Outgoing TCP and UDP ports

I need to know what ports from Proxmox go in those ports for TCP_in TCP_out UDP_in UDP_out

and where do I need to add them for Proxmox to work correctly?
So I do not get locked out of webgui 8006 and Proxmox and all my VMs will work.

- I only use noVNC while in PVE Manager in webgui so not sure if there is anything I need to add for that?


if anyone can help me as I am new to Proxmox and a newbie in general.

I don't really understand the difference between in and out.
so not sure where to add port 8006 and any other ports that needs to be configured for Proxmox to work correctly

- I have 3 VMs running: 2 test and 1 production.

I found a link on the "Proxmox Firewall wiki" that says something about certain ports, but I am lost as a newbie,

"if someone can show me once and I learn fast "


Here are the ports I found on the wiki

Code:
Datacenter incoming/outgoing DROP/REJECT
If the input or output policy for the firewall is set to DROP or REJECT, the following traffic is still allowed for all Proxmox VE hosts in the cluster:

traffic over the loopback interface

already established connections

traffic using the IGMP protocol

TCP traffic from management hosts to port 8006 in order to allow access to the web interface

TCP traffic from management hosts to the port range 5900 to 5999 allowing traffic for the VNC web console

TCP traffic from management hosts to port 3128 for connections to the SPICE proxy

TCP traffic from management hosts to port 22 to allow ssh access

UDP traffic in the cluster network to port 5404 and 5405 for corosync

UDP multicast traffic in the cluster network

ICMP traffic type 3 (Destination Unreachable), 4 (congestion control) or 11 (Time Exceeded)

The following traffic is dropped, but not logged even with logging enabled:

TCP connections with invalid connection state

Broadcast, multicast and anycast traffic not related to corosync, i.e., not coming through port 5404 or 5405

TCP traffic to port 43

UDP traffic to ports 135 and 445

UDP traffic to the port range 137 to 139

UDP traffic from source port 137 to port range 1024 to 65535

UDP traffic to port 1900

TCP traffic to port 135, 139 and 445

UDP traffic originating from source port 53
--------------------------------------------------------------------------------------------------------------------------

and here is MY Script "CSF Configserver Firewall" information below,

need to know where to add the ports and what Proxmox Ports to add below.

These are the default ports after a fresh install. I have this off for now just in case I got locked out.
So before I turn it on, I need to add certain Proxmox ports

- but not sure which ones I need to add and where they go?

- also not sure if all the other ports below need to be there?


TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

Add your required outgoing TCP ports in the following line:

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"

Add your required incoming UDP open ports in the following line:

# Allow incoming UDP ports
UDP_IN = "20,21,53,80,443"

Add your required outgoing UDP ports in the following line:

# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"

Save and close the file then reload the CSF firewall to apply the changes:

csf -r


Thank you so much again for your time!

Kind Regards

Spiro
 
I am familiar with Configserver because I use it in all my cPanel VMs and other VPS servers that I have with cPanel, so it's just easier for me to set up.
In cPanel, when CSF Configserver is installed it automatically adds the ports, so it's automatic. In Proxmox it does not.

As I mentioned, I am a newbie to Proxmox and it looks a little overwhelming to set up your firewall. The CSF firewall has a lot of options, Country block and many other features you set in the conf file by turning them on or off,

is there any information anywhere to tell me what ports I need to add tcp_in, tcp_out and udp_in, udp_out for Proxmox to work please?
 
I see this section but not sure if this is correct for version 7.1.10 with Debian 11
https://pve.proxmox.com/wiki/Ports

Proxmox VE 4.x and later port list

  • Web interface: 8006
  • pvedaemon (listens only on 127.0.0.1): 85
  • SPICE proxy: 3128
  • sshd (used for cluster actions): 22
  • rpcbind: 111
  • corosync multicast (if you run a cluster): 5404, 5405 UDP

I do not have a cluster, single install on one server only.
Not sure if these would be the correct ports and where they would be added in the section I pointed to above in my post

tcp_in or out udp_in or out

Thank you so much for any direction

Kind Regards
Spiro
 
OK, I got it to work. Only added
  • Web interface: 8006
There were no issues. Installed and turned it on.
Had to start CSF and LFD via command line, then just restart
Code:
csf -ra
-ra stands for = Restart All

and all is good working and blocking as expected.
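
As an added example (not part of the original posts, and not CSF or Proxmox code): a pre-flight check to run before enabling CSF, which parses a csf.conf port line and reports which of the inbound Proxmox ports quoted in the thread it does not open. `TCP_IN` governs connections arriving at the host, so that is where the web interface port 8006 belongs; the function names and the `PVE_TCP_IN` table are assumptions of this example.

```python
import re

# Constructed sample: the default csf.conf port lines quoted in the first post.
SAMPLE_CONF = '''
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"
# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,587,993,995"
# Allow incoming UDP ports
UDP_IN = "20,21,53,80,443"
# Allow outgoing UDP ports
UDP_OUT = "20,21,53,113,123"
'''

# Inbound TCP ports from the Proxmox lists quoted in the thread, as inclusive
# (low, high) ranges. Trim this to the services you actually reach remotely.
PVE_TCP_IN = {
    "web interface": (8006, 8006),
    "ssh": (22, 22),
    "SPICE proxy": (3128, 3128),
    "VNC web console": (5900, 5999),
}

def parse_ports(conf_text, key):
    """Return the (low, high) ranges listed for a csf.conf key such as TCP_IN."""
    m = re.search(r'^[ \t]*%s[ \t]*=[ \t]*"([^"]*)"' % re.escape(key), conf_text, re.M)
    if m is None:
        raise KeyError(key)
    ranges = []
    for item in filter(None, (p.strip() for p in m.group(1).split(","))):
        low, _, high = item.partition(":")  # csf writes a range as low:high
        ranges.append((int(low), int(high or low)))
    return ranges

def covered(needed, ranges):
    """True if every port in needed=(low, high) falls inside some allowed range."""
    port, high = needed
    for r_low, r_high in sorted(ranges):
        if r_low <= port <= r_high:
            port = r_high + 1  # everything up to r_high is allowed, move past it
    return port > high

def missing_services(conf_text, key="TCP_IN", required=PVE_TCP_IN):
    """Names of required services whose ports the given csf.conf key does not open."""
    allowed = parse_ports(conf_text, key)
    return [name for name, rng in required.items() if not covered(rng, allowed)]

if __name__ == "__main__":
    for name in missing_services(SAMPLE_CONF):
        print("TCP_IN does not allow:", name, PVE_TCP_IN[name])
```

Pass the text of your own csf.conf to `missing_services` and a `required` table holding only the ports you use; the thread's author reports that 8006 alone was enough on a single, non-clustered host.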
 
