ipfilter doesn't take effect

jmjosebest

Hello,

I have a VM configured with 4 IPs

1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4

I want to restrict the use of the IP: 4.4.4.4
Then, what I do is go to /etc/pve/firewall/100.fw and remove the line with the IP 4.4.4.4
But it doesn't take effect. The IP 4.4.4.4 is still pinging

Any idea what the issue is?

Thanks!!!


Code:
root@ns1001:~# cat /etc/pve/nodes/ns1001/host.fw

[OPTIONS]
enable: 1



Code:
root@ns1001:~# cat /etc/pve/firewall/cluster.fw

[OPTIONS]
policy_in: ACCEPT
enable: 1


Code:
root@ns1001:~# cat /etc/pve/firewall/100.fw

[OPTIONS]
enable: 1
macfilter: 0
ipfilter: 1
log_level_in: debug
log_level_out: debug
policy_in: ACCEPT
radv: 1

[IPSET ipfilter-net0]
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
 
Did you check the firewall checkbox on the VM NIC?
 
I had the same issue, though I recall reading that ipfilter will not stop ping due to different layer and conntrack elements. It also doesn't appear to stop inbound by way of the Proxmox GUI, only out. The GUI does not add an inbound rule.

For testing try using telnet instead of ping. Outbound should be blocked from the VM when using ipfilter.
 
> For testing try using telnet instead of ping. Outbound should be blocked from the VM when using ipfilter.

If it's an IP filter the protocol should not matter.

Anyway, HTTP requests on port 80 are still processed fine on IP 4.4.4.4. So the filter is not taking any effect.
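
An added example, not code from any poster in this thread or from Proxmox: a small check of the preconditions raised above (firewall enabled in cluster.fw and in the VM's .fw file, an ipfilter set for the NIC, and the firewall flag on the NIC itself). The sample inputs are constructed from the files shown in the first post; the `net0` line, its MAC and bridge, and the function names are assumptions.

```python
import re

# Constructed sample inputs modelled on the files shown in the thread.
CLUSTER_FW = "[OPTIONS]\npolicy_in: ACCEPT\nenable: 1\n"
VM_FW = ("[OPTIONS]\nenable: 1\nipfilter: 1\n\n"
         "[IPSET ipfilter-net0]\n1.1.1.1\n2.2.2.2\n3.3.3.3\n")
# Assumed NIC line from the VM's config file; MAC and bridge are constructed.
VM_NET0 = "net0: virtio=AA:BB:CC:DD:EE:FF,bridge=vmbr0"

def parse_fw(text):
    """Return {section name: [non-empty lines]} for a .fw file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def option(sections, key):
    """Look up 'key: value' inside the [OPTIONS] section."""
    for line in sections.get("OPTIONS", []):
        name, _, value = line.partition(":")
        if name.strip() == key:
            return value.strip()
    return None

def ipfilter_findings(cluster_fw, vm_fw, net_line, nic="net0"):
    """Return (list of problems, addresses listed in ipfilter-<nic>)."""
    cluster, vm = parse_fw(cluster_fw), parse_fw(vm_fw)
    ipset = f"IPSET ipfilter-{nic}"
    findings = []
    if option(cluster, "enable") != "1":
        findings.append("cluster.fw: firewall not enabled")
    if option(vm, "enable") != "1":
        findings.append("VM .fw: firewall not enabled")
    if ipset not in vm and option(vm, "ipfilter") != "1":
        findings.append(f"no ipfilter-{nic} set and ipfilter option off")
    # The per-NIC flag lives in the VM config, not in the .fw file.
    if "firewall=1" not in net_line.split(": ", 1)[-1].split(","):
        findings.append(f"{nic}: firewall flag not set on the NIC")
    return findings, vm.get(ipset, [])
```

With the constructed inputs, the only finding is the missing NIC flag, which is the situation the first reply asks about.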
 
