ipfilter don't take effect

[jmjosebest]

Hello,

I have a VM configured with 4 IPs

1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4

I want to restrict to use the IP: 4.4.4.4
Then, what I do is go to /etc/pve/firewall/100.fw and remove the line with the IP 4.4.4.4
But don't take effect. The IP 4.4.4.4 is still pinging

Any idea about what is the issue?

Thanks!!!

root@ns1001:~# cat /etc/pve/nodes/ns1001/host.fw

[OPTIONS]
enable: 1

root@ns1001:~# cat /etc/pve/firewall/cluster.fw

[OPTIONS]
policy_in: ACCEPT
enable: 1

root@ns1001:~# cat /etc/pve/firewall/100.fw

[OPTIONS]
enable: 1
macfilter: 0
ipfilter: 1
log_level_in: debug
log_level_out: debug
policy_in: ACCEPT
radv: 1

[IPSET ipfilter-net0]
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4

 

[dcsapak]

did you check the firewall checkbox on the vm nic?

 

[poxin]

I had the same issue though I recall reading that ipfilter will not stop ping due to different layer and conntrack elements. It also doesn't appear to stop inbound by way of the proxmox gui, only out. The GUI does not add inbound rule.

For testing try using telnet instead of ping. Outbound should be blocked from the VM when using ipfilter.

 

[jmjosebest]

did you check the firewall checkbox on the vm nic?

Yes:

root@ns1001:~# cat /etc/pve/qemu-server/100.conf | grep net
net0: virtio=52:B8:6D:6D:21:59,bridge=vmbr0,firewall=1

 

[jmjosebest]

For testing try using telnet instead of ping. Outbound should be blocked from the VM when using ipfilter.

If it's a IP filter the protocol should no matter.

Anyway, http requests on port 80 are still processed fine on IP 4.4.4.4. So the filter is not taking any effect.

 

[sonuyos]

Was this ever solved? facing same issue.