IPv4 Firewall not working - what am I missing?

jernej-isl

Oct 21, 2024
Hello all!
I have been using Proxmox since v3 but have not used its firewall yet. For now I just want to restrict access to my Proxmox node, not my VMs. I have enabled the firewall in the datacenter (with ACCEPT for input and output policy) and on the node itself. Then I put in a simple rule to drop ICMP packets. However, when I ping the host I still get a response. What am I missing here?

Code:
root@sproxmox:/etc/pve/firewall# cat cluster.fw
[OPTIONS]

enable: 1
policy_in: ACCEPT


root@proxmox:/etc/pve/nodes/proxmox# cat host.fw
[OPTIONS]

enable: 1

[RULES]

IN DROP -p icmp -log nolog
 
I think I found the reason. When I checked the status with systemctl status pve-firewall.service I found some error lines like:

Code:
Oct 22 08:54:23 proxmox pve-firewall[2360518]: status update error: iptables_restore_cmdlist: Try `iptables-res
 
Can you then post the whole output of the journal?

Code:
journalctl -b -u pve-firewall > pve-firewall.txt
 
Can you post the output of:

Code:
pve-firewall compile
iptables-save
 
Hello Stefan. Output is in the attached files. I think the main problem was a typo in host.fw (I tried to prepare and deploy the file to the server with Ansible). That typo consequently caused a configuration error and the firewall didn't start... so no wonder my testing didn't work as expected :)
Thank you for your help!
 

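
The failure in this thread (a deployed host.fw that looks enabled while pve-firewall logs `status update error` and the rules never take effect) can be caught with a post-deploy check of the journal. The following is an added example, not part of the original posts: the function names and the sample journal lines are constructed, and it assumes the short journal format shown in the thread.

```shell
#!/bin/sh
# Constructed sample in the format of `journalctl -b -u pve-firewall` output.
# These lines are NOT from the thread's attachments; error detail is a placeholder.
sample_journal() {
cat <<'EOF'
Oct 22 08:54:13 proxmox systemd[1]: Started pve-firewall.service (constructed line)
Oct 22 08:54:23 proxmox pve-firewall[2360518]: status update error: <constructed detail>
Oct 22 08:54:33 proxmox pve-firewall[2360518]: status update error: <constructed detail>
Oct 22 08:54:40 proxmox pvedaemon[1201]: unrelated text quoting status update error:
EOF
}

# Print only the "status update error" lines logged by pve-firewall itself.
# In the short journal format, field 5 is the "tag[pid]:" of the sender.
fw_update_errors() {
    awk '$5 ~ /^pve-firewall\[[0-9]+\]:$/ && index($0, "status update error:") { print }'
}

# Read journal text on stdin. Return 0 if pve-firewall logged no update errors,
# otherwise print the count and the time of the latest error and return 1.
fw_ruleset_ok() {
    errs=$(fw_update_errors)
    if [ -z "$errs" ]; then
        echo "OK: no pve-firewall status update errors"
        return 0
    fi
    count=$(printf '%s\n' "$errs" | wc -l | tr -d ' ')
    last=$(printf '%s\n' "$errs" | tail -n 1 | awk '{ print $1, $2, $3 }')
    echo "FAIL: $count status update error(s), last at $last; ruleset may not be loaded"
    return 1
}

# Demo on the constructed sample. On a real node, feed it the journal instead:
#   journalctl -b -u pve-firewall | fw_ruleset_ok
sample_journal | fw_ruleset_ok || true
```

Run as the last step of a deployment, a non-zero return flags a host.fw that was accepted as a file but is not producing a working ruleset.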