Is PVE-Firewall required?

[jpop]

Hello All,

We have tried and failed to manage our firewall under Proxmox. We cannot use Proxmox's implementation of a firewall because quite frankly it is junk and overly confusing. When we try to install and use a firewall manager separate from Proxmox to try and take control of our node firewall we run into chain collision where effectively there are two tables. The logs show every rule being first Accepted followed immediately by a Drop. Also known as a broken firewall.

So if we really wish to move to manage our firewall with something like vuurmuur or shorewall, could someone please step by step detail which PVE services need to be disabled, and how to properly disable them? I don't want them getting re-enabled/restarted by the system at a later date.

In return for help answering my question, I will craft a complete step by step guide for implementing this type of firewall management without impacting other Proxmox functionality.

Regards,
Jeff

 

[ph0x]

I don't think that this is a supported use case.
You could, however, set up a completely exposed VM as default gateway and run the firewall inside it.

 

[spirit]

pve-firewall generated rules when it's enabled at datacenter level.

so you can stop the service or don't enable it at datacenter level.

 

[jpop]

Clearly neither of you have actually tried this and are just guessing.

Simply stopping the service in the GUI doesn't actually stop the underlying services. Bottom line, the firewall implementation sucks and gets in the way of trying to secure my nodes. There is zero enterprise quality documentation right now for the firewall and what can be found on the net is super basic.

I just don't understand how Proxmox expects us to truly secure our nodes and virtual machines/containers with the firewall they've given us.

 

[UdoB]

Well..., disabling the Paketfilter (aka "Firewall") should work. I've disabled it in the Datacenter. (I do run a router as a VM. This avoids messing around on the host in an unsupported way.)

And while it is set to "Yes" on an example host (with zero rules), this hosts tells me:

~# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

...so there is simply nothing configured

Maybe stopping the service does no clean up and does not remove some "stop"-rules. Perhaps a reboot may help. For testing things like this one wants to have a non-productive test-system...

Best regards

 

[Neobin]

Clearly neither of you have actually tried this and are just guessing.

I would say, @spirit absolutely knows what he is talking about, as the main developer of the SDN-feature [1] in Proxmox.

Without wanting to offend you, but while reading your last thread [2], maybe the problem is not on the Proxmox-side.

[1] https://forum.proxmox.com/threads/proxmox-7-0-sdn-beta-test.69655
[2] https://forum.proxmox.com/threads/lvm-storage-accidentally-deleted.114339

 

[ph0x]

If ranting around and insulting other users who offer solutions is your way of trying to get help then I wish you good luck in the future. Get your sh*t solved on your own, then.

 

[jpop]

Hey look, I only opened this post as a last ditch effort after already doing everything you suggested I try. Simply stopping the service at the Datacenter level *Does Not* stop the underlying services in the Debian operating system. We tried, it doesn't work because the Proxmox Firewall interferes with everything we do. I'm not apologizing for telling the truth, if you are offended, then you don't have to respond.

As I explained in the original post, when we attempted to use Vuurmuur to manage the underlying iptables, Proxmox, even with services stopped in the GUI, would interfere by enforcing the default DROP on the INPUT chain. So this is most definitely a Proxmox issue!

We should be able to virtualize things without this kind of interference at the firewall level. That interference actually makes systems less secure. We should be able to turn off the firewall and it actually be turned off.

 

[Docop2]

Can we know why you want to put a full server plug over internet ? Any basic structure imply to have a firewall dedicated, not a full server plug over the net. Simply buy a dedicated firewall or do a vm and assign/pass a network card to it. Proxmox is not a firewall same goes to esxi. But as open, any can put code to it.

 

[jpop]

Can we know why you want to put a full server plug over internet ? Any basic structure imply to have a firewall dedicated, not a full server plug over the net. Simply buy a dedicated firewall or do a vm and assign/pass a network card to it. Proxmox is not a firewall same goes to esxi. But as open, any can put code to it.

Proxmox is not a firewall, yes I am aware. If Proxmox were truly an ESXi alternative, then there would be no firewall at all. If Proxmox was not meant to be run on servers hosted in datacenters with direct connections to the internet, then there would be no firewall. Proxmox is structured with the datacenter in its design, you can see it right there in the tree.

You must not have experience in hosted environments, because you don't just put a dedicated firewall in front of hosted servers because most private server companies do not allow customer access to the datacenter.

Are you are suggesting that I write code to add functionality to Proxmox? Seriously? Anyways.

The current implementation of the PVE Firewall is lacking severely, which makes the servers less secure. The fact that you have to write rules multiple times is ludicrous. We should be able to disable the PVE firewall completely in favor of managing things via iptables directly or via a manager like Vuurmuur or Shorewall.

 

[Neobin]

Did you not test PVE before choosing it?
If a for you important function (and maybe even an exclusion criterion) does not fit you, why did you choose PVE in the first place?

 

[jpop]

Did you not test PVE before choosing it?
If a for you important function (and maybe even an exclusion criterion) does not fit you, why did you choose PVE in the first place?

Why don't you show me in the documentation where it says the firewall can or cannot be disabled? Nevermind, you can't do this, because that documentation does not exist.

We chose PVE because of everything else it can do. The thought was that we could manage our own firewall simply by disabling the PVE firewall services.

Due to some unknown / hidden dependency the PVE Firewall can be disabled and running at the same time:

 

[fabian]

there are two "levels" of disabling the pve-firewall, which should both allow to setup another firewall management tool without interference.
- config level (resulting in disabled, but running => no tables will be changed, no conflict should arise)
- service level (resulting in not running at all => obviously no tables will be changed either, no conflict should arise)

since you didn't give any relevant output at all (like the version you've installed, the firewall config files on the PVE side, iptables-/..-save output, errors you encounter), it's hard to tell where the problem arises.

 

[jpop]

there are two "levels" of disabling the pve-firewall, which should both allow to setup another firewall management tool without interference.
- config level (resulting in disabled, but running => no tables will be changed, no conflict should arise)
- service level (resulting in not running at all => obviously no tables will be changed either, no conflict should arise)

since you didn't give any relevant output at all (like the version you've installed, the firewall config files on the PVE side, iptables-/..-save output, errors you encounter), it's hard to tell where the problem arises.

We are running 7.2, whatever the latest is. I think we already tried service level, using systemd to disable the service, and even going so far as to modify pve-manager.service so that pve-firewall was removed as a dependency. Somehow, some way, the pve firewall was still interfering. We had Vuurmuur installed which has a live traffic view...we literally watched our rules in Vuurmuur ACCEPT, followed immediately by PVE issuing a DROP. This made it appear like there was two tables with two competing sets of rules.

Since you asked for this, here is the cluster firewall config:

[OPTIONS]

policy_in: ACCEPT
enable: 1

[RULES]

IN ACCEPT -p icmp -log nolog -icmp-type any
GROUP proxmox -i vmbr0
IN DROP -log nolog

[group proxmox]

IN ACCEPT -p udp -dport 5404:5405 -log nolog
IN ACCEPT -p tcp -dport 8006 -log nolog
IN ACCEPT -p tcp -dport 85 -log nolog
IN ACCEPT -p tcp -dport 111 -log nolog
IN ACCEPT -p tcp -dport 5900:5999 -log nolog
IN ACCEPT -p tcp -dport 22 -log nolog
IN ACCEPT -p tcp -dport 3128 -log nolog

We also use Fail2Ban on SSH, here is the cleansed output for iptables-save:

# Generated by iptables-save v1.8.7 on Mon Sep  5 15:12:17 2022
*raw
:PREROUTING ACCEPT [4096899:2629073691]
:OUTPUT ACCEPT [295346:178793848]
COMMIT
# Completed on Mon Sep  5 15:12:17 2022
# Generated by iptables-save v1.8.7 on Mon Sep  5 15:12:17 2022
*filter
:INPUT ACCEPT [140:8346]
:FORWARD ACCEPT [10221:635287]
:OUTPUT ACCEPT [90:10716]
:GROUP-proxmox-IN - [0:0]
:GROUP-proxmox-OUT - [0:0]
:PVEFW-Drop - [0:0]
:PVEFW-DropBroadcast - [0:0]
:PVEFW-FORWARD - [0:0]
:PVEFW-FWBR-IN - [0:0]
:PVEFW-FWBR-OUT - [0:0]
:PVEFW-HOST-IN - [0:0]
:PVEFW-HOST-OUT - [0:0]
:PVEFW-INPUT - [0:0]
:PVEFW-OUTPUT - [0:0]
:PVEFW-Reject - [0:0]
:PVEFW-SET-ACCEPT-MARK - [0:0]
:PVEFW-logflags - [0:0]
:PVEFW-reject - [0:0]
:PVEFW-smurflog - [0:0]
:PVEFW-smurfs - [0:0]
:PVEFW-tcpflags - [0:0]
:f2b-sshd - [0:0]
:veth100i0-IN - [0:0]
:veth100i0-OUT - [0:0]
:veth103i0-IN - [0:0]
:veth103i0-OUT - [0:0]
:veth103i1-IN - [0:0]
:veth103i1-OUT - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j f2b-sshd
-A INPUT -j PVEFW-INPUT
-A FORWARD -j PVEFW-FORWARD
-A OUTPUT -j PVEFW-OUTPUT
-A GROUP-proxmox-IN -j MARK --set-xmark 0x0/0x80000000
-A GROUP-proxmox-IN -p udp -m udp --dport 5404:5405 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -p tcp -m tcp --dport 8006 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -p tcp -m tcp --dport 85 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -p tcp -m tcp --dport 111 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -p tcp -m tcp --dport 5900:5999 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -p tcp -m tcp --dport 22 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -p tcp -m tcp --dport 3128 -g PVEFW-SET-ACCEPT-MARK
-A GROUP-proxmox-IN -m comment --comment "PVESIG:Kie2+hhlsZsVrtYe16AfvMb4DvQ"
-A GROUP-proxmox-OUT -j MARK --set-xmark 0x0/0x80000000
-A GROUP-proxmox-OUT -m comment --comment "PVESIG:tZr2a960IhOJdtNbHplv0z6TvE0"
-A PVEFW-Drop -j PVEFW-DropBroadcast
-A PVEFW-Drop -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Drop -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Drop -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Drop -p udp -m multiport --dports 135,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 137:139 -j DROP
-A PVEFW-Drop -p udp -m udp --sport 137 --dport 1024:65535 -j DROP
-A PVEFW-Drop -p tcp -m multiport --dports 135,139,445 -j DROP
-A PVEFW-Drop -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Drop -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Drop -p udp -m udp --sport 53 -j DROP
-A PVEFW-Drop -m comment --comment "PVESIG:83WlR/a4wLbmURFqMQT3uJSgIG8"
-A PVEFW-DropBroadcast -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type MULTICAST -j DROP
-A PVEFW-DropBroadcast -m addrtype --dst-type ANYCAST -j DROP
-A PVEFW-DropBroadcast -d 224.0.0.0/4 -j DROP
-A PVEFW-DropBroadcast -m comment --comment "PVESIG:NyjHNAtFbkH7WGLamPpdVnxHy4w"
-A PVEFW-FORWARD -m conntrack --ctstate INVALID -j DROP
-A PVEFW-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-FORWARD -m physdev --physdev-in fwln+ --physdev-is-bridged -j PVEFW-FWBR-IN
-A PVEFW-FORWARD -m physdev --physdev-out fwln+ --physdev-is-bridged -j PVEFW-FWBR-OUT
-A PVEFW-FORWARD -m comment --comment "PVESIG:qnNexOcGa+y+jebd4dAUqFSp5nw"
-A PVEFW-FWBR-IN -m physdev --physdev-out veth100i0 --physdev-is-bridged -j veth100i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i0 --physdev-is-bridged -j veth103i0-IN
-A PVEFW-FWBR-IN -m physdev --physdev-out veth103i1 --physdev-is-bridged -j veth103i1-IN
-A PVEFW-FWBR-IN -m comment --comment "PVESIG:1GVtyKCqPoPpVXcxuMiz5bQXcac"
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth100i0 --physdev-is-bridged -j veth100i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i0 --physdev-is-bridged -j veth103i0-OUT
-A PVEFW-FWBR-OUT -m physdev --physdev-in veth103i1 --physdev-is-bridged -j veth103i1-OUT
-A PVEFW-FWBR-OUT -m comment --comment "PVESIG:mXQMl8JJRT3Qbo8XNwsin1sfo2E"
-A PVEFW-HOST-IN -i lo -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -p igmp -j RETURN
-A PVEFW-HOST-IN -s x.x.x.x/32 -d x.x.x.x/32 -i vmbr0 -p tcp -m tcp --dport 655 -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type any -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -j GROUP-proxmox-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -s x.x.x.x/32 -d x.x.x.x/32 -i vmbr0 -p tcp -m tcp --dport 655 -j RETURN
-A PVEFW-HOST-IN -p icmp -m icmp --icmp-type any -j RETURN
-A PVEFW-HOST-IN -i vmbr0 -j GROUP-proxmox-IN
-A PVEFW-HOST-IN -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-IN -p tcp -m set --match-set PVEFW-0-management-v4 src -m tcp --dport 60000:60050 -j RETURN
-A PVEFW-HOST-IN -j RETURN
-A PVEFW-HOST-IN -m comment --comment "PVESIG:CWGHnPvCjoonuZQou6UuwIs1UTM"
-A PVEFW-HOST-OUT -o lo -j ACCEPT
-A PVEFW-HOST-OUT -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-OUT -p igmp -j RETURN
-A PVEFW-HOST-OUT -o vmbr0 -j GROUP-proxmox-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -o vmbr0 -j GROUP-proxmox-OUT
-A PVEFW-HOST-OUT -m mark --mark 0x80000000/0x80000000 -j RETURN
-A PVEFW-HOST-OUT -d x.x.x.x/29 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-OUT -d x.x.x.x/29 -p tcp -m tcp --dport 22 -j RETURN
-A PVEFW-HOST-OUT -d x.x.x.x/29 -p tcp -m tcp --dport 5900:5999 -j RETURN
-A PVEFW-HOST-OUT -d x.x.x.x/29 -p tcp -m tcp --dport 3128 -j RETURN
-A PVEFW-HOST-OUT -j RETURN
-A PVEFW-HOST-OUT -m comment --comment "PVESIG:5AwHZHZWtACMiGjfisci0I1qA58"
-A PVEFW-INPUT -j PVEFW-HOST-IN
-A PVEFW-INPUT -m comment --comment "PVESIG:+5iMmLaxKXynOB/+5xibfx7WhFk"
-A PVEFW-OUTPUT -j PVEFW-HOST-OUT
-A PVEFW-OUTPUT -m comment --comment "PVESIG:LjHoZeSSiWAG3+2ZAyL/xuEehd0"
-A PVEFW-Reject -j PVEFW-DropBroadcast
-A PVEFW-Reject -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A PVEFW-Reject -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A PVEFW-Reject -m conntrack --ctstate INVALID -j DROP
-A PVEFW-Reject -p udp -m multiport --dports 135,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 137:139 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --sport 137 --dport 1024:65535 -j PVEFW-reject
-A PVEFW-Reject -p tcp -m multiport --dports 135,139,445 -j PVEFW-reject
-A PVEFW-Reject -p udp -m udp --dport 1900 -j DROP
-A PVEFW-Reject -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A PVEFW-Reject -p udp -m udp --sport 53 -j DROP
-A PVEFW-Reject -m comment --comment "PVESIG:h3DyALVslgH5hutETfixGP08w7c"
-A PVEFW-SET-ACCEPT-MARK -j MARK --set-xmark 0x80000000/0x80000000
-A PVEFW-SET-ACCEPT-MARK -m comment --comment "PVESIG:Hg/OIgIwJChBUcWU8Xnjhdd2jUY"
-A PVEFW-logflags -j DROP
-A PVEFW-logflags -m comment --comment "PVESIG:MN4PH1oPZeABMuWr64RrygPfW7A"
-A PVEFW-reject -m addrtype --dst-type BROADCAST -j DROP
-A PVEFW-reject -s 224.0.0.0/4 -j DROP
-A PVEFW-reject -p icmp -j DROP
-A PVEFW-reject -p tcp -j REJECT --reject-with tcp-reset
-A PVEFW-reject -p udp -j REJECT --reject-with icmp-port-unreachable
-A PVEFW-reject -p icmp -j REJECT --reject-with icmp-host-unreachable
-A PVEFW-reject -j REJECT --reject-with icmp-host-prohibited
-A PVEFW-reject -m comment --comment "PVESIG:Jlkrtle1mDdtxDeI9QaDSL++Npc"
-A PVEFW-smurflog -j DROP
-A PVEFW-smurflog -m comment --comment "PVESIG:2gfT1VMkfr0JL6OccRXTGXo+1qk"
-A PVEFW-smurfs -s 0.0.0.0/32 -j RETURN
-A PVEFW-smurfs -m addrtype --src-type BROADCAST -g PVEFW-smurflog
-A PVEFW-smurfs -s 224.0.0.0/4 -g PVEFW-smurflog
-A PVEFW-smurfs -m comment --comment "PVESIG:HssVe5QCBXd5mc9kC88749+7fag"
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g PVEFW-logflags
-A PVEFW-tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g PVEFW-logflags
-A PVEFW-tcpflags -m comment --comment "PVESIG:CMFojwNPqllyqD67NeI5m+bP5mo"
-A f2b-sshd -s 61.177.173.20/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 179.43.155.196/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.50/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.35/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.98/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.108/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.37/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.49/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.36/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.53/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.52/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.51/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.48/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.47/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.46/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.173.39/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.90/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.19/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.124/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.114/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -s 61.177.172.104/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-sshd -j RETURN
-A veth100i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth100i0-IN -p udp -m udp --dport 1194 -j ACCEPT
-A veth100i0-IN -j DROP
-A veth100i0-IN -j ACCEPT
-A veth100i0-IN -m comment --comment "PVESIG:T9fcPpV5sUkjZVKe1kMzc7aYXZs"
-A veth100i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth100i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth100i0-OUT -m comment --comment "PVESIG:o0+oSK2K63BSenHYls+lolXaHvY"
-A veth103i0-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i0-IN -j ACCEPT
-A veth103i0-IN -m comment --comment "PVESIG:As6KRnNJMyq1JFx/W4bBXN/2XgI"
-A veth103i0-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i0-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i0-OUT -m comment --comment "PVESIG:lxiTwPzICA1pTgyI8Jdk0fk4G9w"
-A veth103i1-IN -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A veth103i1-IN -j ACCEPT
-A veth103i1-IN -m comment --comment "PVESIG:wTL0uExsSaDsxtY5qoB/wP8nCXA"
-A veth103i1-OUT -p udp -m udp --sport 68 --dport 67 -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -j MARK --set-xmark 0x0/0x80000000
-A veth103i1-OUT -g PVEFW-SET-ACCEPT-MARK
-A veth103i1-OUT -m comment --comment "PVESIG:0kkURfbt6WPYbDhB82s82Fb6vl8"
COMMIT
# Completed on Mon Sep  5 15:12:17 2022

Regards,
J

 

[fabian]

given your config, the firewall is not disabled (the cluster FW config is set to enabled!). if you disable it, the rules should be dropped a few seconds later (provided the firewall service is running). alternatively, disabling and masking the pve-firewall service and rebooting should also completely disable the firewall, although parts of PVE that only check the config files will then be confused by the discrepancy between config and runtime.

 

[spirit]

enable: 1 -> 0 , done

(or systemctl stop pve-firewall)