Locked myself out as soon as I enabled the datacenter firewall

Saahib
May 2, 2021
Hi,

I have been exploring Proxmox VE for the last couple of days and finally managed to get it working the way I wanted (almost). Unlike with all the other stuff, for the firewall I decided to enable it first and read the docs to configure it later. I also had the impression that the firewall by default would not block access to the GUI, or should have some automatic mechanism to whitelist the IP from which Proxmox was first installed. My mistake.

I had just enabled the "datacenter" level firewall only, i.e. Datacenter ---> Firewall --> Options --> enable, and poof, now I can't access anything on the server. I had also changed the SSH port to something other than 22. Now I am locked out of the node. Interestingly, a few of my CTs are working (I guess those were on a different IP subnet), but those that were on the same subnet / IP range as the host are inaccessible.

I know I need to log in to rescue mode, chroot into the filesystem and then disable the firewall.

I have seen a similar thread:
https://forum.proxmox.com/threads/h...ter-lock-out-datacenter-level-firewall.60557/

So, essentially we disable the firewall temporarily, log in to the GUI and then either create proper rules or disable the datacenter firewall.

Isn't there a flag somewhere in the config to "enable" or "disable" the datacenter-level firewall, instead of stopping the firewall service altogether?
 
You can find the option in /etc/pve/firewall/cluster.fw
By default the firewall allows access from the same /24 subnet the host is in. So you should still be able to access it from a different host in the same subnet.
 
Unfortunately I don't have access to any machine on the same subnet as the host.
But I am wondering, if it blocks all traffic, then why is only the traffic of VMs on the same subnet blocked, while VMs/CTs with a different subnet on the same host are accessible?

I wish there had been some warning or confirmation prompt when a person enables the FIREWALL at host level / datacenter level.
 
Well, what did you think would happen if you enable the firewall with policy "DROP"? It's a firewall after all, not a playground.

VM/CT firewall rules are defined under the respective VM options, therefore they are unaffected by the host's rules.

Reading the documentation beforehand would probably be recommended.
https://pve.proxmox.com/wiki/Firewall

The ports needed to reach the GUI are mentioned there, by the way.
 
By default the firewall allows access from the same /24 subnet the host is in.
@mira Is there documentation about that?

Because this explains why my firewall rule to only allow 8006 IN from the PVE hosts and no one else doesn't match. I still have to have a DROP rule, even with the policy set to "REJECT".

Even the documentation says that 8006, 22, 3128 and 5900-5999 are open for the management hosts (which I translate to "members of the IP set 'management' ...") and not for the whole subnet.
But my experience says that you're absolutely right with your statement, so probably the documentation should be changed!?
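To make the two practical points of this thread concrete, the "enable" flag in /etc/pve/firewall/cluster.fw mentioned earlier and the explicit 8006 rule from a "management" IP set discussed in this post, here is an added example. It is not code from the thread or from Proxmox. It assumes the cluster.fw layout described in the PVE admin guide: an [OPTIONS] section holding "enable: 0|1", optional [IPSET name] sections, and a [RULES] section with lines such as "IN ACCEPT -source +management -p tcp -dport 8006". The sample config it writes is constructed (TEST-NET-1 addresses), and the function and file names are this example's own. Note that /etc/pve is a FUSE mount served by pmxcfs, so in a plain rescue chroot the file is only reachable once that service has been started (the linked thread covers that step).

```shell
#!/bin/sh
# Added example, not code from the thread or from Proxmox: inspect and toggle
# the datacenter-level "enable" flag in cluster.fw and check that an explicit
# GUI rule exists before turning the firewall back on. Assumes the file
# layout from the PVE admin guide: an [OPTIONS] section holding "enable: 0|1",
# optional [IPSET <name>] sections and a [RULES] section.

# Print the current "enable" value from [OPTIONS]; "0" when the key or the
# section is missing (the firewall stays off unless enabled explicitly).
fw_get_enable() {
    awk '
        /^\[/ { in_opts = /^\[OPTIONS\]/ }
        in_opts && /^enable:/ { val = $0; sub(/^enable:[ \t]*/, "", val) }
        END { print (val == "" ? "0" : val) }
    ' "$1"
}

# Set "enable" to $2 (0 or 1) inside [OPTIONS]; adds the key, or the whole
# section, when absent. Writes through the original path instead of renaming
# a temp file over it, which is the safer choice on the pmxcfs mount.
fw_set_enable() {
    file=$1; value=$2; out="$file.new.$$"
    if ! grep -q '^\[OPTIONS\]' "$file"; then
        { printf '[OPTIONS]\nenable: %s\n\n' "$value"; cat "$file"; } > "$out"
    else
        awk -v v="$value" '
            /^\[/ {
                # leaving [OPTIONS] without having seen the key: insert it
                if (in_opts && !done) { print "enable: " v; done = 1 }
                in_opts = /^\[OPTIONS\]/
            }
            in_opts && /^enable:/ { print "enable: " v; done = 1; next }
            { print }
            END { if (in_opts && !done) print "enable: " v }
        ' "$file" > "$out"
    fi
    cat "$out" > "$file" && rm -f "$out"
}

# Succeed (exit 0) only if [RULES] has an IN ACCEPT rule for TCP 8006, the
# web GUI port, so an admin outside the host's own subnet is not relying on
# the implicit local-network exception discussed in the thread.
fw_has_gui_rule() {
    awk '
        /^\[/ { in_rules = /^\[RULES\]/; next }
        in_rules && /^IN[ \t]+ACCEPT/ && /-p[ \t]+tcp/ && /-dport[ \t]+8006/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample cluster.fw (TEST-NET-1 addresses, not a real site): GUI
# and SSH allowed only from a "management" IP set, inbound policy DROP.
fw_write_sample() {
    cat > "$1" <<'EOF'
[OPTIONS]
enable: 1
policy_in: DROP
policy_out: ACCEPT

[IPSET management]
192.0.2.10
192.0.2.11

[RULES]
IN ACCEPT -source +management -p tcp -dport 8006 # web GUI
IN ACCEPT -source +management -p tcp -dport 22 # SSH
EOF
}

# Demo on a temporary file: sh fwflag.sh --demo
# On a real host the target is /etc/pve/firewall/cluster.fw, e.g.
#   fw_set_enable /etc/pve/firewall/cluster.fw 0
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    fw_write_sample "$demo"
    echo "before: enable=$(fw_get_enable "$demo")"
    fw_set_enable "$demo" 0
    echo "after:  enable=$(fw_get_enable "$demo")"
    if fw_has_gui_rule "$demo"; then
        echo "explicit GUI rule present; safe to set enable back to 1"
    else
        echo "WARNING: no explicit IN ACCEPT rule for tcp/8006"
    fi
    rm -f "$demo"
fi
```

Running it with --demo exercises the functions on the constructed file only; from a rescue chroot, once /etc/pve is mounted, the same fw_set_enable call against the live path flips the flag the original question asked about without stopping the pve-firewall service. The fw_has_gui_rule check is the pre-flight the thread wishes the GUI had: run it before setting enable back to 1 from a machine that is not on the host's own subnet.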
 
Yes, this is documented here [0] (13.2.1):
Code:
If you enable the firewall, traffic to all hosts is blocked by default. Only exceptions is WebGUI(8006) and ssh(22) from your local network.
Code:
Please open a SSH connection to one of your Proxmox VE hosts before enabling the firewall. That way you still have access to the host if something goes wrong .

Actually it is not /24, but rather what you chose for your subnet.


[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_configuration_files
 
No, it is not contrary to the wiki, as the wiki page is generated from the same source as the docs.
 
I see some logical flaws in your argumentation.

The wiki says, that 8006, 22, 3128 and 5900-5999 are open for the management hosts.
The docs say, that 8006 and 22 are open for the local network.

Even if you don't consider it contrary (which I do), it's still not the same, and first of all very misleading.
 