Locked out with firewall VE 3.3

NoMed

Member
Dec 9, 2014
8
1
23
Hello,

I have a big problem with the firewall. I have configured the firewall inside an container and then activated the firewall in the config file (/etc/pve/firewall).

After reboot, it was not possible to access the node via SSH or http. I can access the container with SSH, because I have configured this. Also the other ports on the container are well. Because of this, I think I am completely locked out from the node.

I tried to boot the node into rescuemode to disable the firewall. But this was not possible, because of the missing configfile. I know, that the configuration is stores in config.db (pmxcfs). You can get a lot of information on https://pve.proxmox.com/wiki/Proxmox_Cluster_file_system_(pmxcfs)

But how can I change the configuration inside the config.db?

Thank you. Hope I can solve this.

Best regards
NoMed
 
maybe you must started pve-cluster process in rescuemode.

and change
/etc/pve/firewall/cluster.fw

HTML:
[OPTIONS]

enable: 1

to

HTML:
[OPTIONS]

enable: 0

and reboot it.

 
maybe you must started pve-cluster process in rescuemode.

and change
/etc/pve/firewall/cluster.fw

HTML:
[OPTIONS]

enable: 1

to

HTML:
[OPTIONS]

enable: 0

and reboot it.


Yes, that is what I want to do. But I can not start or install pve-cluster in rescuemode, which is bootet via netboot.

Perhaps it is possible to mount config.db manually?
 
I have solved it!

I found another way to prohibit the start of the firewall. You can remove the pve-firewall temporatly from /etc/init.d.

So I could reboot the server in normal mode and disable the firewall in /etc/pve/firewall/cluster.fw.

No I will configure the node an restart the firewall.

Thanks for the great proxmox!
 
proxmox have self recovery mode.

Thanks for this information, is there any documentation about this feature? I can not find this.

One other problem I had todey: I have now configured the firewall of the node and vm. Now can access the node via SSH also with activated firewall. But how have the firewall to be configured, to access the webfrontend of proxmox with activated firewall? I opened port 8006 tcp, http and https but can not access the webfrontend.

Thank you.
 
Thanks for this information, is there any documentation about this feature? I can not find this.

One other problem I had todey: I have now configured the firewall of the node and vm. Now can access the node via SSH also with activated firewall. But how have the firewall to be configured, to access the webfrontend of proxmox with activated firewall? I opened port 8006 tcp, http and https but can not access the webfrontend.

Thank you.

Hi,
I have add some notes in the wiki, about the management ipset.
https://pve.proxmox.com/wiki/Proxmox_VE_Firewall#Standard_IP_set_.27management.27

Simply add your ips inside the ipset, and it should be ok.
 
Hi,
I have add some notes in the wiki, about the management ipset.
https://pve.proxmox.com/wiki/Proxmox_VE_Firewall#Standard_IP_set_.27management.27

Simply add your ips inside the ipset, and it should be ok.

Thanks for this information and the notes in the wiki. I have checked and It is working very well, if you have a fixed IP or range.

Problem is, that I do not have a fixed IP at the office. So I wanted to open the proxmox gui only if needed for every IP (via SSH). With older proxmox versions we stopped the apache for this.
 
Having similar issues. I've had proxmox fw running and had a rule defined. I updated network config for additional vmbr interface and after rebooting hostnode I get locked out (can't ssh or access webgui). I've tried some of the possible solutions on this thread with no luck. Seems like the proxmox firewall is very unstable with issues.
 
I rent a debian 8 root server.
I enabled the firewall in proxmox without forwarding port 22 and 8006 - and locked me out.
So I started the rescue mode, tried to mount these hdds:

HTML:
Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 4095 2048 1M 83 Linux
/dev/sda2 4096 16005119 16001024 7,6G 82 Linux swap / Solaris
/dev/sda3 * 16005120 18006015 2000896 977M 83 Linux
/dev/sda4 18006016 1953458175 1935452160 922,9G 83 Linux

to edit the 'cluster.fw' file.

HTML:
cd /mnt/etc/pve
is working
HTML:
cd /mnt/etc/pve/firewall
ist not:
HTML:
cd:cd:6: no such file or directory: /mnt/etc/pve/firewall

I found another "solution" and was editing: '/etc/default/pve-firewall'
I changed 'START_FIREWALL=yes' into
'START_FIREWALL=no'
and was rebooting normally - didn't work.

I asked the support, but it didn't reply yet and I am in hurry.
I hope someone can help me out.

Rhutos

/edit: Someone was helping me already.
 
Last edited:
I rent a debian 8 root server.
I enabled the firewall in proxmox without forwarding port 22 and 8006 - and locked me out.
So I started the rescue mode, tried to mount these hdds:

HTML:
Device Boot Start End Sectors Size Id Type
/dev/sda1 2048 4095 2048 1M 83 Linux
/dev/sda2 4096 16005119 16001024 7,6G 82 Linux swap / Solaris
/dev/sda3 * 16005120 18006015 2000896 977M 83 Linux
/dev/sda4 18006016 1953458175 1935452160 922,9G 83 Linux

to edit the 'cluster.fw' file.

HTML:
cd /mnt/etc/pve
is working
HTML:
cd /mnt/etc/pve/firewall
ist not:
HTML:
cd:cd:6: no such file or directory: /mnt/etc/pve/firewall

I found another "solution" and was editing: '/etc/default/pve-firewall'
I changed 'START_FIREWALL=yes' into
'START_FIREWALL=no'
and was rebooting normally - didn't work.

I asked the support, but it didn't reply yet and I am in hurry.
I hope someone can help me out.

Rhutos

/edit: Someone was helping me already.
Please post your resolution!
 
Can any one here say a solution to this problem of a example for recreate the file cluster.fw
Thanks
 
OK GUYS
The solution to the problem . And you can after SSh or go to the GUI
And deactivate the firewall for ever

Start your server in recovery mode go to the partition you have mount your files
example : /mnt/etc

Edit the file rc.local
and add the line
pve-firewall stop

That need to look like this

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

pve-firewall stop

exit 0
 
OK GUYS
The solution to the problem . And you can after SSh or go to the GUI
And deactivate the firewall for ever

Start your server in recovery mode go to the partition you have mount your files
example : /mnt/etc

i used the debian/jessie standard install https://pve.proxmox.com/wiki/Install_Proxmox_VE_on_Debian_Jessie
Can you please help, where i will find the rc.local?

I found it on /etc/rc.local but that didn't bring back access to the shell or the gui.

/mnt is empty
 
first you need to login us root
and have any editor like "nano "
nano /etc/rc.local
add before exit 0 this text: pve-firewall stop
now save
Ctl +x and Y in case you use nano
and reboot the server

That is in case you have access with normal shell root in case you have mounting the server with some recovery Linux VPN ask your server provider where is mounting the files fron the recovery server normally in that case the file can be in /mnt/etc/rc.local
 
first you need to login us root
and have any editor like "nano "
nano /etc/rc.local
add before exit 0 this text: pve-firewall stop
now save
Ctl +x and Y in case you use nano
and reboot the server

That is in case you have access with normal shell root in case you have mounting the server with some recovery Linux VPN ask your server provider where is mounting the files fron the recovery server normally in that case the file can be in /mnt/etc/rc.local

i rebooted the server in recovery mode and logged in with root via shell on port 22 (usually i changed the port to something else).
i did those changes about and checked, if the file was written. the file was empty before and after i changed it, it had the new content.
then i changed back to normal mode, ended the recovery mode via the hosters gui.

i still can't access proxmox, nor the shell on my special ssh port (nor on 22).

/mnt is empty.

i forgot so say, that my proxmox version is 4.4.x or something like that. but i think that isn't relevant, right?

now i go and ask the provider. thank until then.
 
Last edited:
Saved!

The provider told me, that the recovery system is a separate Ubuntu, which will let me mount the hard disks of my server. But i have to do this manually and they provided a README in the root's home.
I could establish the software raid and mount the harddisks. WIth that, i accessed the rc.local in /mnt/etc and inserted your content.
I finished the recovery modus, the host rebooted and there we go... GUI and SSH access working again!

Thank you for your advice, this save me many hours of reinstall and almost saved my life :-)
 
Hi all.
Another happy customer :) - just to tell that gineta's solutions worked for me. Thanks.
So, for other Sorcerer's apprentices (like I felt I was this time) to know:
If you don't have iKVM access - some sort of remote VNC provided by datacenter (if you do, check this thread: https://forum.proxmox.com/threads/urgent-firewall-locked-out.33825/#post-201988), then....
  1. Get datacentre to reboot machine in rescue mode;
  2. SSH to it (and / or SFTP)
  3. Perform the changes gineta suggests (post #13)
  4. Have the data center to set the machine for normal disk boot,
  5. reboot the machine
  6. voilá. yu are back in business
  7. reconfigure the machine's proxmox firewall to accept SSH and GUI access
  8. don't forget to remove the changes you made to rc.local (check fabian's post #12 on the above linked thread).
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!