LXC firewalls with nftables on Proxmox 9

TheRealHenning, Aug 21, 2025
Hello everyone,
I have just set up a fresh Proxmox 9 install, added a container and started firewalling the system. I enabled the firewall for the datacenter, the host and the container. Everything works fine except for the container firewall. I can see from the "nft list ruleset" output that the rules for the container are not added. The firewall is enabled on the virtual network adapters (2) of the LXC as well as in the configuration menu of the container firewall under options. The default input policy is drop and I have two rules allowing traffic to a specific port on the container. I was quite surprised when I saw I could connect to the ssh server on the container through its global IPv6. IPv4 is not a problem for me since I have to use NAT and without explicit rules no forwarding happens, but I guess since the set rules do not show up at all it does not work for either of the two.

Has anyone experienced the same behaviour?
 
Can you check the output of systemctl status proxmox-firewall? What does the ruleset for the container look like?
 
The container ruleset consists of two allow in rules for a port on the container with IPv4 and IPv6 respectively. I've rebooted the host a few times and realized it sometimes works and sometimes doesn't. The output of systemctl status pve-firewall does not change, but pve-firewall status always shows pending changes.

Code:
● pve-firewall.service - Proxmox VE firewall
     Loaded: loaded (/usr/lib/systemd/system/pve-firewall.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-08-22 10:06:11 CEST; 1min 5s ago
 Invocation: 0e5c797701b34e9baf656f942d4fe951
    Process: 1249 ExecStartPre=/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy (code=exited, status=0/SUCCESS)
    Process: 1254 ExecStartPre=/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy (code=exited, status=0/SUCCESS)
    Process: 1259 ExecStartPre=/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy (code=exited, status=0/SUCCESS)
    Process: 1262 ExecStart=/usr/sbin/pve-firewall start (code=exited, status=0/SUCCESS)
   Main PID: 1286 (pve-firewall)
      Tasks: 1 (limit: 38370)
     Memory: 103.5M (peak: 122.5M)
        CPU: 1.524s
     CGroup: /system.slice/pve-firewall.service
             └─1286 pve-firewall

Aug 22 10:06:10 SexyPotatoes systemd[1]: Starting pve-firewall.service - Proxmox VE firewall...
Aug 22 10:06:11 SexyPotatoes pve-firewall[1286]: starting server
Aug 22 10:06:11 SexyPotatoes systemd[1]: Started pve-firewall.service - Proxmox VE firewall.

I will try to find out why this happens. Does it maybe have to do with those pending changes?
 
The daemon for the nftables firewall is called proxmox-firewall - so you will need to check the status output of that!
 
My bad, I somehow misread that...
Here's the output:
Code:
● proxmox-firewall.service - Proxmox nftables firewall
     Loaded: loaded (/usr/lib/systemd/system/proxmox-firewall.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-08-22 10:30:24 CEST; 1min 0s ago
 Invocation: 5bb7969a57af4699bcdff97dce1a8278
   Main PID: 1243 (proxmox-firewal)
      Tasks: 1 (limit: 38370)
     Memory: 3M (peak: 8M)
        CPU: 334ms
     CGroup: /system.slice/proxmox-firewall.service
             └─1243 /usr/libexec/proxmox/proxmox-firewall start

Aug 22 10:30:24 ***** systemd[1]: Started proxmox-firewall.service - Proxmox nftables firewall.
 
What is the output of the following commands?

Code:
cat /etc/pve/firewall/<vmid>.fw

nft list ruleset

If need be, you can censor the IP addresses but please in a way that I can tell which IP addresses match and which don't!
 
Container firewall looks like this:
Code:
[OPTIONS]

policy_in: DROP
enable: 1

[RULES]

IN ACCEPT -i net0 -dest 10.0.0.50 -p udp -dport 51820 -log nolog # WireGuard
IN ACCEPT -i net1 -dest *external_container_IPv6* -p udp -dport 51820 -log nolog # WireGuard IPv6

The nftables ruleset is too long to put in the post so I attached it as a txt file.
Some of the datacenter rules are a little redundant still, but I don't think this should matter.
 

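The address in the second rule above turned out to be malformed, and a rule with an unparsable address simply never reaches the ruleset, which is easy to miss. The following checker is an added example and not Proxmox code: it parses a guest firewall file in the /etc/pve/firewall/<vmid>.fw format shown above and validates every -source/-dest value with Python's standard ipaddress module before the file is deployed. The sample file embedded in it is constructed, with a deliberately broken IPv6 address standing in for the one in the original post; the only checks it performs are that the firewall is enabled, that policy_in is DROP, and that literal addresses parse. Ipset references (+name) and alias names are skipped because the script cannot resolve them, which is an assumption of this example rather than Proxmox behaviour.

```python
"""Sanity-check a Proxmox VE guest firewall file (/etc/pve/firewall/<vmid>.fw).

Added example, not Proxmox code. It parses the [OPTIONS] and [RULES]
sections and validates every -source/-dest value with the standard
ipaddress module, so a mangled address is caught before the rule is
silently dropped from the ruleset. Assumption: only literal addresses and
CIDRs are checked; ipset (+name) and alias references are skipped.
"""
import ipaddress
import shlex

# Constructed sample in the format shown in the thread; the second rule
# carries a deliberately malformed IPv6 address (2001:db8:::50).
SAMPLE_FW = """\
[OPTIONS]

policy_in: DROP
enable: 1

[RULES]

IN ACCEPT -i net0 -dest 10.0.0.50 -p udp -dport 51820 -log nolog # WireGuard
IN ACCEPT -i net1 -dest 2001:db8:::50 -p udp -dport 51820 -log nolog # WireGuard IPv6
"""

ADDRESS_FLAGS = {"-source", "-dest"}


def parse_fw(text):
    """Return (options, rules): options is a dict, rules a list of token lists."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        if section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            options[key.strip()] = value.strip()
        elif section == "RULES":
            rules.append(shlex.split(line))
    return options, rules


def invalid_addresses(rules):
    """Return (rule_index, flag, value) for every address value that does not parse."""
    problems = []
    for idx, tokens in enumerate(rules):
        for pos, tok in enumerate(tokens):
            if tok not in ADDRESS_FLAGS or pos + 1 >= len(tokens):
                continue
            for value in tokens[pos + 1].split(","):
                # ipset (+name) and alias names carry no '.' or ':'; skip them
                if value.startswith("+") or not any(c in value for c in ".:"):
                    continue
                try:
                    ipaddress.ip_network(value, strict=False)
                except ValueError:
                    problems.append((idx, tok, value))
    return problems


def check(text):
    """Return human-readable findings; an empty list means the file looks sane."""
    options, rules = parse_fw(text)
    findings = []
    if options.get("enable") != "1":
        findings.append("firewall not enabled for this guest (enable != 1)")
    if options.get("policy_in", "DROP").upper() != "DROP":
        findings.append("policy_in is not DROP")
    for idx, flag, value in invalid_addresses(rules):
        findings.append(f"rule {idx}: {flag} {value!r} is not a valid IP address or network")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_FW):
        print(finding)
```

Run it against a real file by replacing SAMPLE_FW with the contents of /etc/pve/firewall/<vmid>.fw; a rule that the checker flags is one that the firewall would not have been able to install either, so the finding lines point directly at what needs fixing before pve-firewall status stops reporting pending changes.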
This isn't really a valid IPv6 address, so that's most likely the issue - it seems like it would accept any IPv6 address ending in 50. What ranges are you trying to allow?

(edited since I hit enter too early)
 
Sorry, I must have screwed up my regex. It's supposed to be the container IPv6. Changed it in the original post.
 
Yes, sorry, I was slightly confused by the original post. Is SSH running on port 22? From where are you connecting to the container?
 
SSH on the host and the container are running on 22. I don't want to be able to connect to anything on the container via the external IPv6 except for the WireGuard port. SSH was just easy to test.