Possible Bug: Firewall Rules on LXC not applied until firewall=1 is manually set in .conf file

finsel

New Member
Apr 2, 2025

Hi everyone!

To ensure I documented the issue clearly and thoroughly, I used ChatGPT to help structure the problem, reproduce the steps, and suggest possible improvements.

Problem Summary:

When configuring a container-level firewall in the Proxmox GUI (Datacenter → CT → Firewall), outbound traffic rules (e.g., DROP OUT) do not take effect unless firewall=1 is explicitly set on the container's network interface in its config file (/etc/pve/lxc/XXX.conf).

This behavior is not clearly documented in the UI or the Proxmox wiki, and can lead users to believe that the firewall is malfunctioning, when in fact the filtering is silently disabled.

Steps to Reproduce:

  1. Create a new LXC container.
  2. Enable the firewall globally, on the node, and on the container (GUI).
  3. Add a rule in CT → Firewall → Rules:
    • Direction: OUT
    • Action: DROP
  4. Start the container and test outbound connectivity (e.g., ping 1.1.1.1).
    • Traffic is still allowed.
  5. Check container config file: firewall=1 is missing from the net0 line.
  6. Manually edit /etc/pve/lxc/XXX.conf and change:

    Code:
    net0: name=eth0,bridge=vmbr0,ip=192.168.1.10/24

    to:

    Code:
    net0: name=eth0,bridge=vmbr0,ip=192.168.1.10/24,firewall=1

  7. Restart the container: pct restart XXX
    • Firewall rules now apply correctly. Outbound traffic is blocked as expected.

Expected Behavior:

If the firewall is enabled at all levels (Datacenter, Node, CT) and rules are present in the GUI, it should either:

  • Automatically apply firewall=1 to the container’s NIC, or
  • Warn the user in the GUI or logs that firewall=1 must be manually set for rules to take effect.

Suggested Fix or Improvement:

  • Add a visual warning or validation step in the GUI when creating firewall rules for containers that do not have firewall=1 set.
  • Consider applying firewall=1 by default when enabling the firewall for an LXC container.
  • Update documentation and tooltips to make this requirement clear.

 
Do you have the nftables tech-preview enabled, or is this with the regular firewall?
 
Do you have the nftables tech-preview enabled, or is this with the regular firewall?
Regular firewall, I think... it's just at node level, right?

[ nftables (tech preview): No ]

I have [ ebtables: Yes ] at datacenter level. I don't know if it's relevant.
 
I'm having the same issue with the regular firewall (No nftables).

When I enable [Firewall: Yes] at the container level, it is not reflected in /etc/pve/lxc/<id>.conf. I must manually use
Code:
pct set <id> -net0 [....],firewall=1,[....]

One of my many new containers for which I'm trying to enable the firewall worked as expected, but the rest ran into this issue. Very strange.
 
Hi, I finally got around to looking at this - sorry:

  1. Check container config file: firewall=1 is missing from the net0 line.
  2. Manually edit /etc/pve/lxc/XXX.conf and change:

Did you manually uncheck the firewall checkbox when creating the container? Because I created some containers on my test cluster (8.4) via the Web UI and it always set the firewall option to 1 automatically, so it should be enabled by default unless you explicitly disable the checkbox.

Or did you create the containers via CLI and not the Web UI? If you create the network device / container via the CLI, then you need to explicitly enable the firewall for the network device by setting firewall=1, otherwise the setting is omitted, whereas the web UI defaults the option to 1.

Automatically apply firewall=1 to the container’s NIC, or
This is not possible, since enabling the firewall selectively for certain NICs is a valid setup. We cannot just non-transparently override settings for users. There are several valid reasons for having firewall rules configured and disabling the firewall selectively on a specific NIC.

Warn the user in the GUI or logs that firewall=1 must be manually set for rules to take effect.
Certainly something we should think about, but that might also show warnings for users that have their container set up intentionally that way, and there's not really a way to detect whether the setup is intentional or not. If you want to, you can open an enhancement request in our Bugzilla for further discussion [1].

When I enable [Firewall: Yes] at the container level, it is not reflected in /etc/pve/lxc/<id>.conf. I must manually use
This is reflected in the firewall configuration of the container, since this is the container-level setting. You should find it in /etc/pve/firewall/<ctid>.fw. Did you create the container via the Web UI or via the CLI? As mentioned above, if you create the network device via the Web UI then firewall is set to 1 by default, but with the CLI you have to explicitly enable the firewall for the NIC.

[1] https://bugzilla.proxmox.com/
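As an added example (not Proxmox code and not posted by anyone in this thread), a small POSIX shell audit that applies the distinction made in this reply: it reads the container-level switch from a <ctid>.fw file and flags netN lines in the container's .conf that lack firewall=1, printing the pct set command from earlier in the thread as the remediation. The /etc/pve paths and the "enable: 1" key under [OPTIONS] are taken from the thread; the sample files are constructed so the check runs offline.

```shell
#!/bin/sh
# Added audit example (not Proxmox's own code). Assumes the layout the thread
# describes: the container-level switch is "enable: 1" under [OPTIONS] in
# /etc/pve/firewall/<ctid>.fw, and each NIC needs firewall=1 on its netN line in
# /etc/pve/lxc/<ctid>.conf. Datacenter/node-level settings are not checked here.

# ct_firewall_enabled FWFILE -> prints 1 if [OPTIONS] contains "enable: 1", else 0
ct_firewall_enabled() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk '/^\[/ { sect = $0 }
         sect == "[OPTIONS]" && $1 == "enable:" { val = $2 }
         END { if (val == "1") print 1; else print 0 }' "$1"
}

# unfiltered_nics CONF -> prints "netN <value>" for every NIC lacking firewall=1
unfiltered_nics() {
    awk '/^net[0-9]+: / {
             key = $1; sub(/:$/, "", key)
             n = split($2, kv, ","); fw = 0
             for (i = 1; i <= n; i++) if (kv[i] == "firewall=1") fw = 1
             if (!fw) print key, $2
         }' "$1"
}

# audit_ct CONF FWFILE -> one warning per NIC whose GUI rules are silently
# ignored, plus the pct command from the thread that enables filtering on it
audit_ct() {
    ctid=$(basename "$1" .conf)
    [ "$(ct_firewall_enabled "$2")" = "1" ] || return 0  # rules not meant to apply
    unfiltered_nics "$1" | while read -r nic val; do
        echo "CT $ctid: $nic lacks firewall=1, rules in $ctid.fw are ignored on it"
        echo "  fix: pct set $ctid -$nic $val,firewall=1"
    done
}

# Constructed sample files (not from a real host) so the check runs offline.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/101.conf" <<'EOF'
hostname: ct101
net0: name=eth0,bridge=vmbr0,ip=192.168.1.10/24
net1: name=eth1,bridge=vmbr1,ip=10.0.0.10/24,firewall=1
EOF
cat > "$tmp/101.fw" <<'EOF'
[OPTIONS]
enable: 1
[RULES]
OUT DROP -log nolog
EOF
audit_ct "$tmp/101.conf" "$tmp/101.fw"
```

On a real node the same functions can be pointed at /etc/pve/lxc/<ctid>.conf and /etc/pve/firewall/<ctid>.fw for each container; only NICs that are deliberately excluded from filtering should show up.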
 
Did you manually uncheck the firewall checkbox when creating the container? Because I created some containers on my test cluster (8.4) via the Web UI and it always set the firewall option to 1 automatically, so it should be enabled by default unless you explicitly disable the checkbox.

Or did you create the containers via CLI and not the Web UI? If you create the network device / container via the CLI, then you need to explicitly enable the firewall for the network device by setting firewall=1, otherwise the setting is omitted, whereas the web UI defaults the option to 1.

Thanks for the clarification.

In my case, the containers were usually created using the scripts from https://community-scripts.github.io/ProxmoxVE/, and indeed, the firewall option is not set in the .conf file — it’s left out entirely. After creating the container with the script, if I enable the firewall via the GUI, the .conf file does not get updated to include firewall=1.

Additionally, I tested creating a container manually via the Web UI and intentionally unchecked the firewall checkbox during creation. Later, when enabling the firewall through the GUI, the firewall=1 line was still not added to the .conf file.

Hope this helps to clarify the behavior.

This is not possible, since enabling the firewall selectively for certain NICs is a valid setup. We cannot just non-transparently override settings for users. There are several valid reasons for having firewall rules configured and disabling the firewall selectively on a specific NIC.

I totally understand your point, and I agree that overriding user settings silently wouldn't be ideal.

Just to clarify, I wasn't suggesting that the firewall should be enabled unilaterally or automatically. My point was rather that when the user enables the firewall explicitly through the Web UI after the container is created, one would expect the firewall=1 line to be added to the container’s .conf file.

Currently, it seems like enabling the firewall via the GUI after creation doesn't reflect that change in the config file, which can lead to confusion — especially since the rules appear in the interface but are silently ignored unless firewall=1 is manually set.

Thanks!
 
Just to clarify, I wasn't suggesting that the firewall should be enabled unilaterally or automatically. My point was rather that when the user enables the firewall explicitly through the Web UI after the container is created, one would expect the firewall=1 line to be added to the container’s .conf file.
Not necessarily, if you have multiple network devices and intentionally disable the firewall for one, but not for the others, then this behavior would be both unexpected and undesirable. The firewall settings for the container and for the network device are separate and not tied together in any way, nor is it desirable for them to be tied together in the way described.
 
This is reflected in the firewall configuration of the container, since this is the container-level setting. You should find it in /etc/pve/firewall/<ctid>.fw. Did you create the container via the Web UI or via the CLI? As mentioned above, if you create the network device via the Web UI then firewall is set to 1 by default, but with the CLI you have to explicitly enable the firewall for the NIC.
I created the containers via Web GUI and manually disabled the firewall checkbox. Indeed /etc/pve/firewall/<ctid>.fw matches the GUI configuration exactly.

Would it be possible to read the configuration for each NIC and allow each to be toggled in the GUI?
Perhaps like this?

[x] Enable Firewall (This edits the <ctid>.fw)
[ ] NIC 1 (These edit the <ctid>.conf files)
[x] NIC 2
 