Problem Getting pve firewall to work

Awmusic12635

Feb 24, 2015
I currently have the firewall disabled. I read in the docs that both SSH and port 8006 need to be open when you enable the firewall, since by default it drops. I added the rules; however, it still seems to block access to the web console port 8006 when I enable the firewall.

What am I doing wrong?

cat /etc/pve/firewall/cluster.fw
Code:
[OPTIONS]
# enable firewall (cluster wide setting, default is disabled)
enable: 1

[RULES]
#TYPE ACTION [OPTIONS]
#TYPE MACRO(ACTION) [OPTIONS]

# -i      <INTERFACE>
# -source <SOURCE>
# -dest   <DEST>
# -p      <PROTOCOL>
# -dport  <DESTINATION_PORT>
# -sport  <SOURCE_PORT>

IN SSH(ACCEPT) -i vmbr0
IN ACCEPT -i vmbr0 -dport 8006
 
I added the rules; however, it still seems to block access to the web console port 8006 when I enable the firewall.

It's not necessary to make a rule for this. It's default.

But you can define a rule, of course. The above has a mistake; correct would be:

Code:
IN ACCEPT -i vmbr0 -p tcp -dport 8006

To see more, check

Code:
iptables-save
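
The mistake pointed out above (a port match with no `-p`) can be checked for mechanically. This is an added example, not code from the thread or from Proxmox; the function names are hypothetical, it assumes options are written as `-name value` pairs like those in the file's comment header, and it skips macro rules such as `SSH(ACCEPT)`, which the reply did not flag.

```python
# Constructed sample: the rules quoted in the thread plus the corrected rule.
SAMPLE_FW = """\
[OPTIONS]
enable: 1

[RULES]
# -p      <PROTOCOL>
IN SSH(ACCEPT) -i vmbr0
IN ACCEPT -i vmbr0 -dport 8006
IN ACCEPT -i vmbr0 -p tcp -dport 8006
"""

PORT_OPTS = {"-dport", "-sport"}


def parse_rules(text):
    """Yield (line_no, direction, action, options) for each rule in [RULES]."""
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no rule
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        if section != "RULES":
            continue  # e.g. "enable: 1" under [OPTIONS]
        tokens = line.split()
        if len(tokens) < 2:
            continue
        direction, action, rest = tokens[0], tokens[1], tokens[2:]
        # Assumption: options are "-name value" pairs, as in the file header.
        options = dict(zip(rest[0::2], rest[1::2]))
        yield line_no, direction, action, options


def ports_without_protocol(text):
    """Return (line_no, rule) for plain rules matching a port without -p."""
    findings = []
    for line_no, direction, action, options in parse_rules(text):
        is_macro = "(" in action  # SSH(ACCEPT) style rules are not checked
        if not is_macro and PORT_OPTS.intersection(options) and "-p" not in options:
            findings.append((line_no, f"{direction} {action}"))
    return findings


if __name__ == "__main__":
    for line_no, rule in ports_without_protocol(SAMPLE_FW):
        print(f"line {line_no}: '{rule}' uses a port option without -p")
```

Run against the sample, it reports only line 7, the rule from the original post; the corrected rule with `-p tcp` passes.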
 
If it is default, why when the firewall becomes enabled does the web interface become not accessible?

To be precise:

The default "allow access to portal" is only made for the main IP address, i.e. what you configured during the installation process, assigned to Proxmox's hostname. It can be found in

Code:
cat /etc/hostname
cat /etc/hosts

Moreover: you have a mistake in your firewall config file!
 
Thank you, that did solve the issue of the web panel. One final question: how do I get the firewall to work with my OpenVZ venet containers? Rules added to them seem to have no effect.
 
In general: venet0 is not a NIC as usual (also not a virtual one); it is a virtual adapter in the host used by the container. You cannot set a firewall for that.

But you can define a rule for the host instead, which will have the required effect - post the settings you tried and give a short description of the scope.
 
