Proxmox Default rule Dynamic or static?

ExoNos

New Member
May 6, 2024
Hi,

I am wondering if Proxmox default rules are dynamically generated or statically defined, and if so, where are they statically defined?

I noticed at the top of my pve-host IN chain I had an Accept All from everywhere entry.

So I deleted it because it made no sense to have it at the top, and I figured it was probably a dynamically generated default, but that user-configured host.fw rules would take precedence anyway and Proxmox would just dynamically generate it again, seeing as no /etc/iptables/ folder existed and I could find no other configuration on the system with those rules hardcoded...

Well, like most things it quickly cascaded... I accidentally ran the command twice and so deleted the entry below it as well:

2 DROP 0 -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID

I then discovered that I could no longer access SSH or the GUI.

So I rebooted, figuring it would just be restored...

It wasn't.

My chain now looks like:
Code:
iptables -L PVEFW-HOST-IN -n --line-numbers
Chain PVEFW-HOST-IN (1 references)
num target prot opt source destination
1 PVEFW-smurfs 0 -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW
2 RETURN 2 -- 0.0.0.0/0 0.0.0.0/0
3 RETURN 6 -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:33265
4 RETURN 6 -- 192.168.1.0/24 192.168.1.90 tcp dpt:8006
5 RETURN 6 -- 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-management-v4 src tcp dpt:8006
6 RETURN 6 -- 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-management-v4 src tcp dpts:5900:5999
7 RETURN 6 -- 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-management-v4 src tcp dpt:3128
8 RETURN 6 -- 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-management-v4 src tcp dpt:22
9 RETURN 6 -- 0.0.0.0/0 0.0.0.0/0 match-set PVEFW-0-management-v4 src tcp dpts:60000:60050
10 PVEFW-Drop 0 -- 0.0.0.0/0 0.0.0.0/0
11 DROP 0 -- 0.0.0.0/0 0.0.0.0/0
12 0 -- 0.0.0.0/0 0.0.0.0/0 /* PVESIG:NVFPLbg2z/Vp8tNI4BAHLEIt6cc */


These:

3 RETURN 6 -- 192.168.1.0/24 0.0.0.0/0 tcp dpt:33265
4 RETURN 6 -- 192.168.1.0/24 192.168.1.90 tcp dpt:8006

are the only rules I have actually defined myself.

I have considered adding the rules to my host.fw to restore functionality, but that seems untidy, and I hate having rules in my iptables that apparently are stored nowhere, yet neither are they generated anywhere...

Can anyone shed any light on this?
 
OK, they are back, so they are dynamically generated... just not when expected, i.e. after a 'pve-firewall restart' and/or a 'service pve-firewall restart', and not even always after a reboot.... Definitely some weird voodoo with that, and it definitely makes analysing behaviour difficult.
 
OK, I made this script, which seems to make changing rules and observing their impact through trial and error more manageable.
Code:
#!/bin/bash
# Script to reload the Proxmox firewall and compare .fw files with the active iptables rules
set -eu
IPTABLES=/sbin/iptables

echo "Stopping pve-firewall service..."
systemctl stop pve-firewall

echo "Flushing all iptables rules and deleting user chains in every table..."
for table in filter nat mangle raw; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done

echo "Waiting 10 seconds for network cleanup..."
sleep 10

echo "Starting pve-firewall service..."
systemctl start pve-firewall

echo "Firewall service restarted. Comparing .fw files with active iptables rules:"

# Save the active rules to a temporary file that is removed when the script exits
rules=$(mktemp)
trap 'rm -f "$rules"' EXIT
iptables-save > "$rules"

# Loop through each .fw file in /etc/pve/firewall/ and /etc/pve/nodes/*/firewall/.
# Only IN/OUT rule lines are checked. The .fw syntax (-source, -dport) is not the
# syntax iptables-save prints (-s, --dport), so a whole rule line can never match;
# instead each rule's address and port values are looked up one by one, which is a
# coarse check (a value can also be matched by an unrelated rule).
find /etc/pve/firewall /etc/pve/nodes/*/firewall -name '*.fw' -print0 2>/dev/null |
  while IFS= read -r -d '' fwfile; do
    echo "Checking file: $fwfile"
    missing=0
    while read -r dir action opts; do
      for value in $(printf '%s\n' "$opts" | grep -oE -- '-(source|dest|dport|sport) [^ ]+' | cut -d' ' -f2); do
        if ! grep -qF -- "$value" "$rules"; then
          echo "  $dir $action $opts: value $value not found in iptables"
          missing=1
        fi
      done
    done < <(grep -E '^(IN|OUT) ' "$fwfile" || true)
    if [ "$missing" -eq 0 ]; then
      echo "All rule values in $fwfile are present in iptables."
    else
      echo "WARNING: Some rules in $fwfile are missing from iptables!"
    fi
  done

echo "Done."
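A textual grep of a host.fw file against iptables-save output cannot find a rule, because the two formats differ: host.fw writes `-source 192.168.1.0/24 -p tcp -dport 33265`, while iptables-save prints `-s 192.168.1.0/24 -p tcp -m tcp --dport 33265 -j RETURN`. The following is an added example, not code from the post above or from Proxmox, of how the comparison can be done properly: each enabled rule in the [RULES] section is translated into the flag/value tokens iptables-save would print, and a rule counts as present when some line of the chosen chain carries at least those tokens with the expected target. The sample host.fw and the sample iptables-save excerpt are constructed for the example. The ACCEPT-to-RETURN mapping follows the PVEFW-HOST-IN listing earlier in the thread; comparing other actions by their literal name, and treating every iptables-save flag as taking exactly one value, are assumptions marked in the code. Macro rules and ipset/alias sources are reported as skipped rather than guessed at.

```python
# Added example (not from the original post or from Proxmox): translate host.fw
# rules into the tokens iptables-save prints and look them up in a chain dump.
import ipaddress
import shlex

# Constructed sample host.fw (not copied from a real host).
SAMPLE_HOST_FW = """\
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -source 192.168.1.0/24 -p tcp -dport 33265 -log nolog
IN ACCEPT -source 192.168.1.0/24 -dest 192.168.1.90 -p tcp -dport 8006 -log nolog
IN SSH(ACCEPT) -source +management
|IN ACCEPT -source 10.0.0.0/8 -p tcp -dport 22
IN ACCEPT -source 192.168.1.0/24 -p udp -dport 161
"""

# Constructed iptables-save excerpt in the shape iptables-save prints (PVESIG is a placeholder).
SAMPLE_IPTABLES_SAVE = """\
*filter
:PVEFW-HOST-IN - [0:0]
-A PVEFW-HOST-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PVEFW-HOST-IN -m conntrack --ctstate INVALID -j DROP
-A PVEFW-HOST-IN -s 192.168.1.0/24 -p tcp -m tcp --dport 33265 -j RETURN
-A PVEFW-HOST-IN -s 192.168.1.0/24 -d 192.168.1.90/32 -p tcp -m tcp --dport 8006 -j RETURN
-A PVEFW-HOST-IN -j PVEFW-Drop
-A PVEFW-HOST-IN -j DROP
-A PVEFW-HOST-IN -m comment --comment "PVESIG:placeholder"
COMMIT
"""

# host.fw option -> flag iptables-save prints; -log only affects logging, not the match.
OPTION_TO_FLAG = {"-source": "-s", "-dest": "-d", "-p": "-p", "-i": "-i",
                  "-dport": "--dport", "-sport": "--sport", "-icmp-type": "--icmp-type"}
# ACCEPT shows up as RETURN in PVEFW-HOST-IN (see the listing in the thread); other
# actions are compared by their literal name, which is an assumption.
ACTION_TO_TARGET = {"ACCEPT": "RETURN"}

def parse_fw_rules(fw_text, direction="IN"):
    """Enabled rule lines of [RULES] for one direction; a leading '|' marks a disabled rule."""
    rules, section = [], None
    for line in (ln.strip() for ln in fw_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
        elif section == "RULES" and line.startswith(direction + " "):
            rules.append(line)
    return rules

def normalise_addr(value):
    """iptables-save prints a bare host as host/32; ipsets (+name) and aliases are not IPs."""
    try:
        return None if value.startswith("+") else str(ipaddress.ip_network(value, strict=False))
    except ValueError:
        return None

def fw_rule_to_expected(rule):
    """'IN ACTION -opt value ...' -> (target, {(flag, value)}), or (None, reason) if not comparable."""
    tokens = rule.split()
    if "(" in tokens[1]:
        return None, "macro rules expand to several iptables rules"
    pairs = set()
    for opt, val in zip(tokens[2::2], tokens[3::2]):
        if opt == "-log":
            continue
        if opt not in OPTION_TO_FLAG or "," in val:
            return None, f"{opt} {val} is unsupported or needs multiport"
        if opt in ("-source", "-dest"):
            val = normalise_addr(val)
            if val is None:
                return None, f"{opt} refers to an ipset or alias"
        pairs.add((OPTION_TO_FLAG[opt], val))
    return ACTION_TO_TARGET.get(tokens[1], tokens[1]), pairs

def parse_save_chain(save_text, chain):
    """Yield (target, {(flag, value)}) for every '-A <chain>' line of an iptables-save dump."""
    for line in save_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain]:
            continue
        # Assumption: every flag takes exactly one value (flags such as --syn would need care).
        flags = dict(zip(tokens[2::2], tokens[3::2]))
        target = flags.pop("-j", None)
        yield target, set(flags.items())

def check_rules(fw_text, save_text, chain="PVEFW-HOST-IN", direction="IN"):
    """Return [(rule, status)] with status 'present', 'missing' or 'skipped: <why>'."""
    active = list(parse_save_chain(save_text, chain))
    results = []
    for rule in parse_fw_rules(fw_text, direction):
        target, expected = fw_rule_to_expected(rule)
        if target is None:
            results.append((rule, "skipped: " + expected))
        elif any(t == target and expected <= pairs for t, pairs in active):
            results.append((rule, "present"))
        else:
            results.append((rule, "missing"))
    return results

if __name__ == "__main__":
    for rule, status in check_rules(SAMPLE_HOST_FW, SAMPLE_IPTABLES_SAVE):
        print(f"{status:<10} {rule}")
```

On a real host, feed check_rules the contents of /etc/pve/nodes/<node>/host.fw and the output of iptables-save instead of the two constructed samples; the subset test (expected tokens contained in the active rule's tokens) is what makes the extra `-m tcp` that iptables-save inserts harmless.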