Proxmox VE firewall delay

dqq

Jan 30, 2020
Hi,

We use the Proxmox firewall to manage access rights to a fleet of our CTs (70+ concurrently running CTs).

I have observed a couple of problems:

1)
- The created container has its default INPUT and OUTPUT policy set to DROP
When adding a new network card to the container with the firewall=1 parameter, we can observe that it is possible to connect to the CT for a short amount of time, after which the firewall policies start working

Question: Is it possible to make this process instantaneous? When adding a new NIC with firewall it should work from the beginning (from the first packet)

2)
- The created container has its default INPUT and OUTPUT policy set to DROP
- A new security group is inserted into the CT allowing SSH connections from another machine

Here comes the delay problem again: Sometimes we are able to connect to the CT just 1,5s after adding the accept rule to the CT, but sometimes we have to wait 30-60s for the rule to start accepting traffic to the CT

Question: Is it possible to make this process instantaneous? We would like to be able to connect to the CT within a short amount of time after adding the corresponding rule (1s-2s at most)


Thanks for help!
 
> Here comes the delay problem again: Sometimes we are able to connect to the CT just 1,5s after adding the accept rule to the CT, but sometimes we have to wait 30-60s for the rule to start accepting traffic to the CT
>
> Question: Is it possible to make this process instantaneous? We would like to be able to connect to the CT within a short amount of time after adding the corresponding rule (1s-2s at most)

This is strange, the pve-firewall daemon updates rules every 10s at most

Code:
/usr/share/perl5/PVE/Service/pve_firewall.pm
...
my $updatetime = 10;

You can try to edit this file, reduce the updatetime value and restart the pve-firewall service.

Currently, there is no pve-firewall command to force generation of the rules
 
> This is strange, the pve-firewall daemon updates rules every 10s at most
>
> Code:
> /usr/share/perl5/PVE/Service/pve_firewall.pm
> ...
> my $updatetime = 10;
>
> You can try to edit this file, reduce the updatetime value and restart the pve-firewall service.
>
> Currently, there is no pve-firewall command to force generation of the rules

@spirit - is it some sort of hack, or is it the designed/intended way?

The worst is that firewall rules are not enforced for some period of time upon creation of a NIC with firewall enabled, which in turn does not guarantee any protection between adding the NIC and the firewall rules being applied - even the default ones, created during CT creation
 
> @spirit - is it some sort of hack, or is it the designed/intended way?

The daemon updates every 10s to avoid too much CPU usage.

> The worst is that firewall rules are not enforced for some period of time upon creation of a NIC with firewall enabled, which in turn does not guarantee any protection between adding the NIC and the firewall rules being applied - even the default ones, created during CT creation

But yes, it could be a problem. (For live migration, for example, firewall rules are not updated until the VM configuration file is moved.)
Maybe you could file a request at bugzilla.proxmox.com? (Maybe something like: "apply firewall rules on vm/ct start && nic hotplug")
 
@spirit - no change, still waiting ~10s for SSH.

Is it maybe another part of the system that is running 10s cycles, for example IP assignment to the CT?
 
You also might want to select the advanced button when adding the NIC and uncheck the "connected" button. That way your NIC is not connected to the network yet. Create your FW rules, then go back and connect the NIC to the network.
This is my process for VMs, though I have not tested whether there is a lag time when doing so.

Note: this will not work for CT because there is no "disconnect" feature. In that case, you might be able to apply a "bridge to nowhere" or put in a non-existent VLAN temporarily until you get the FW rules built.

John
 
@Jonesy we use the Proxmox HTTP API for managing our cluster. If you want to add a NIC without an IP and assign it an IP after that, you have to make 2 separate HTTP requests that define the full NIC properties - therefore it will not work (basically you add the NIC again during IP assignment)
 
@dqq what if you give it an internal bridge, then switch it later? Or give it a VLAN that does not allow traffic, then switch it later? Would either of those work without re-creating the NIC? Just some ideas. Many times when setting up a CT I assign it to my storage VLAN, then after everything looks good I change the VLAN to the external network, if that is what is needed.

John
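One way to script John's "bridge to nowhere" idea over the HTTP API that dqq uses, so the CT's NIC only reaches the real bridge after pve-firewall has had a full update cycle (spirit's $updatetime = 10) to compile the DROP policy and the security groups. This is an added example, not code from the thread or from Proxmox: `call` is an assumed injectable API client, the quarantine bridge vmbr99 and the CT values are constructed placeholders, and it assumes (John's open question) that re-sending the NIC with only the bridge changed does not reopen the unfiltered window.

```python
import time

# Added example (not from the thread). call(method, path, params) is an
# injectable API client, e.g. a thin wrapper around requests against
# https://<node>:8006/api2/json (assumed). Endpoint paths and parameter
# names are the standard PVE firewall/config ones; vmbr99 is a constructed
# placeholder for a Linux bridge with no uplink port.

UPDATETIME = 10                # $updatetime in pve_firewall.pm (spirit's post)
QUARANTINE_BRIDGE = "vmbr99"   # assumed bridge with no physical port attached


def nic_string(bridge, ip, gw):
    """Full net0 definition; PVE replaces the whole NIC on each PUT (dqq's point)."""
    return f"name=eth0,bridge={bridge},ip={ip},gw={gw},firewall=1"


def provision(call, node, vmid, bridge, ip, gw, groups, sleep=time.sleep, margin=2):
    """Attach the NIC quarantined, load the ruleset, wait one cycle, then go live."""
    base = f"/nodes/{node}/lxc/{vmid}"
    # 1. NIC exists with firewall=1, but frames go to a bridge with no uplink,
    #    so the window before the DROP policy is compiled exposes nothing.
    call("PUT", f"{base}/config", {"net0": nic_string(QUARANTINE_BRIDGE, ip, gw)})
    # 2. CT-level DROP/DROP policy plus the security groups that open access.
    call("PUT", f"{base}/firewall/options",
         {"enable": 1, "policy_in": "DROP", "policy_out": "DROP"})
    for group in groups:
        call("POST", f"{base}/firewall/rules",
             {"type": "group", "action": group, "enable": 1})
    # 3. Give pve-firewall one full update cycle plus a margin to compile.
    sleep(UPDATETIME + margin)
    # 4. Re-send the complete NIC definition with only the bridge changed.
    #    Assumption (John's open question): switching the bridge alone does not
    #    reopen the unfiltered window; verify on your cluster with a probe.
    live = nic_string(bridge, ip, gw)
    call("PUT", f"{base}/config", {"net0": live})
    return live
```

If you see the 30-60s delays dqq reported rather than spirit's 10s cycle, raise `margin` or probe the CT from outside before switching the bridge.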
 
