PVE 8 pve-firewall status no such alias

Dec 30, 2020
Hello,
I installed a new (virtual) PVE 8 instance and created a firewall config via the WebGUI:
  • alias
    a_intern -- 10.10.68.0/24
  • ip_set
    s_intern -- a_intern
  • security group
    g_intern -- ACCESS tcp +s_intern 22,8006
and assigned this group to vmbr0 in a firewall rule:

Code:
cat  /etc/pve/firewall/cluster.fw

[OPTIONS]
enable: 1

[ALIASES]
a_intern 10.10.68.0/24

[IPSET s_intern]
dc/a_intern

[RULES]
GROUP g_intern -i vmbr0

[group g_intern]
IN ACCEPT -source +dc/s_intern -p tcp -dport 22,8006 -log nolog

But this does not work! (locked myself out)

pve-firewall status gives: no such alias 'a_intern'

Changing
Code:
[IPSET s_intern]
dc/a_intern
to
Code:
[IPSET s_intern]
a_intern
makes the firewall work as configured.

Please fix the GUI so it creates a correct config:
  • aliases without the dc/ prefix in the ip_set
  • or create global aliases with the dc/ prefix
  • or?
Thanks,
Gerald
 
Hello,

I just want to say that this is quite a big issue, as I locked myself out due to this... :(

Thank you!
 
You can get around it by manually editing the file /etc/pve/firewall/cluster.fw and deleting the "dc/" prefix from the IPSets, or adding the "dc/" prefix to the Aliases. At least that's what I did.
 
I had the same problem. I think the problem is in the parsing of the [IPSET] section.
Under [RULES] it works with or without the dc/ prefix; I tested both, and both work.

Both
Code:
IN SSH(ACCEPT) -source +dc/gerencia -log nolog
and
Code:
IN SSH(ACCEPT) -source +gerencia -log nolog
worked for me.


Below is my full configuration
(Sorry for any mistakes, I'm from Brazil)

Code:
[OPTIONS]
enable: 1
policy_in: DROP

[ALIASES]
localwf 10.10.100.0/24
local-felipe 192.168.10.0/24
gerencia-PUBLIC PUBLIC/29

[IPSET gerencia]
localwf
gerencia-PUBLIC
local-felipe

[RULES]
GROUP gerencia-pve

[group gerencia-pve] # Allow all ports used by Proxmox from the IPs in ipset gerencia
IN VNC(ACCEPT) -source +dc/gerencia -log nolog
IN SSH(ACCEPT) -source +dc/gerencia -log nolog # PVE SSH
IN ACCEPT -source +dc/gerencia -p tcp -dport 8006 -log nolog # PVE WEB

[group ssh-gerencia] # Accept SSH from the management IPs
IN SSH(ACCEPT) -source +dc/gerencia -log nolog
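A pre-flight lint for the cluster.fw layout shown in the first post and in the full config above. This is an added example, not Proxmox code: the section grammar it parses is a simplified assumption rather than the real Perl parser, and the `dc/` check encodes only what this thread reports (an alias member written as `dc/<alias>` inside `[IPSET ...]` made `pve-firewall status` answer "no such alias", while `+name` and `+dc/name` both worked in rules). The embedded sample config is constructed to mirror the GUI-generated config from the first post; the function names (`parse_fw`, `lint`, `strip_dc_prefix`) are this example's own.

```python
"""Pre-flight lint for a Proxmox VE cluster firewall file (/etc/pve/firewall/cluster.fw).

Added example, not Proxmox code. It models only what this thread reports:
  - [ALIASES] defines names; [IPSET x] lists members (a CIDR or an alias name);
    [RULES] and [group x] sections reference ipsets as +name or +dc/name.
  - On PVE 8 an ipset member written as dc/<alias> made pve-firewall status
    report "no such alias"; the bare alias name worked, and +dc/<ipset> in a
    rule worked either way.
The section grammar here is a simplified assumption, not the real Perl parser.
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")
# IPv4 or IPv6 (a colon is required so an alias like "beef" is not taken for IPv6),
# optional prefix length, optional leading "!" (nomatch entry).
CIDR_RE = re.compile(r"^!?(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]*)(?:/\d{1,3})?$")


@dataclass
class FwConfig:
    aliases: dict = field(default_factory=dict)   # alias name -> CIDR (not validated)
    ipsets: dict = field(default_factory=dict)    # ipset name -> [member lines]
    groups: set = field(default_factory=set)      # security group names
    rules: list = field(default_factory=list)     # (owning section, rule line)


def parse_fw(text):
    """Parse the INI-like cluster.fw text into an FwConfig; comments are stripped."""
    cfg = FwConfig()
    section = name = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            if section == "ipset":
                cfg.ipsets.setdefault(name, [])
            elif section == "group":
                cfg.groups.add(name)
            continue
        if section == "aliases":
            parts = line.split(None, 1)
            if len(parts) == 2:
                cfg.aliases[parts[0]] = parts[1]
        elif section == "ipset":
            cfg.ipsets[name].append(line)
        elif section in ("rules", "group"):
            cfg.rules.append((name or "RULES", line))
    return cfg


def lint(cfg):
    """Return human-readable problems; an empty list means every reference resolves."""
    problems = []
    for ipset, members in cfg.ipsets.items():
        for member in members:
            if CIDR_RE.match(member):
                continue
            bare = member.removeprefix("dc/")
            if bare not in cfg.aliases:
                problems.append(f"ipset {ipset}: '{member}' is neither a CIDR nor a defined alias")
            elif member != bare:
                # The form the PVE 8 GUI wrote; per this thread pve-firewall status
                # answers "no such alias '<bare>'" and the rules never take effect.
                problems.append(f"ipset {ipset}: '{member}' carries the dc/ prefix; use '{bare}'")
    for owner, rule in cfg.rules:
        tokens = rule.split()
        if tokens[0] == "GROUP":
            if len(tokens) < 2 or tokens[1] not in cfg.groups:
                problems.append(f"{owner}: GROUP rule names an undefined security group: {rule}")
            continue
        for tok in tokens:
            if tok.startswith("+"):
                # +name and +dc/name both denote a datacenter ipset in cluster.fw.
                ref = tok[1:].removeprefix("dc/")
                if ref not in cfg.ipsets:
                    problems.append(f"{owner}: '{tok}' references an undefined ipset")
    return problems


def strip_dc_prefix(text):
    """The workaround from the thread: drop 'dc/' from members inside [IPSET] sections only."""
    out, in_ipset = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("["):
            in_ipset = stripped.lower().startswith("[ipset ")
        elif in_ipset and stripped.startswith("dc/"):
            raw = raw.replace("dc/", "", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample mirroring the GUI-generated config in the first post.
BROKEN_FW = """\
[OPTIONS]
enable: 1

[ALIASES]
a_intern 10.10.68.0/24

[IPSET s_intern]
dc/a_intern

[RULES]
GROUP g_intern -i vmbr0

[group g_intern]
IN ACCEPT -source +dc/s_intern -p tcp -dport 22,8006 -log nolog
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_FW
    for problem in lint(parse_fw(text)):
        print("PROBLEM:", problem)
    print("after strip_dc_prefix:", lint(parse_fw(strip_dc_prefix(text))) or "no problems")
```

Run it as `python3 fwlint.py /path/to/cluster.fw` against a copy of the file before enabling the firewall on a remote host; with no argument it checks the constructed sample, reports the `dc/a_intern` member, and shows that the rewritten config resolves cleanly. It only checks name resolution, so it says nothing about whether the resulting rules actually admit your management address.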