PVE 8 pve-firewall status no such alias

Dec 30, 2020
Hello,
I installed a new (virtual) PVE 8 instance and created a firewall config with the WebGUI
  • alias
    a_intern -- 10.10.68.0/24
  • ip_set
    s_intern -- a_intern
  • security group
    g_intern -- ACCESS tcp +s_intern 22,8006
and assigned this group to vmbr0 in a firewall rule:

Code:
cat  /etc/pve/firewall/cluster.fw

[OPTIONS]
enable: 1

[ALIASES]
a_intern 10.10.68.0/24

[IPSET s_intern]
dc/a_intern

[RULES]
GROUP g_intern -i vmbr0

[group g_intern]
IN ACCEPT -source +dc/s_intern -p tcp -dport 22,8006 -log nolog

But this does not work! (locked myself out)

pve-firewall status gives: no such alias 'a_intern'

Changing
Code:
[IPSET s_intern]
dc/a_intern
to
Code:
[IPSET s_intern]
a_intern
makes the firewall work as configured.

Please fix the GUI to create a correct config
  • aliases without dc/ in ip_set
  • or create global aliases with dc/ prefix
  • or?
Thanks,
Gerald
 
Hello,

I just want to say that this is quite a big issue, as I locked myself out due to this... :(

Thank you!
 
You can get around it by manually editing the file /etc/pve/firewall/cluster.fw and deleting the "dc/" prefix from the IPSets, or adding the "dc/" prefix to the Aliases. At least that's what I did.
 
I had the same problem. I think the problem arises while parsing the [ IPSET ] section.
Under [ RULES ] it works with or without the dc; I tested both, and both work.

Both
IN SSH(ACCEPT) -source +dc/gerencia -log nolog
And
IN SSH(ACCEPT) -source +gerencia -log nolog
Worked for me


Below is my full configuration
(Sorry for any mistakes, I'm from Brazil)

Code:
[OPTIONS]
enable: 1
policy_in: DROP

[ALIASES]
localwf 10.10.100.0/24
local-felipe 192.168.10.0/24
gerencia-PUBLIC PUBLIC/29

[IPSET gerencia]
localwf
gerencia-PUBLIC
local-felipe

[RULES]
GROUP gerencia-pve

[group gerencia-pve] # Allow all ports used by Proxmox to the IPs in IPSET gerencia
IN VNC(ACCEPT) -source +dc/gerencia -log nolog
IN SSH(ACCEPT) -source +dc/gerencia -log nolog # PVE SSH
IN ACCEPT -source +dc/gerencia -p tcp -dport 8006 -log nolog # PVE WEB

[group ssh-gerencia] # Accept SSH from the management IPs
IN SSH(ACCEPT) -source +dc/gerencia -log nolog
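A small lint for the two observations in this thread (the first post: a `dc/<alias>` member inside an [IPSET] section makes `pve-firewall status` report "no such alias" while the bare alias name works; the post above: rules accept both `+name` and `+dc/name`). This is an added example and not code from the posters or from Proxmox. The sample config is the one from the first post; the section and `-source +name` patterns it matches are my reading of the format shown in this thread, not the real pve-firewall parser, so treat any line it does not understand as unchecked. It proposes the bare alias form for IPSET members, flags members that are neither an address nor a defined alias, and flags rule references to an IPSET that is not defined, so a config can be vetted before it locks you out.

```python
"""Lint a Proxmox VE cluster.fw for alias references inside [IPSET] sections.

Added example (not Proxmox code). The thread reports that the PVE 8 GUI writes
alias members of a datacenter IPSET as ``dc/<alias>``, which pve-firewall
rejects with "no such alias", while the bare ``<alias>`` form works, and that
rules accept both ``+name`` and ``+dc/name``. The regexes below are assumptions
about the file format as shown in the thread, not the pve-firewall grammar.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]")
# -source/-dest +name or +dc/name inside a rule line
REF_RE = re.compile(r"-(?:source|dest)\s+\+(?:dc/)?([\w\-]+)")

# Sample taken from the first post in this thread (the GUI-generated form).
SAMPLE_CLUSTER_FW = """[OPTIONS]
enable: 1

[ALIASES]
a_intern 10.10.68.0/24

[IPSET s_intern]
dc/a_intern

[RULES]
GROUP g_intern -i vmbr0

[group g_intern]
IN ACCEPT -source +dc/s_intern -p tcp -dport 22,8006 -log nolog
"""


@dataclass
class Finding:
    line_no: int                  # 1-based line in the config text
    section: str                  # header the line sits under, e.g. "IPSET s_intern"
    message: str
    fixed: Optional[str] = None   # replacement line when one can be proposed


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def _is_ip_or_cidr(s: str) -> bool:
    try:
        ipaddress.ip_network(s, strict=False)
        return True
    except ValueError:
        return False


def lint_cluster_fw(text: str):
    """Return (findings, rewritten text) for a cluster.fw body."""
    lines = text.splitlines()

    # Pass 1: collect alias and IPSET names so references resolve regardless
    # of the order in which the sections appear.
    aliases, ipsets = set(), set()
    kind = None
    for raw in lines:
        body = _strip_comment(raw)
        m = SECTION_RE.match(body)
        if m:
            kind = m.group(1).upper()
            if kind == "IPSET" and m.group(2):
                ipsets.add(m.group(2).lower())
        elif kind == "ALIASES" and body:
            aliases.add(body.split()[0].lower())

    # Pass 2: check IPSET members and rule references, rewriting as we go.
    findings, out = [], []
    kind, label = None, ""
    for no, raw in enumerate(lines, start=1):
        body = _strip_comment(raw)
        m = SECTION_RE.match(body)
        if m:
            kind = m.group(1).upper()
            label = body.strip("[]")
        elif kind == "IPSET" and body:
            member = body.lstrip("!").strip()        # '!' marks a nomatch entry
            bare = member[3:] if member.lower().startswith("dc/") else member
            if member != bare and bare.lower() in aliases:
                fixed = raw.replace(member, bare, 1)  # drop the dc/ prefix only
                findings.append(Finding(no, label,
                    f"alias member {member!r} uses the dc/ prefix; pve-firewall "
                    f"reports \"no such alias\" for it, use {bare!r}", fixed))
                out.append(fixed)
                continue
            if not _is_ip_or_cidr(member) and member.lower() not in aliases:
                findings.append(Finding(no, label,
                    f"{member!r} is neither an address nor a defined alias"))
        elif kind in ("RULES", "GROUP") and body:
            for ref in REF_RE.findall(body):
                if ref.lower() not in ipsets:
                    findings.append(Finding(no, label,
                        f"rule references IPSET +{ref}, which is not defined"))
        out.append(raw)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    found, fixed_text = lint_cluster_fw(SAMPLE_CLUSTER_FW)
    for f in found:
        print(f"line {f.line_no} [{f.section}]: {f.message}")
    print(fixed_text)
```

Run it against a copy of /etc/pve/firewall/cluster.fw before enabling the firewall; on the first post's config it reports line 8 (`dc/a_intern` under `IPSET s_intern`) and writes the bare `a_intern` form that the thread confirms works, while the `+dc/s_intern` reference in the group rule is left alone because that form is accepted.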
 
