PVE-Firewall does not work on API

bts28

Mar 8, 2016
Hello all,

I have an error with the latest Proxmox (4.4-1) -> PVE-FIREWALL

So,

Set the DC Firewall to Yes, Input and Output to ACCEPT
Enable Firewall Host to Yes
Enable Firewall CT to Yes

Container does not ping, all done :)

Add firewall rules to the CT, in/out ACCEPT > I can ping :)

Try to disable the rules > does not ping > done :)

Now, try to enable/disable the in/out rules with the API (pvesh):

pvesh set /nodes/svm-11/lxc/101/firewall/rules/0 --enable 0
pvesh set /nodes/svm-11/lxc/101/firewall/rules/1 --enable 0

In this example, I have disabled the rule.

BUT! I can ping! No refresh of iptables with the API (pvesh)

BUG?!

I have tried this process on 2 fresh hosts, same issue.


Sincerely
Nicolas
 
You need to enable the firewall on the container network interface (and restart the container).
 
Hello Dietmar,

The firewall is already set to yes on the CT. Restarted the CT, but same problem.


Sincerely,
 
Dear,

The file:

root@svm-10:~# cat /etc/pve/lxc/101.conf
arch: amd64
cpulimit: 1
cpuunits: 1024
hostname: test
memory: 512
net0: bridge=vmbr0,firewall=1,gw=GATEWAY,hwaddr=3A:65:63:36:62:34,ip=IPCT/32,ip6=dhcp,name=eth0,type=veth
ostype: debian
rootfs: local:101/vm-101-disk-1.raw,size=8G
swap: 512


Sincerely,
 
Hello,

With this CT, I have enabled the FW and enabled the IN/OUT rules, but it does not ping...

root@svm-10:~# cat /etc/pve/firewall/101.fw
[OPTIONS]

enable: 1

[RULES]

|OUT ACCEPT
|IN ACCEPT


Sincerely
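
A read-only check for a guest firewall file like the 101.fw shown above, added here as an example and not part of the thread or of Proxmox's own tooling. It assumes the pve-firewall file format, in which a leading `|` marks a rule as disabled; the function name `fw_rule_state` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Summarise a Proxmox guest firewall file: the [OPTIONS] enable flag and
# whether each [RULES] entry is active.
# Assumption: a leading "|" on a rule line means the rule is disabled.
fw_rule_state() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip blank lines and comments
        /^\[/ {                                 # section header, e.g. [RULES]
            section = toupper($0)
            gsub(/[^A-Z]/, "", section)
            next
        }
        section == "OPTIONS" && /^enable:/ { print "firewall enable=" $2 }
        section == "RULES" {
            state = "enabled"
            if (sub(/^[|]/, "")) state = "disabled"
            printf "rule %d %s: %s\n", n++, state, $0
        }
    ' "$1"
}

# Constructed sample: the first two rules mirror the 101.fw in the thread,
# the third is an extra enabled rule added for contrast.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[OPTIONS]

enable: 1

[RULES]

|OUT ACCEPT
|IN ACCEPT
IN SSH(ACCEPT) -i net0
EOF

fw_rule_state "$sample"
rm -f "$sample"
```

On a host, point it at the real file, for example `fw_rule_state /etc/pve/firewall/101.fw`, and compare the result with the output of `iptables-save` after changing a rule through pvesh.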