[SOLVED] PVE Firewall not filtering anything

Jun 21, 2011
48
3
28
Hi! I have a 7 node production cluster with HA and Ceph storage. Every node is running Proxmox 5.4. I recently found out that the firewall is not working at all (it was working when we last checked, some months ago): every port of every VM is open even though per policy it should be closed!
It seems like the firewall is disabled, but it is enabled at datacenter level, node level and VM level. Also the pve-firewall service seems to be running:
[screenshot: pvefw running.png]
If I run iptables -L I also get tons of rules... they seem to be the correct rules...
But any VM is accessible on any port, even though the INPUT policy is DROP and no ACCEPT rule is configured.
Do you have any idea? Please remember that this is a production cluster and I can't afford any downtime...
Thank you!
 

LnxBil

Famous Member
Feb 21, 2015
4,962
513
133
Germany
You need to enable the firewall on multiple levels:
- on Datacenter level
- on VM-level
- on NIC-VM-level

Only if you enable the firewall at all three levels will it work.
 

spirit

Famous Member
Apr 2, 2010
4,052
245
83
www.odiso.com
also check that the firewall is enabled on vm/ct nics + vm/ct options

and "sysctl -a |grep call":

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
 
also check that the firewall is enabled on vm/ct nics + vm/ct options

and "sysctl -a |grep call":

net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
I confirm that the firewall is enabled on the VMs' NICs (and in their options too). But sysctl returns this instead... what does this mean?
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
 

LnxBil
If I run iptables -L I also get a tons of rules...they seem to be the correct rules...
You have to follow them, e.g. list INPUT, then see where the packets go. PVE creates a lot of rules and tables, but you can follow it. Can you post an analysis here?
 

spirit
I confirm that the firewall is enabled on the VMs' NICs (and in their options too). But sysctl returns this instead... what does this mean?
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
Well, filtering occurs at bridge level, but uses iptables instead of ebtables (because we need to filter IP addresses, ports, ...).

This param is some kind of hack in the kernel, to send bridge-filtered packets to iptables.

It should be enabled by pve-firewall when it's starting (you can try to restart pve-firewall). You can also force it in /etc/sysctl.d/pve.conf.
 
Well, filtering occurs at bridge level, but uses iptables instead of ebtables (because we need to filter IP addresses, ports, ...).

This param is some kind of hack in the kernel, to send bridge-filtered packets to iptables.

It should be enabled by pve-firewall when it's starting (you can try to restart pve-firewall). You can also force it in /etc/sysctl.d/pve.conf.
Thank you so much, we verified and on 6 out of 7 Proxmox nodes the variables net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-ip6tables were both set to 0. The only node with those variables set to 1 was the only node on which the firewall worked. It was also the node with the lowest uptime (it had a hardware failure, was repaired and rebooted 2 weeks ago). I think that on all the other nodes, which have an uptime > 200 days, some system updates set those variables to 0.
A pve-firewall restart on all nodes fixed the problem, setting those variables to 1 and finally making the firewall do what it should do.
Thank you so much @spirit !
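The root cause in this thread (bridge-nf-call-iptables/ip6tables silently at 0, so VM rules exist in iptables but bridged traffic never reaches them) is easy to check for on every node before anyone notices open ports. The POSIX sh script below is an added example written for this thread, not code from Proxmox or from any poster. It parses `sysctl`-style output, reports each of the two keys spirit named, and returns non-zero when either is not 1; the two sample outputs embedded in it are constructed to mirror what the original poster saw on the broken and the healthy node, and the `live_check` helper (an assumed name) is what you would actually run on a hypervisor.

```shell
#!/bin/sh
# Added diagnostic for the Proxmox bridge-netfilter sysctls; not from the thread.
# Constructed sample: the values the original poster reported on the 6 broken nodes.
SAMPLE_BROKEN='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0'

# Constructed sample: the values spirit said to expect (the healthy node).
SAMPLE_OK='net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1'

# bridge_nf_value KEY: read "key = value" lines on stdin, print the value of KEY,
# or "missing" when the key is absent (e.g. br_netfilter not loaded).
bridge_nf_value() {
    awk -v key="$1" '$1 == key { print $3; found = 1 }
                     END { if (!found) print "missing" }'
}

# check_bridge_nf TEXT: verdict per key; exit status 0 only when both the
# IPv4 and IPv6 bridge hooks are enabled, otherwise 1.
check_bridge_nf() {
    rc=0
    for key in net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables; do
        val=$(printf '%s\n' "$1" | bridge_nf_value "$key")
        if [ "$val" = "1" ]; then
            echo "OK      $key = $val"
        else
            echo "PROBLEM $key = $val (VM firewall rules are not applied to bridged traffic)"
            rc=1
        fi
    done
    return $rc
}

# live_check (assumed helper name): same check against the running kernel,
# using the command the thread used.  Run this on each PVE node.
live_check() {
    check_bridge_nf "$(sysctl -a 2>/dev/null | grep 'bridge-nf-call')"
}

echo "--- constructed sample from the broken nodes ---"
check_bridge_nf "$SAMPLE_BROKEN" || echo "=> restart pve-firewall (or apply /etc/sysctl.d/pve.conf) and re-check"
echo "--- constructed sample from the healthy node ---"
check_bridge_nf "$SAMPLE_OK"
```

Wire `live_check` into whatever per-node health check you already run (the thread shows the symptom only appears on nodes with long uptime, so a one-off check at install time is not enough); the script checks the two keys spirit named and deliberately ignores bridge-nf-call-arptables, which the thread treats as irrelevant to the IP-level VM rules.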
 
