pve-firewall vs iptables/systemctl reporting discrepencies

[johnnyutahh]

Proxmox newbie here. In my PVE server...

1. If the pve-firewall is running (with policy_in: DROP like it says below, why does iptables report no rules (ie: everything is "accepted")?

2. what does 'disabled' mean in pve-firewall status = disabled/running? (systemctl status pve-firewall.service reports the service as enabled.)

Corresponding system details below.

$ pve-firewall status
Status: disabled/running
$
$ cat /etc/pve/firewall/cluster.fw
[OPTIONS]

policy_in: DROP

$
$ iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
$
$ pveversion ; date
pve-manager/6.2-11/22fb4983 (running kernel: 5.4.60-1-pve)
Mon 21 Sep 2020 01:12:17 PM CDT
$
$ systemctl status pve-firewall.service
● pve-firewall.service - Proxmox VE firewall
   Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-09-21 12:44:00 CDT; 28min ago
  Process: 25281 ExecStartPre=/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy (code=ex
  Process: 25283 ExecStartPre=/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy (code=ex
  Process: 25289 ExecStartPre=/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy (code=
  Process: 25290 ExecStart=/usr/sbin/pve-firewall start (code=exited, status=0/SUCCESS)
Main PID: 25291 (pve-firewall)
    Tasks: 1 (limit: 4915)
   Memory: 85.3M
   CGroup: /system.slice/pve-firewall.service
           └─25291 pve-firewall

Sep 21 12:43:59 pve systemd[1]: Starting Proxmox VE firewall...
Sep 21 12:44:00 pve pve-firewall[25291]: starting server
Sep 21 12:44:00 pve systemd[1]: Started Proxmox VE firewall.
$

 

[Dunuin]

Proxmox newbie here. In my PVE server...

1. If the pve-firewall is running (with policy_in: DROP like it says below, why does iptables report no rules (ie: everything is "accepted")?

2. what does 'disabled' mean in pve-firewall status = disabled/running? (systemctl status pve-firewall.service reports the service as enabled.)

Corresponding system details below.

$ pve-firewall status
Status: disabled/running
$
$ cat /etc/pve/firewall/cluster.fw
[OPTIONS]

policy_in: DROP

$
$ iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
$
$ pveversion ; date
pve-manager/6.2-11/22fb4983 (running kernel: 5.4.60-1-pve)
Mon 21 Sep 2020 01:12:17 PM CDT
$
$ systemctl status pve-firewall.service
● pve-firewall.service - Proxmox VE firewall
   Loaded: loaded (/lib/systemd/system/pve-firewall.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-09-21 12:44:00 CDT; 28min ago
  Process: 25281 ExecStartPre=/usr/bin/update-alternatives --set ebtables /usr/sbin/ebtables-legacy (code=ex
  Process: 25283 ExecStartPre=/usr/bin/update-alternatives --set iptables /usr/sbin/iptables-legacy (code=ex
  Process: 25289 ExecStartPre=/usr/bin/update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy (code=
  Process: 25290 ExecStart=/usr/sbin/pve-firewall start (code=exited, status=0/SUCCESS)
Main PID: 25291 (pve-firewall)
    Tasks: 1 (limit: 4915)
   Memory: 85.3M
   CGroup: /system.slice/pve-firewall.service
           └─25291 pve-firewall

Sep 21 12:43:59 pve systemd[1]: Starting Proxmox VE firewall...
Sep 21 12:44:00 pve pve-firewall[25291]: starting server
Sep 21 12:44:00 pve systemd[1]: Started Proxmox VE firewall.
$

1.) I think that pve policies should work like normal iptables "default policies". So it's first checked If the packet matches a rule and if no rule matched then the default policy will take into account. That way everything incoming is dropped if there is no rule telling the firewall to do something else (if you set the incoming policy to drop).

2.) PVE uses like 3 rings of firewalls. You need to setup and activate the Firewall for every VM, for every Proxmox host and for the datacenter. If you enable just the firewall for a VM or for a host the firewall isn't working until you also activate the firewall for the datacenter.
Look at "Datacenter -> Firewall -> Option -> Firewall -> Edit", "Datacenter -> Firewall -> Option -> Firewall -> Edit" and "YourVM -> Firewall -> Option -> Firewall -> Edit" if the checkboxes are all set. If not the firewall is disabled.

But don't forget to set a rule to allow incoming traffic on TCP port 8006 before setting all incoming policies to drop or you can't connect to the Webinterface to change the rules again. I'm not quite sure but I think you need that rule on the datacenter firewall and on the proxmox host firewall to be able to access the webinterface. Don't lock you out. I did that several times with my OpenWRT routers.

 

[fabian]

your firewall is disabled on a config level (you need to enable it on the cluster/datacenter and node level for it to become active for a particular node)