pve-firewall webui controls broken v8.3.0

[mkeys]

Hi all,
I wanted to point out some things I have noticed regarding the firewall service not operating as expected. I searched bugzilla but didn't see anything about it. I'd like to check with the community as to if you're able to reproduce this behavior, if it's expected, etc.


1. Within the webui at the Datacenter level, if you disable the firewall it does not disable the firewall service on the cluster members. Steps to reproduce, toggle firewall off, reboot hosts within the datacenter.



2. Within the webui at the server level, if you disable the firewall it does not disable the firewall service on that host. Also note there are options that are not available at the Datacenter level, which is a bit unexpected. Steps to reproduce - toggle firewall to no, check 'systemctl status pve-firewall.service'. Reboot the host. Recheck 'systemctl status pve-firewall.service'.



3. If you manually 'systemctl stop pve-firewall.service', followed by 'systemctl disable pve-firewall.service', then reboot the host and recheck status upon first login, it will be running again.



Regards,
Matt

 

[shanreich]

This toggle does not disable the firewall daemon, but it governs whether the firewall daemon generates rules or not. You can check by running iptables-save whether there are firewall rules generated or not.

 

[mkeys]

This toggle does not disable the firewall daemon, but it governs whether the firewall daemon generates rules or not. You can check by running iptables-save whether there are firewall rules generated or not.

Is it expected for pve-firewall or proxmox-firewall service to start when it's disabled at datacenter and host level?

 

[shanreich]

Is it expected for pve-firewall or proxmox-firewall service to start when it's disabled at datacenter and host level?

Yes, the daemons start - but don't do anything.