pve host ipv6, firewall, and ssh

CanadaGuy

Well-Known Member
Nov 19, 2019
I was reading here when I was deciding to configure IPv6 on my pve server:

https://pve.proxmox.com/wiki/Firewall

And there is this: "If you enable the firewall, traffic to all hosts is blocked by default. Only exceptions is WebGUI(8006) and ssh(22) from your local network.". However, it seems this only applies to IPv4. After enabling IPv6, I could not connect to my PVE host until I added an IPv6 rule to allow the same host I connect over IPv4 from. My IPv4 and IPv6 connections are on the same subnet (/24 and /64 respectively) as the PVE host, so I figured that should be covered but it's not.

Is this a configuration bug?
 
Hi,

the firewall creates both a PVEFW-0-management-v4 and a PVEFW-0-management-v6 chain, which are responsible for the management traffic. Please post the output of pve-firewall compile | grep management (in code tags). I'm suspecting that the firewall only grabs one of the addresses and adds it to the relevant IPSet…
Hi, thanks for the reply. Here it is. I wasn't sure if that was base64 of a hash or something, so I removed it. Also hid the IPv6 prefix, but it's the /64 that I manage from. I do have a firewall rule added to the node (and it was there when I dumped this).

Code:
root@pve:~# pve-firewall compile | grep management
update PVEFW-0-management-v4 (base64 of something?)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64 bucketsize 12
update PVEFW-0-management-v6 (base64 of something else?)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64 bucketsize 12
        add PVEFW-0-management-v6 2001:my:management:prefix::/64
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN

I deleted my firewall rule for the node, and lost SSH connectivity. The outputs of that command look identical and I definitely can't SSH without the node firewall rule. It looks like it should work, but definitely doesn't.

Code:
root@pve:~# pve-firewall compile | grep management
update PVEFW-0-management-v4 (base64 of something?)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64 bucketsize 12
update PVEFW-0-management-v6 (base64 of something else?)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64 bucketsize 12
        add PVEFW-0-management-v6 2001:my:management:prefix::/64
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 60000:60050 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 3128 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 60000:60050 -j RETURN
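An added check, not part of this thread or of pve-firewall itself: a small Python script that parses the kind of `pve-firewall compile` output shown above and reports whether a given source address sits in a management IPSet that has a RETURN rule covering the port. The embedded sample is constructed from the thread's dump, with the RFC 3849 documentation prefix 2001:db8::/32 standing in for the hidden one; it only tells you what the compiled rules say, which here is exactly where the observed behaviour diverges, so treat it as a first diagnostic, not the final word.

```python
import ipaddress
import re
import sys

# Constructed sample modelled on the thread's `pve-firewall compile | grep management`
# output (prefix replaced by the 2001:db8::/32 documentation range). Note that, as in
# the thread, the v4 set gets no `add` line at all.
SAMPLE = """\
update PVEFW-0-management-v4 (base64 of something?)
        create PVEFW-0-management-v4 hash:net family inet hashsize 64 maxelem 64 bucketsize 12
update PVEFW-0-management-v6 (base64 of something else?)
        create PVEFW-0-management-v6 hash:net family inet6 hashsize 64 maxelem 64 bucketsize 12
        add PVEFW-0-management-v6 2001:db8:1234:abcd::/64
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v4 src -p tcp --dport 22 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 8006 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 5900:5999 -j RETURN
        -A PVEFW-HOST-IN -m set --match-set PVEFW-0-management-v6 src -p tcp --dport 22 -j RETURN
"""

CREATE_RE = re.compile(r"^\s*create (\S+) hash:net\b")
ADD_RE = re.compile(r"^\s*add (\S+) (\S+)\s*$")
RULE_RE = re.compile(r"^\s*-A PVEFW-HOST-IN -m set --match-set (\S+) src -p tcp --dport (\S+) -j RETURN\s*$")

def parse_management(text):
    """Return (sets, ports): set name -> list of networks, set name -> list of (lo, hi) port ranges."""
    sets, ports = {}, {}
    for line in text.splitlines():
        if m := CREATE_RE.match(line):
            sets.setdefault(m.group(1), [])          # empty sets are still listed
        elif m := ADD_RE.match(line):
            sets.setdefault(m.group(1), []).append(ipaddress.ip_network(m.group(2), strict=False))
        elif m := RULE_RE.match(line):
            lo, _, hi = m.group(2).partition(":")   # "22" or "5900:5999"
            ports.setdefault(m.group(1), []).append((int(lo), int(hi or lo)))
    return sets, ports

def management_allows(text, src, dport):
    """True if `src` is in some management set whose RETURN rules cover `dport`."""
    sets, ports = parse_management(text)
    addr = ipaddress.ip_address(src)   # an IPv4 address never matches an inet6 network
    for name, nets in sets.items():
        if any(addr in n for n in nets) and any(lo <= dport <= hi for lo, hi in ports.get(name, ())):
            return True
    return False

if __name__ == "__main__":
    # usage: pve-firewall compile | python3 check.py <source-address> <port>
    src, port = sys.argv[1], int(sys.argv[2])
    print("covered" if management_allows(sys.stdin.read(), src, port) else "NOT covered")
```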
 
Strange… could you please also post the rule that you configured yourself?
 
Code:
IN ACCEPT -source 2001:my:ip::address -log nolog
IN ACCEPT -source 2001:my:subnet::/64 -p ipv6-icmp -log nolog
 
Is your IP address actually in your management subnet? By default, it's the subnet that the host itself resides in iirc. One thing you could try is to create an IPSet called "management" on the cluster firewall and then explicitly add your IP there. See here [1].

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pve_firewall_ip_sets
Yes, it definitely is. I just tried the management IPSet and it worked, using an alias for my management PC's IPv6 address. That same alias is used for the node firewall rule on port 22.