I have weird and inconsistent behavior in using security groups. A few containers only have this security group applied; it's working fine on one, traffic can get through on all the others.
Firewall is enabled on the datacenter, host, and container/VM level
/etc/pve/firewall/cluster.fw aliases and security groups:
Code:
[ALIASES]
apache-main 192.168.1.1 # DNS and Reverse Proxy
internal 192.168.2.0/24 # Internal CT/VM
lan 192.168.0.0/16 # Local network
physical 192.168.0.0/24 # Physical machines
[group reverse_proxy] # Services behind proxy - last rule
IN ACCEPT -source wireguard -p tcp -dport 22 -log nolog # SSH
IN ACCEPT -source physical -p tcp -dport 22 -log nolog # SSH
IN ACCEPT -source lan -p tcp -dport 80 -log nolog # HTTP
IN ACCEPT -source lan -p tcp -dport 443 -log nolog # HTTPS
IN ACCEPT -source internal -log nolog # Accept incoming internal
IN DROP -source lan -log nolog # Drop incoming LAN
OUT ACCEPT -dest apache-main -p tcp -dport 53 -log nolog # DNS
OUT ACCEPT -dest apache-main -p udp -dport 53 -log nolog # DNS
OUT ACCEPT -dest internal -log nolog # Accept outgoing internal
OUT DROP -dest lan -log nolog # Drop outgoing LAN
201.fw:
Code:
[OPTIONS]
enable: 1
[RULES]
GROUP reverse_proxy
203.fw:
Code:
[OPTIONS]
enable: 1
[RULES]
GROUP reverse_proxy
pinging from 201 (should be dropped):
Code:
# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=64 time=0.048 ms
64 bytes from 192.168.1.2: icmp_seq=3 ttl=64 time=0.049 ms
^C
--- 192.168.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2043ms
rtt min/avg/max/mdev = 0.039/0.045/0.049/0.004 ms
pinging from 203 (successfully dropped):
Code:
# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
^C
--- 192.168.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2044ms
In fact I have 2 more containers using the same security group but none of them follow the rule except 203. I know the rules are working on 203 because disabling the firewall/SG on 203 allows pinging again.
I've tried rebooting the server, pve-firewall restart, turning the firewall on/off on every level, but the behavior is consistent. 203 (which is the first container I assigned the security group to) is the only one that respects the rules.
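A check that helps when a security group behaves differently across guests is to validate the config files themselves before looking at the compiled rules. The following is an added example, not part of the post or of Proxmox's own tooling: a small parser for the subset of the `/etc/pve/firewall/*.fw` format shown above (`[ALIASES]`, `[group name]`, `[OPTIONS]`, `[RULES]`) that reports alias names a group references but no `[ALIASES]` entry defines, and lists for each guest config whether the firewall is enabled and the group is actually referenced. The configs are transcribed inline from the post rather than read from `/etc/pve`; the parser is an assumption-level approximation of the real format (it ignores macros, `[IPSET]` sections and the `|`-disabled rule prefix, and treats anything that is not a literal address or a `+ipset` as an alias name).

```python
import re
from typing import Dict, List, Tuple

# Transcribed from the post's cluster.fw (the [ALIASES] and [group] parts).
CLUSTER_FW = """\
[ALIASES]
apache-main 192.168.1.1 # DNS and Reverse Proxy
internal 192.168.2.0/24 # Internal CT/VM
lan 192.168.0.0/16 # Local network
physical 192.168.0.0/24 # Physical machines

[group reverse_proxy] # Services behind proxy - last rule
IN ACCEPT -source wireguard -p tcp -dport 22 -log nolog # SSH
IN ACCEPT -source physical -p tcp -dport 22 -log nolog # SSH
IN ACCEPT -source lan -p tcp -dport 80 -log nolog # HTTP
IN ACCEPT -source lan -p tcp -dport 443 -log nolog # HTTPS
IN ACCEPT -source internal -log nolog # Accept incoming internal
IN DROP -source lan -log nolog # Drop incoming LAN
OUT ACCEPT -dest apache-main -p tcp -dport 53 -log nolog # DNS
OUT ACCEPT -dest apache-main -p udp -dport 53 -log nolog # DNS
OUT ACCEPT -dest internal -log nolog # Accept outgoing internal
OUT DROP -dest lan -log nolog # Drop outgoing LAN
"""

# Transcribed from the post's 201.fw and 203.fw.
VM_FW = {
    "201": "[OPTIONS]\nenable: 1\n[RULES]\nGROUP reverse_proxy\n",
    "203": "[OPTIONS]\nenable: 1\n[RULES]\nGROUP reverse_proxy\n",
}

SECTION_RE = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]")
LITERAL_RE = re.compile(r"^[\d.:/]+$")  # IPv4/IPv6 address or CIDR, not an alias


def strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def parse_fw(text: str) -> Dict[str, List[str]]:
    """Map section name -> payload lines (comments dropped).
    Named sections such as [group reverse_proxy] are keyed 'group:reverse_proxy'."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.group(1).lower(), m.group(2)
            current = f"{kind}:{name}" if name else kind
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def aliases(sections: Dict[str, List[str]]) -> Dict[str, str]:
    """Alias name -> address/CIDR from the [ALIASES] section."""
    out = {}
    for line in sections.get("aliases", []):
        name, cidr = line.split(None, 1)
        out[name] = cidr
    return out


def rule_refs(rule: str) -> List[str]:
    """Every name handed to -source or -dest in one rule (comma lists split)."""
    tokens = rule.split()
    refs: List[str] = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-source", "-dest"):
            refs.extend(tokens[i + 1].split(","))
    return refs


def undefined_aliases(cluster_text: str) -> Dict[str, List[str]]:
    """Group name -> sorted alias names it references that [ALIASES] does not define."""
    sections = parse_fw(cluster_text)
    defined = set(aliases(sections))
    missing: Dict[str, set] = {}
    for key, rules in sections.items():
        if not key.startswith("group:"):
            continue
        gname = key.split(":", 1)[1]
        for rule in rules:
            for ref in rule_refs(rule):
                if ref.startswith("+") or LITERAL_RE.match(ref):
                    continue  # ipset reference or literal address: not an alias
                if ref not in defined:
                    missing.setdefault(gname, set()).add(ref)
    return {g: sorted(v) for g, v in missing.items()}


def vm_group_status(vm_configs: Dict[str, str], group: str) -> Dict[str, Tuple[bool, bool]]:
    """VMID -> (firewall enabled in [OPTIONS], group referenced by a GROUP rule)."""
    status = {}
    for vmid, text in vm_configs.items():
        sections = parse_fw(text)
        opts = {k.strip(): v.strip() for k, v in
                (l.split(":", 1) for l in sections.get("options", []) if ":" in l)}
        enabled = opts.get("enable", "0") == "1"
        uses = any(r.split()[:2] == ["GROUP", group] for r in sections.get("rules", []))
        status[vmid] = (enabled, uses)
    return status


if __name__ == "__main__":
    print("undefined aliases per group:", undefined_aliases(CLUSTER_FW))
    print("guest status for reverse_proxy:", vm_group_status(VM_FW, "reverse_proxy"))
```

On the post's own files the first function flags `wireguard` in `reverse_proxy` as referenced but not defined in the `[ALIASES]` shown, and the second confirms that both 201 and 203 have `enable: 1` and reference the group, i.e. the two guest configs are identical as far as this file-level check goes. That narrows the comparison to what the host actually generated for each guest: on a Proxmox host, `pve-firewall compile` prints the rule set the daemon builds from these files, which is the next thing to diff between the guest that drops traffic and the ones that do not.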