[SOLVED] The Proxmox firewall lets everything pass, despite it being activated.

[Sorcier180]

Hello everybody

My Proxmox firewall lets everything pass, despite it being activated.

I configured and installed Proxmox a few years ago, as well as the integrated firewall. And everything worked perfectly until now.

I didn't hit anything in particular, and I have the impression that the problem occurred after the 8.2 update. Is there anything to modify or change with the new firewall?

I launched my terminal with a ping on a VM or the host, and I never managed to cut the ping with the firewall.

Have you ever encountered this problem?

I remain available if you need more information.

thank you so much
Arnaud

 

[shanreich]

Can you give me some more detailed information?

From which IP are you pinging to where (IP of VM / host)?

Can you post the output of the following commands?

iptables-save
systemctl status pve-firewall proxmox-firewall

 

[Sorcier180]

Can you give me some more detailed information?

From which IP are you pinging to where (IP of VM / host)?

Can you post the output of the following commands?

iptables-save
systemctl status pve-firewall proxmox-firewall

Hello Shanreich

The Proxmox host server is in a datacenter, behind a public IP (no NAT), and the same goes for the VMs.
And i ping from my home to my computer (i'm not giving you the IPs as i'm vulnerable or private)

Here is the result of the command :
root@prox1:~# systemctl status pve-firewall proxmox-firewall
○ pve-firewall.service
Loaded: masked (Reason: Unit pve-firewall.service is masked.)
Active: inactive (dead)

● proxmox-firewall.service - Proxmox nftables firewall
Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: ena>
Active: active (running) since Fri 2024-05-17 06:12:51 CEST; 4h 25min ago
Main PID: 2189 (proxmox-firewal)
Tasks: 1 (limit: 154403)
Memory: 3.7M
CPU: 16.643s
CGroup: /system.slice/proxmox-firewall.service
└─2189 /usr/libexec/proxmox/proxmox-firewall

May 17 06:35:01 prox1 proxmox-firewall[2189]: proxmox_firewall: error updating firewall>
lines 1-15

Thanks for your help
Arnaud

 

[shanreich]

Seems like the pve-firewall service is masked, did you do anything regarding that? That shouldn't happen automatically in any case. Did you try to enable the new firewall?

 

[Sorcier180]

Seems like the pve-firewall service is masked, did you do anything regarding that? That shouldn't happen automatically in any case. Did you try to enable the new firewall?

So no, I don't see it at all, I saw it yesterday, I tried to stop the firewall and restart it but it told me it was hidden, I didn't even know it was possible.

I updated the packages this morning, and restarted the server, but still the same problem ;-(

 

[shanreich]

Is it possible that you accidentally masked the pve-firewall process? Anyway, this should be fixable as soon as you can give me the output of the following command:

grep nftables /etc/pve/nodes/**/host.fw

 

[Sorcier180]

Is it possible that you accidentally masked the pve-firewall process? Anyway, this should be fixable as soon as you can give me the output of the following command:

grep nftables /etc/pve/nodes/**/host.fw

i don't see how i could have done it, i haven't touched anything lately.

Nothing comes up when i type in your order.
Here's what's in the "host.fw"

[OPTIONS]

enable: 1
tcp_flags_log_level: alert
smurf_log_level: alert
log_level_out: alert
log_level_in: alert

 

[shanreich]

You should be able to simply unmask pve-firewall and restart it, for good measure:

systemctl unmask pve-firewall && systemctl restart pve-firewall

Then check if it is running:

systemctl status pve-firewall

 

[Sorcier180]

You should be able to simply unmask pve-firewall and restart it, for good measure:

systemctl unmask pve-firewall && systemctl restart pve-firewall

Then check if it is running:

systemctl status pve-firewall

Wonderful, it works, I'm so relieved!

Thank you so much for your help!

Long live Proxmox!