[SOLVED] The Proxmox firewall lets everything pass, despite it being activated.

Jul 21, 2023
Hello everybody

My Proxmox firewall lets everything pass, despite it being activated.

I configured and installed Proxmox a few years ago, as well as the integrated firewall. And everything worked perfectly until now.

I didn't hit anything in particular, and I have the impression that the problem occurred after the 8.2 update. Is there anything to modify or change with the new firewall?

I launched my terminal with a ping on a VM or the host, and I never managed to cut the ping with the firewall.

Have you ever encountered this problem?

I remain available if you need more information.

Thank you so much
Arnaud
 
Can you give me some more detailed information?

From which IP are you pinging to where (IP of VM / host)?

Can you post the output of the following commands?
Code:
iptables-save
systemctl status pve-firewall proxmox-firewall
 
Hello Shanreich

The Proxmox host server is in a datacenter, behind a public IP (no NAT), and the same goes for the VMs.
And I ping from my home to my computer (I'm not giving you the IPs as I'm vulnerable or private)

Here is the result of the command:
root@prox1:~# systemctl status pve-firewall proxmox-firewall
○ pve-firewall.service
Loaded: masked (Reason: Unit pve-firewall.service is masked.)
Active: inactive (dead)

● proxmox-firewall.service - Proxmox nftables firewall
Loaded: loaded (/lib/systemd/system/proxmox-firewall.service; enabled; preset: ena>
Active: active (running) since Fri 2024-05-17 06:12:51 CEST; 4h 25min ago
Main PID: 2189 (proxmox-firewal)
Tasks: 1 (limit: 154403)
Memory: 3.7M
CPU: 16.643s
CGroup: /system.slice/proxmox-firewall.service
└─2189 /usr/libexec/proxmox/proxmox-firewall

May 17 06:35:01 prox1 proxmox-firewall[2189]: proxmox_firewall: error updating firewall>
lines 1-15

Thanks for your help
Arnaud
 
Seems like the pve-firewall service is masked, did you do anything regarding that? That shouldn't happen automatically in any case. Did you try to enable the new firewall?
 
So no, I don't see it at all, I saw it yesterday, I tried to stop the firewall and restart it but it told me it was hidden, I didn't even know it was possible.

I updated the packages this morning, and restarted the server, but still the same problem ;-(
 
Is it possible that you accidentally masked the pve-firewall process? Anyway, this should be fixable as soon as you can give me the output of the following command:

Code:
grep nftables /etc/pve/nodes/**/host.fw
 
I don't see how I could have done it, I haven't touched anything lately.

Nothing comes up when I type in your order.
Here's what's in the "host.fw"

[OPTIONS]

enable: 1
tcp_flags_log_level: alert
smurf_log_level: alert
log_level_out: alert
log_level_in: alert
 
You should be able to simply unmask pve-firewall and restart it, for good measure:

Code:
systemctl unmask pve-firewall && systemctl restart pve-firewall

Then check if it is running:

Code:
systemctl status pve-firewall
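
The diagnosis from this thread as a script, added here as an example and not taken from the posts or from Proxmox: it reports when the service that should be enforcing the rules is masked or stopped. It assumes the nftables backend is used only when host.fw contains `nftables: 1` (the line the grep above looks for); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Proxmox code.
# Assumption: proxmox-firewall (nftables) enforces rules only when host.fw
# contains "nftables: 1"; otherwise pve-firewall (iptables) has to be running.

# fw_backend HOST_FW -> prints the backend that host.fw selects
fw_backend() {
    if grep -Eq '^[[:space:]]*nftables:[[:space:]]*1[[:space:]]*$' "$1" 2>/dev/null; then
        echo nftables
    else
        echo iptables
    fi
}

# fw_diagnose PVE_ENABLED PVE_ACTIVE NFT_ACTIVE HOST_FW
#   PVE_ENABLED: `systemctl is-enabled pve-firewall`   (enabled, masked, ...)
#   PVE_ACTIVE:  `systemctl is-active pve-firewall`    (active, inactive, ...)
#   NFT_ACTIVE:  `systemctl is-active proxmox-firewall`
fw_diagnose() {
    backend=$(fw_backend "$4")
    if [ "$backend" = nftables ]; then
        if [ "$3" = active ]; then
            echo "RUNNING: nftables selected, proxmox-firewall is active"
        else
            echo "NOT ENFORCED: nftables selected, proxmox-firewall is $3"
        fi
    elif [ "$1" = masked ]; then
        echo "NOT ENFORCED: iptables selected, pve-firewall is masked"
    elif [ "$2" != active ]; then
        echo "NOT ENFORCED: iptables selected, pve-firewall is $2"
    else
        echo "RUNNING: iptables selected, pve-firewall is active"
    fi
}

# On a Proxmox node, check every host.fw against the live unit states.
if command -v systemctl >/dev/null 2>&1 && [ -d /etc/pve/nodes ]; then
    for f in /etc/pve/nodes/*/host.fw; do
        [ -f "$f" ] || continue
        printf '%s: ' "$f"
        fw_diagnose "$(systemctl is-enabled pve-firewall 2>/dev/null)" \
            "$(systemctl is-active pve-firewall 2>/dev/null)" \
            "$(systemctl is-active proxmox-firewall 2>/dev/null)" "$f"
    done
fi
```

A RUNNING result only means the matching service is up; the journal of that service still has to be checked for errors such as the "error updating firewall" line in the status output above.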