Theory Questions on Firewall

michaelf

Member
Oct 13, 2023
michaelfirsov.wordpress.com
Hello!

While learning the Proxmox firewall today I was puzzled by the following issues: I was planning to create two rules on the Datacenter level - 1) access to the web console and 2) ICMP access - and make sure that 1) I would be able to connect to the console and ping the server and 2) I would not be able to ssh to pve:

Q1.png

When testing ssh access I was first surprised to see it was working, and then realized that I should have been locked out entirely, as I had forgotten to enter the port number (8006) and had used the HTTPS macro in rule 1 instead, so

Q1: Why is the Datacenter firewall not working in this case?


And one more question on firewall, please:

As soon as I noticed that I had created the wrong rule I turned the Datacenter firewall off and checked whether the server-level firewall was off as well:

Q2.png
Q2-1: Was it the enabling of the Datacenter firewall that also enabled the server-level firewall? (I did NOT enable the server-level firewall - I have never even reached that tab yet.)

Q2-2: If Q2-1 = Yes, then is it normal that disabling the Datacenter firewall does not lead to disabling the server firewall?

Q2-3: Should the server-level firewall work if the Datacenter firewall is turned off?


Thank you in advance,
Michael
Q1: I think the partial answer to this question is here: https://pve.proxmox.com/wiki/Firewall

"If you enable the firewall, traffic to all hosts is blocked by default. Only exceptions is WebGUI(8006) and ssh(22) from your local network."

- partial because it should not apply to ICMP!

While playing around with the VM/container-level firewalls I found one more problem: I noticed that enabling a rule worked as expected, while disabling the rule might not lead to the expected result until the container was restarted (stop/start) manually. Sometimes I saw the container restarting automatically as soon as I selected the checkbox to enable the rule.

Here's the example of manually enabling the rule (I don't know how many times I should repeat this procedure to see the container's auto-restart again):

1) Rule 0 is disabled, ping does not work - ok:

01.png

2) I enable rule 0 - Proxmox did not restart the container and I did not restart it either - nevertheless, the rule works ok:

02.png

3) I disable rule 0 - this time Proxmox does not restart the container, and I did not restart it - the result: the state of the rule has not changed: it kept working as if the checkbox were still selected:

03.png

4) I manually restart the container: now the rule is really unchecked:

04.png


Regards,
Michael
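The questions above come down to two things that can be checked directly in the firewall config files rather than through the GUI: whether the Datacenter (cluster) and host `enable` options are set, and which rules actually accept the traffic in question (the HTTPS macro expands to tcp/443, not the GUI port 8006, and a rule the GUI unchecks is written with a leading `|`). The following is an added example, not code from the forum post or from the Proxmox project: a small parser for the `cluster.fw` / `host.fw` syntax with constructed sample configs embedded inline. It assumes the defaults stated in comments (datacenter `enable` defaults to 0, host `enable` defaults to 1, the host firewall is only active once the datacenter firewall is on) and the two macro expansions listed; it does not model the built-in local-network exception for ports 22 and 8006 that the wiki quote describes, so a "not accepted" result here means "no explicit rule accepts it", not "the packet will be dropped".

```python
"""Parse Proxmox VE firewall config text (cluster.fw / host.fw syntax) and
report the effective firewall state.  Added example; sample configs are
constructed, defaults and macro table are assumptions noted in comments."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed macro expansions (only the two relevant to the post are modelled).
MACROS = {"HTTPS": ("tcp", "443"), "SSH": ("tcp", "22")}

@dataclass
class Rule:
    direction: str            # IN / OUT
    action: str               # ACCEPT / DROP / REJECT
    enabled: bool             # False when the line is prefixed with '|'
    macro: Optional[str] = None
    opts: dict = field(default_factory=dict)   # -p, -dport, -source, ...

    def matches(self, proto: str, dport: Optional[str]) -> bool:
        """True if this rule applies to the given protocol/destination port."""
        if self.macro:
            mproto, mport = MACROS.get(self.macro, (None, None))
            return proto == mproto and dport == mport
        if self.opts.get("p") != proto:
            return False
        want = self.opts.get("dport")
        return want is None or want == dport

@dataclass
class FwConfig:
    options: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)

RULE_RE = re.compile(r"^(\|)?\s*(IN|OUT)\s+(\S+)(.*)$")

def parse_fw(text: str) -> FwConfig:
    """Parse the [OPTIONS] and [RULES] sections; other sections are skipped."""
    cfg, section = FwConfig(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").split()[0].upper()
            continue
        if section == "OPTIONS":
            key, _, val = line.partition(":")
            cfg.options[key.strip()] = val.strip()
        elif section == "RULES":
            m = RULE_RE.match(line)
            if not m:
                continue
            disabled, direction, action_tok, rest = m.groups()
            mm = re.match(r"^(\w+)\((\w+)\)$", action_tok)   # MACRO(ACTION)
            macro, action = (mm.groups() if mm else (None, action_tok))
            toks = rest.split()
            opts = {toks[i].lstrip("-"): toks[i + 1]
                    for i in range(0, len(toks) - 1, 2) if toks[i].startswith("-")}
            cfg.rules.append(Rule(direction, action, disabled is None, macro, opts))
    return cfg

def effective_state(cluster: FwConfig, host: FwConfig) -> dict:
    """Datacenter 'enable' is the master switch; the host 'enable' only takes
    effect once the datacenter firewall is on.  Assumed defaults: 0 and 1."""
    dc_on = cluster.options.get("enable", "0") != "0"
    host_on = host.options.get("enable", "1") != "0"
    return {"datacenter_enabled": dc_on, "host_enabled": host_on,
            "host_active": dc_on and host_on}

def accepted(cfg: FwConfig, proto: str, dport: Optional[str], direction="IN") -> bool:
    """First matching enabled rule decides; no match means no explicit accept."""
    for r in cfg.rules:
        if r.enabled and r.direction == direction and r.matches(proto, dport):
            return r.action == "ACCEPT"
    return False

# Constructed sample: the post's first attempt (HTTPS macro instead of 8006).
CLUSTER_FW = """\
[OPTIONS]
enable: 1

[RULES]
IN HTTPS(ACCEPT) -log nolog
IN ACCEPT -p icmp -log nolog
"""
# Constructed sample: port 8006 stated explicitly, ICMP rule unchecked ('|').
CLUSTER_FW_FIXED = """\
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -p tcp -dport 8006 -log nolog
|IN ACCEPT -p icmp -log nolog
"""
HOST_FW = "[OPTIONS]\nenable: 1\n"     # constructed host.fw

def report(cluster_text: str, host_text: str) -> dict:
    c, h = parse_fw(cluster_text), parse_fw(host_text)
    s = effective_state(c, h)
    s["gui_8006_accepted"] = accepted(c, "tcp", "8006")
    s["icmp_accepted"] = accepted(c, "icmp", None)
    return s

if __name__ == "__main__":
    print(report(CLUSTER_FW, HOST_FW))
    print(report(CLUSTER_FW_FIXED, HOST_FW))
```

Running it against the first sample shows the datacenter and host firewalls both enabled but no rule accepting tcp/8006 (the HTTPS macro only covers 443), which is the misconfiguration the post describes; the second sample shows 8006 accepted and the ICMP rule ignored because its line is prefixed with `|`. Feeding the real `/etc/pve/firewall/cluster.fw` and `/etc/pve/nodes/<node>/host.fw` to `report()` gives the same view of the enable flags that the two GUI tabs show.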