Theory Questions on Firewall

michaelf
Oct 13, 2023
Hello!

While learning Proxmox's firewall today I was puzzled by the following issues: I was planning to create two rules at the Datacenter level - 1) access to the web console and 2) ICMP access - and make sure that 1) I would be able to connect to the console and ping the server and 2) I would not be able to SSH to pve:

Q1.png

When testing SSH access I was first surprised to see it was working, and then realized that I should have been locked out entirely, as I had forgotten to enter the port number (8006) instead of the HTTPS macro in rule 1, so

Q1: Why is the Datacenter firewall not working in this case?


And one more question on firewall, please:

As soon as I noticed that I had created the wrong rule I turned the Datacenter firewall off and checked whether the server-level firewall was off as well:

Q2.png
Q2-1: Was it the enabling of the Datacenter firewall that also enabled the server-level firewall (I did NOT enable the server-level firewall - I have never even reached that tab yet)?

Q2-2: If Q2-1 = Yes, then is it normal that disabling the Datacenter firewall does not lead to disabling the server firewall?

Q2-3: Should the server-level firewall work if the Datacenter firewall is turned off?


Thank you in advance,
Michael
Q1: I think the partial answer to this question is here: https://pve.proxmox.com/wiki/Firewall

"If you enable the firewall, traffic to all hosts is blocked by default. Only exceptions is WebGUI(8006) and ssh(22) from your local network."

- partial, because it should not apply to ICMP!

While playing around with the VM/container-level firewalls I found one more problem: I noticed that enabling a rule did work as expected, while disabling the rule might not lead to the expected result until the container was restarted (stop/start) manually. Sometimes I saw the container restarting automatically as soon as I selected the checkbox in order to enable the rule.

Here's the example with manually enabling the rule (I don't know how many times I should repeat this procedure to watch the container's auto-restart again):

1) Rule 0 is disabled, ping does not work - ok:

01.png

2) I enable rule 0 - Proxmox did not restart the container and I did not restart it either - nevertheless, the rule works OK:

02.png

3) I disable rule 0 - this time Proxmox does not restart the container, and I did not restart it - the result: the state of the rule has not changed; it kept working as if the checkbox was still selected:

03.png

4) I manually restart the container: now the rule is really unchecked:

04.png


Regards,
Michael
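The following is an added example, not code from the post above or from Proxmox itself. It models how the datacenter firewall (cluster.fw) decides the fate of one inbound packet to a host, to make the Q1 observation concrete: user rules are matched top to bottom (first match wins, and a rule written with a leading `|`, which is what Proxmox stores for a rule that is unchecked in the GUI, is skipped), then the built-in exceptions quoted from the wiki apply (web GUI on TCP/8006 and SSH on TCP/22 from the local network), and only then the input policy, which is DROP once the firewall is enabled. Because the HTTPS macro expands to TCP/443 and not 8006, the mistaken rule 1 never matched the console traffic at all; both the console and SSH kept working because of the built-in exceptions, which sit after the user rules. The sample config, the packets and the `192.168.1.0/24` value used for the `local_network` alias (which a real host derives from its own management address) are constructed for the example; the real firewall supports far more options and macros than the few modelled here.

```python
"""Model of the Proxmox VE datacenter firewall's decision for one inbound
packet to a host (added example; not Proxmox code).  Covers: the cluster.fw
text format with '|' marking GUI-disabled rules, macro expansion (HTTPS is
TCP/443, not the 8006 console port), the built-in exceptions for 8006 and 22
from the local network, and the DROP input policy once enabled."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Macros the example understands; Proxmox ships many more.
MACROS = {
    "HTTPS": ("tcp", 443),   # NOT the Proxmox web console, which listens on 8006
    "SSH": ("tcp", 22),
    "Ping": ("icmp", None),
}

# Built-in host exceptions ("WebGUI(8006) and ssh(22) from your local network").
MANAGEMENT_PORTS = {("tcp", 8006), ("tcp", 22)}

# Assumption for the example: the subnet a real host would detect as local_network.
LOCAL_NETWORK = ipaddress.ip_network("192.168.1.0/24")

# Constructed cluster.fw resembling the post: HTTPS macro used by mistake instead
# of port 8006, a Ping rule, and a rule that is unchecked in the GUI (leading '|').
SAMPLE_CLUSTER_FW = """\
[OPTIONS]
enable: 1

[RULES]
IN HTTPS(ACCEPT) -source 192.168.1.0/24 # meant to be the web console
IN Ping(ACCEPT) -source 192.168.1.0/24
|IN SSH(DROP) -source 192.168.1.0/24 # disabled in the GUI, so ignored
"""


@dataclass
class Rule:
    direction: str                 # "IN" or "OUT"
    action: str                    # "ACCEPT", "DROP" or "REJECT"
    proto: Optional[str]
    dport: Optional[int]
    source: Optional[ipaddress.IPv4Network]
    enabled: bool


def parse_rule(line):
    """Parse one [RULES] line such as 'IN HTTPS(ACCEPT) -source 10.0.0.0/8'."""
    enabled = not line.startswith("|")
    tokens = line.lstrip("|").split()
    direction, spec, rest = tokens[0], tokens[1], tokens[2:]
    proto = dport = source = None
    macro = re.fullmatch(r"(\w+)\((\w+)\)", spec)        # macro form: NAME(ACTION)
    if macro:
        action = macro.group(2)
        proto, dport = MACROS[macro.group(1)]            # KeyError for unknown macros
    else:
        action = spec                                    # plain form: ACTION -p ... -dport ...
    opts = iter(rest)
    for opt in opts:
        value = next(opts)                               # every option modelled here takes a value
        if opt == "-p":
            proto = value
        elif opt == "-dport":
            dport = int(value)
        elif opt == "-source":
            source = ipaddress.ip_network(value, strict=False)
        # other options (-i, -log, -dest, ...) are not modelled and are skipped
    return Rule(direction, action, proto, dport, source, enabled)


def parse_fw(text):
    """Return (options, rules) from the [OPTIONS] and [RULES] sections."""
    options, rules, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop trailing comments
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).upper()
        elif section == "OPTIONS":
            key, _, value = line.partition(":")
            options[key.strip()] = value.strip()
        elif section == "RULES":
            rules.append(parse_rule(line))
    return options, rules


def evaluate(options, rules, src, proto, dport, local_network=LOCAL_NETWORK):
    """Fate of one inbound packet: user rules first (top to bottom, first match
    wins, disabled rules skipped), then the management exceptions, then the
    input policy.  With the datacenter firewall off nothing is filtered."""
    if options.get("enable", "0") != "1":
        return "ACCEPT"
    src_ip = ipaddress.ip_address(src)
    for r in rules:
        if not r.enabled or r.direction != "IN":
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.source is not None and src_ip not in r.source:
            continue
        return r.action
    if (proto, dport) in MANAGEMENT_PORTS and src_ip in local_network:
        return "ACCEPT"
    return options.get("policy_in", "DROP")


if __name__ == "__main__":
    opts, rules = parse_fw(SAMPLE_CLUSTER_FW)
    for src, proto, dport in [("192.168.1.10", "tcp", 8006), ("192.168.1.10", "tcp", 22),
                              ("192.168.1.10", "icmp", None), ("10.0.0.5", "tcp", 22),
                              ("10.0.0.5", "icmp", None)]:
        print(f"{src:>14} {proto}/{dport}: {evaluate(opts, rules, src, proto, dport)}")
```

Running the block shows console and SSH from 192.168.1.10 accepted even though no user rule names 8006 or 22, ping from the local network accepted by the Ping rule, and SSH from 10.0.0.5 dropped by the policy. On a real node the equivalent check is to look at what the firewall actually compiled rather than at the GUI: `pve-firewall status` reports whether it is enabled and running, and `pve-firewall compile` prints the generated ruleset, where the management exceptions and the user rules can be seen in the host input chain in the order modelled above.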
