[URGENT] Firewall locked out

markus3

Mar 27, 2017

Hey,

I did a very, very stupid thing. I wanted to configure the firewall in Proxmox and forgot to keep the Proxmox and SSH ports open, so everything is closed now. I can't connect to the server with SSH, nor can I access the Proxmox Web GUI.

I already searched and tried these things:
1) https://forum.proxmox.com/threads/locked-out-with-firewall-ve-3-3.20517/
2) dominicpratt.de/proxmox-firewall-deaktivieren/

But this didn't help. I don't think that I have done it wrong.

I booted into recovery mode, mounted the files, changed them and rebooted, but it didn't work. Afterwards, I rebooted again into recovery mode and mounted again to check if the files were edited, and yes, they were.

My Proxmox version: 4
My Hoster: OVH (Dedicated Server)

This problem is very urgent because all vservers are offline. Hope somebody can help me!

Thanks in advance!
 
Hi,

go to the iKVM login.
Then edit /etc/pve/firewall/cluster.fw

and now set enable: 0

that is all
 
Thanks for helping, but this doesn't work because there isn't a firewall folder or cluster.fw file in there. I booted into rescue mode and mounted the folder, but can't find these files (already searched the whole folder for cluster.fw). But I have the rc.local or pve-firewall, for example.

Thanks a lot. Hope somebody can help me out...
 
Yes, because when you boot in rescue mode, pmxcfs is not mounted and /etc/pve is empty.

If you have no iKVM you can also remove the symlink and disable the pve-firewall.service

/etc/systemd/system/multi-user.target.wants/pve-firewall.service
 
I changed the paths to the firewall in pve-firewall.service but it didn't work.

Hope I can fix this... Thanks!
 
I do not understand why you are using the recovery image from OVH instead of logging in normally?
The firewall will not prevent you from logging in on the console (iKVM).
 

I have problems with that. Also, I never used it.

I can't write anything in the browser SOL method (tried on 2 browsers) and the Java applet method throws an error all the time (I tried to restart).

 
Hi..Looks like this is my turn.
I am in the same situation - but in /etc/systemd/system/multi-user.target.wants, I am not finding the pve-firewall.service.
I find:
cron.service
ipmievd.service
lm-sensors.service
remote-fs.target
rsync.service
rsyslog.service
smartd.service
sshd.service
sudo.service
systemd-networkd.service
systemd-resolved.service

Any other means of stopping the firewall from loading?
 
You can mask the service, which prevents it from starting.

Code:
ln -s /dev/null /etc/systemd/system/pve-firewall.service
 
The easiest way is if you can access the host over iKVM or directly.
If so, you only have to log in and execute

Code:
pve-firewall stop

If you have no iKVM and also cannot log in, then you may have a recovery boot from your provider to access the host.
 
You can mask the service, which prevents it from starting.

Code:
ln -s /dev/null /etc/systemd/system/pve-firewall.service

but remember to remove the mask after fixing your issue, otherwise future package upgrades of pve-firewall will fail and you'll break your installation.
 
Hello everyone, I hope everyone managed to fix this problem. I also made the mistake of activating the datacenter firewall and lost access in all remote ways (web, ssh...). So the recommendations above helped me understand where to go, but didn't completely fix the problem.
Finally I did it and wanted to share my solution with you:
- Entered my dedicated server in recovery mode with an OVH kernel (OVH is my provider) using the netboot option
- Logged in as root by ssh with provided credentials (not my usual root account)
- Mounted the fs where proxmox runs (in my case, it was a raid1 /dev/md1 20Gb). I had to create a directory to mount it (not directly into /mnt/, that won't work, /mnt/md1 worked fine).
- I've edited the service script at /mnt/md1/lib/systemd/system# vi pve-firewall.service
- Then I've changed the commands as follows:
Original:
[Service]
ExecStart=/usr/sbin/pve-firewall start
ExecStop=/usr/sbin/pve-firewall stop
ExecReload=/usr/sbin/pve-firewall restart

Changed:
[Service]
ExecStart=/usr/sbin/pve-firewall stop
ExecStop=/usr/sbin/pve-firewall stop
ExecReload=/usr/sbin/pve-firewall stop

- Saved the file and unmounted the /dev/md1 device
- Then I've restarted the server, making it boot from disk
So the firewall service wasn't able to start and I was able to enter the web interface and deactivate the datacenter firewall...
Hope you find it useful.
Oh! Then I've changed back the service script to its original state!
Best regards,
Esteban
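
The mask command quoted earlier in the thread acts on whatever system it is typed into, so from a rescue boot it has to be pointed at the mounted root instead. The sketch below is an added example, not code from any poster or from Proxmox: the function names are hypothetical, and it assumes the host's root filesystem is mounted at a path such as the /mnt/md1 used above.

```shell
#!/bin/sh
# Added example: mask / unmask pve-firewall inside a root filesystem
# mounted from a rescue system. Function names are hypothetical.
UNIT=pve-firewall.service

# Path of the mask symlink inside the mounted root ($1, e.g. /mnt/md1).
mask_path() {
    printf '%s/etc/systemd/system/%s\n' "${1%/}" "$UNIT"
}

# Succeeds only if the unit is masked (a symlink pointing at /dev/null).
is_masked() {
    p=$(mask_path "$1")
    [ -L "$p" ] && [ "$(readlink "$p")" = "/dev/null" ]
}

# Create the mask; idempotent, and never overwrites an existing override.
mask_unit() {
    root=${1%/}
    p=$(mask_path "$root")
    [ -d "$root/etc/systemd/system" ] || {
        echo "no systemd directory under $root (is it mounted?)" >&2; return 2; }
    is_masked "$root" && return 0
    if [ -e "$p" ] || [ -L "$p" ]; then
        echo "refusing to overwrite existing $p" >&2; return 3
    fi
    ln -s /dev/null "$p"
}

# Remove the mask, but only if the file really is a /dev/null mask.
unmask_unit() {
    p=$(mask_path "$1")
    if is_masked "$1"; then rm -- "$p"; return 0; fi
    if [ -e "$p" ] || [ -L "$p" ]; then
        echo "$p is not a mask; left in place" >&2; return 3
    fi
    return 0
}

# Usage: sh this-script.sh mask|unmask /mnt/md1
case "${1:-}" in
    mask)   mask_unit "${2:?path of mounted root}" ;;
    unmask) unmask_unit "${2:?path of mounted root}" ;;
esac
```

Once access is restored and the firewall rules are corrected, run the unmask step before the next package upgrade, as the reply above warns.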
 
