[URGENT] Firewall locked out

markus3

New Member
Mar 27, 2017
Hey,

I did a very, very stupid thing. I wanted to configure the firewall in Proxmox and forgot to keep the Proxmox and SSH ports open, so everything is closed now. I can't connect to the server with SSH, nor can I access the Proxmox Web GUI.

I already searched and tried these things:
1) https://forum.proxmox.com/threads/locked-out-with-firewall-ve-3-3.20517/
2) dominicpratt.de/proxmox-firewall-deaktivieren/

But this didn't help. I don't think that I have done it wrong.

I booted into recovery mode, mounted the files, changed them and rebooted, but it didn't work. Afterwards, I rebooted into recovery mode again and mounted again to check if the files were edited, and yes, they were.

My Proxmox version: 4
My Hoster: OVH (Dedicated Server)

This problem is very urgent because all vservers are offline. Hope somebody can help me!

Thanks in advance!
 

wolfgang

Proxmox Staff Member
Oct 1, 2014
Hi,

go to the iKVM login.
Then edit /etc/pve/firewall/cluster.fw

and now set enable: 0

that is all
 

markus3

Hi,

go to the iKVM login.
Then edit /etc/pve/firewall/cluster.fw

and now set enable: 0

that is all
Thanks for helping, but this doesn't work because there isn't a firewall folder or cluster.fw file in there. I booted into rescue mode and mounted the folder, but I can't find these files (already searched the whole folder for cluster.fw). But I have the rc.local or pve-firewall, for example.

Thanks a lot. Hope somebody can help me out...
 

wolfgang

Yes, because when you boot in rescue mode, pmxcfs is not mounted and /etc/pve is empty.

If you have no iKVM you can also remove the symlink and disable the pve-firewall.service

/etc/systemd/system/multi-user.target.wants/pve-firewall.service
 

markus3

Yes, because when you boot in rescue mode, pmxcfs is not mounted and /etc/pve is empty.

If you have no iKVM you can also remove the symlink and disable the pve-firewall.service

/etc/systemd/system/multi-user.target.wants/pve-firewall.service
I changed the paths to the firewall in pve-firewall.service but it didn't work.

Hope I can fix this... Thanks!
 

wolfgang

I do not understand why you are using the recovery image from OVH instead of logging in normally?
The firewall will not prevent you from logging in to the console (iKVM).
 

markus3

I do not understand why you are using the recovery image from OVH instead of logging in normally?
The firewall will not prevent you from logging in to the console (iKVM).
I have problems with that. Also, I never used it.

I can't write anything with the browser SOL method (tried on 2 browsers) and the Java applet method throws an error all the time (I tried to restart).

 

dinis

New Member
Mar 4, 2018
Hi. Looks like this is my turn.
I am in the same situation - but in /etc/systemd/system/multi-user.target.wants, I am not finding the pve-firewall.service.
I find:
cron.service
ipmievd.service
lm-sensors.service
remote-fs.target
rsync.service
rsyslog.service
smartd.service
sshd.service
sudo.service
systemd-networkd.service
systemd-resolved.service

Any other means of stopping the firewall from loading?
 

wolfgang

You can mask the service, which prevents it from starting.

Code:
ln -s /dev/null /etc/systemd/system/pve-firewall.service
 

wolfgang

The easiest way is if you can access the host over iKVM or directly.
If so, you only have to log in and execute

Code:
pve-firewall stop
If you have no iKVM and also cannot log in, then you may have a recovery boot from your provider to access the host.
 

fabian

Proxmox Staff Member
Jan 7, 2016
You can mask the service, which prevents it from starting.

Code:
ln -s /dev/null /etc/systemd/system/pve-firewall.service
but remember to remove the mask after fixing your issue, otherwise future package upgrades of pve-firewall will fail and you'll break your installation.
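
The rescue-mode route discussed in this thread (mask pve-firewall from the mounted root, then remove the mask once the rules are fixed), as an added shell example that is not part of any post. The mount point /mnt and the function names are assumptions.

```shell
#!/bin/sh
# Added example. ROOT = the installed system's root filesystem as mounted
# from the provider's rescue environment (assumed here: /mnt).
UNIT=pve-firewall.service

# Location of the mask link inside the mounted root.
mask_path() { printf '%s/etc/systemd/system/%s\n' "$1" "$UNIT"; }

# cluster.fw is only visible while pmxcfs is mounted on /etc/pve, which is
# not the case in rescue mode; then masking the unit is the fallback.
cluster_fw_visible() { [ -f "$1/etc/pve/firewall/cluster.fw" ]; }

# Prints: masked | override (something else sits at the path) | unmasked
mask_state() {
    p=$(mask_path "$1")
    if [ -L "$p" ] && [ "$(readlink "$p")" = /dev/null ]; then echo masked
    elif [ -e "$p" ] || [ -L "$p" ]; then echo override
    else echo unmasked
    fi
}

# Mask the unit; never overwrite an existing unit file or foreign link.
mask_firewall() {
    [ -d "$1/etc/systemd/system" ] || { echo "no systemd dir under $1" >&2; return 2; }
    case $(mask_state "$1") in
        masked)   return 0 ;;
        override) echo "refusing to replace $(mask_path "$1")" >&2; return 1 ;;
    esac
    ln -s /dev/null "$(mask_path "$1")"
}

# Remove the mask again, but only if it really is the /dev/null link.
# Leaving it in place breaks later pve-firewall package upgrades.
unmask_firewall() {
    case $(mask_state "$1") in
        masked)   rm -- "$(mask_path "$1")" ;;
        unmasked) return 0 ;;
        override) echo "not a mask, left in place" >&2; return 1 ;;
    esac
}

# Typical use from the rescue system:
#   cluster_fw_visible /mnt || mask_firewall /mnt    # then reboot
#   ...fix the rules, then on the running host: unmask_firewall ""
```

On the running host, passing an empty ROOT makes the paths resolve against `/`; run `mask_state ""` afterwards to confirm the mask is gone before the next package upgrade.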
 
