[PVE-User] about pve-firewall pending changes

Alexandre DERUMIER aderumier at odiso.com
Sat Aug 2 16:10:35 CEST 2014


OK, I'll test that Monday.

Can you also do

#pve-firewall compile

and send me the result?

----- Original Message -----

From: "lyt_yudi" <lyt_yudi at icloud.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: "proxmoxve (pve-user at pve.proxmox.com)" <pve-user at pve.proxmox.com>
Sent: Friday, 1 August 2014 17:20:13
Subject: Re: about pve-firewall pending changes




On 1 Aug 2014, at 7:42 PM, Alexandre DERUMIER <aderumier at odiso.com> wrote:


That means that Proxmox tries to apply the rules, but it doesn't work.

(Maybe it's a bug in the rules generated by Proxmox.)

Any logs in /var/log/daemon.log?

Can you provide your VM, cluster and host firewall configs?



Yes, the daemon.log is linked here:
http://mirrors.myccdn.info/images/daemon.log


It's a cluster of host1 and host2.

host1 -

#cat host.fw

[OPTIONS]
log_level_in: nolog
nf_conntrack_max: 663500
nf_conntrack_tcp_timeout_established: 7875
tcpflags: 1

[RULES]
IN ACCEPT -source +managenet

host2 -

#cat host.fw

[OPTIONS]
enable: 1
nf_conntrack_max: 663500
nf_conntrack_tcp_timeout_established: 7875
log_level_out: nolog
tcpflags: 1
log_level_in: nolog
tcp_flags_log_level: nolog
smurf_log_level: nolog

[RULES]
IN ACCEPT -source +managenet

100.fw, 103.fw on host1

# cat 100.fw
[OPTIONS]
enable: 1

[RULES]
IN ACCEPT -source +managenet

# cat 103.fw
[OPTIONS]
enable: 1
log_level_in: nolog

[RULES]
GROUP webserver
IN ACCEPT -source +managenet

102.fw on host2

# cat 102.fw
[OPTIONS]
log_level_in: nolog
enable: 1
policy_in: DROP
log_level_out: nolog

[RULES]
GROUP webserver
IN ACCEPT -source +managenet

# cat cluster.fw
[OPTIONS]
enable: 1

[IPSET managenet]
10.0.0.0/8
172.16.0.0/16
192.168.0.0/16
x.x.x.x
#many ip for management use#
n.n.n.n

[RULES]
IN ACCEPT -source +managenet

[group webserver]
IN HTTP(ACCEPT)
IN HTTPS(ACCEPT)


# pveversion -v 
proxmox-ve-2.6.32: 3.2-132 (running kernel: 2.6.32-31-pve) 
pve-manager: 3.2-18 (running version: 3.2-18/e157399a) 
pve-kernel-2.6.32-31-pve: 2.6.32-132 
lvm2: 2.02.98-pve4 
clvm: 2.02.98-pve4 
corosync-pve: 1.4.7-1 
openais-pve: 1.1.4-3 
libqb0: 0.11.1-2 
redhat-cluster-pve: 3.2.0-2 
resource-agents-pve: 3.9.2-4 
fence-agents-pve: 4.0.10-1 
pve-cluster: 3.0-14 
qemu-server: 3.1-28 
pve-firmware: 1.1-3 
libpve-common-perl: 3.0-19 
libpve-access-control: 3.0-15 
libpve-storage-perl: 3.0-21 
pve-libspice-server1: 0.12.4-3 
vncterm: 1.1-7 
vzctl: 4.0-1pve6 
vzprocps: 2.0.11-2 
vzquota: 3.1-2 
pve-qemu-kvm: 2.1-1 
ksm-control-daemon: 1.1-1 
glusterfs-client: 3.4.2-1 
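
The .fw files quoted above all use the same sectioned format, and a quick consistency check of the references between them (the +managenet ipset and the webserver group are defined only in cluster.fw) is a cheap first step before suspecting the rules pve-firewall generates. The following is an added example, not Proxmox's own code: it parses the [RULES], [IPSET name] and [group name] sections and reports any rule that references an ipset (+name) or GROUP that is defined nowhere. It assumes section names are case-insensitive and that '#' starts a comment; the sample files are constructed from the thread, with the redacted management IPs left out.

```python
# Added example (not Proxmox code): parse the pve-firewall .fw format quoted in
# this thread and flag rules that use an ipset (+name) or GROUP defined nowhere.
# Sample files are constructed from the thread (redacted management IPs omitted).
import re

SECTION = re.compile(r"^\[(\w+)(?:\s+(\S+))?\]$")

def parse_fw(text):
    """Collect [RULES], [IPSET name] and [group name] lines; other sections are skipped."""
    cfg = {"rules": [], "ipsets": {}, "groups": {}}
    target = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        m = SECTION.match(line)
        if m:  # assumption: section names are case-insensitive ([group x] == [GROUP x])
            kind, name = m.group(1).lower(), (m.group(2) or "").lower()
            if kind in ("ipset", "group"):
                target = cfg[kind + "s"].setdefault(name, [])
            else:
                target = cfg.get(kind)  # [RULES] -> list, [OPTIONS] etc. -> None
        elif line and target is not None:
            target.append(line)
    return cfg

def check_refs(cluster, guests):
    """Findings for cluster cfg plus {filename: parsed host/VM cfg}; [] means consistent."""
    findings = []
    for fname, cfg in {"cluster.fw": cluster, **guests}.items():
        ipsets = set(cluster["ipsets"]) | set(cfg["ipsets"])  # guest-local sets count too
        for rule in cfg["rules"] + sum(cfg["groups"].values(), []):
            words = rule.split()
            if words[0].upper() == "GROUP" and words[1].lower() not in cluster["groups"]:
                findings.append(f"{fname}: {rule!r}: undefined group {words[1]}")
            for w in words:
                if w.startswith("+") and w[1:].lower() not in ipsets:
                    findings.append(f"{fname}: {rule!r}: undefined ipset {w[1:]}")
    return findings

CLUSTER_FW = """[IPSET managenet]
10.0.0.0/8
172.16.0.0/16
192.168.0.0/16
#many ip for management use#
[RULES]
IN ACCEPT -source +managenet
[group webserver]
IN HTTP(ACCEPT)
IN HTTPS(ACCEPT)
"""
VM102_FW = "[OPTIONS]\nenable: 1\npolicy_in: DROP\n[RULES]\nGROUP webserver\nIN ACCEPT -source +managenet\n"
```

Running check_refs(parse_fw(CLUSTER_FW), {"102.fw": parse_fw(VM102_FW)}) returns an empty list for the configs in this thread, so the references themselves are consistent and the next thing to look at is the compiled output.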


