[PVE-User] pve-firewall and pptp
Gilberto Nunes
gilberto.nunes32 at gmail.com
Fri Mar 3 03:02:58 CET 2017
Hi
This is from PVE documents
The Proxmox VE firewall groups the network into the following logical zones:
Host
    Traffic from/to a cluster node
VM
    Traffic from/to a specific VM
For each zone, you can define firewall rules for incoming and/or outgoing
traffic.
On Mar 2, 2017 18:15, "Pavel Kolchanov" <pavel.kolchanov at gmail.com>
wrote:
> Hello.
>
> I have enabled the GRE and PPtP macros in the firewall:
>
> cat /etc/pve/firewall/cluster.fw
> [OPTIONS]
>
> policy_in: REJECT
> enable: 1
>
> [RULES]
>
> GROUP vpn
> GROUP basic-node
>
> [group basic-node]
>
> IN Ping(ACCEPT)
> IN ACCEPT -p tcp -dport 8006 # Proxmox Web Interface
> IN ACCEPT -p tcp -dport 22444 # SSH
>
> [group vpn]
>
> OUT GRE(ACCEPT)
> IN GRE(ACCEPT)
> IN PPtP(ACCEPT)
>
> But I still cannot connect to pptpd until I execute the following commands:
>
> iptables -I INPUT -p gre -j ACCEPT
> iptables -I OUTPUT -p gre -j ACCEPT
>
> Without these commands, syslog says:
> Mar 2 23:44:56 proxmox pppd[7824]: pppd 2.4.6 started by root, uid 0
> Mar 2 23:44:56 proxmox pppd[7824]: using channel 16
> Mar 2 23:44:56 proxmox pppd[7824]: Using interface ppp0
> Mar 2 23:44:56 proxmox pppd[7824]: Connect: ppp0 <--> /dev/pts/1
> Mar 2 23:44:56 proxmox pppd[7824]: sent [LCP ConfReq id=0x1 <asyncmap
> 0x0> <auth chap MS-v2> <magic 0x5aac399d> <pcomp> <accomp>]
> Mar 2 23:44:56 proxmox pptpd[7810]: GRE: xmit failed from decaps_hdlc:
> Operation not permitted
> Mar 2 23:44:56 proxmox pptpd[7810]: CTRL: PTY read or GRE write failed
> (pty,gre)=(6,7)
> Mar 2 23:44:56 proxmox pptpd[7810]: CTRL: Reaping child PPP[7824]
> Mar 2 23:44:56 proxmox pppd[7824]: Modem hangup
> Mar 2 23:44:56 proxmox pppd[7824]: Connection terminated.
>
> Can PPTP be properly configured via pve-firewall?
> Or do those rules make sense only for VMs, not nodes/cluster?
>
> --
> Pavel Kolchanov <pavel.kolchanov at gmail.com>
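
Added example, not part of the original messages and not Proxmox code: a small Python parser that flattens the cluster.fw quoted above into the ordered host rule list it declares, so the declared GRE and PPtP rules can be compared with what `iptables-save` shows on the node. The function names are hypothetical, and it handles only the rule syntax seen in that file (plus rules disabled with a leading `|`).

```python
import re
# Constructed input: the cluster.fw quoted in the message above (blank lines dropped).
CLUSTER_FW = """\
[OPTIONS]
policy_in: REJECT
enable: 1
[RULES]
GROUP vpn
GROUP basic-node
[group basic-node]
IN Ping(ACCEPT)
IN ACCEPT -p tcp -dport 8006 # Proxmox Web Interface
IN ACCEPT -p tcp -dport 22444 # SSH
[group vpn]
OUT GRE(ACCEPT)
IN GRE(ACCEPT)
IN PPtP(ACCEPT)
"""

# "IN Macro(ACTION) opts" or "IN ACTION opts"
RULE = re.compile(r"^(IN|OUT)\s+(?:(\w+)\((\w+)\)|(\w+))\s*(.*)$")

def parse(text):
    """Map each section name ('options', 'rules', 'group vpn', ...) to its active lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = []
        elif line and not line.startswith("|") and current:   # skip blank and '|'-disabled
            sections[current].append(line)
    return sections

def host_rules(sections):
    """Expand GROUP references in [RULES], in file order, to (dir, macro, action, opts)."""
    flat = []
    for line in sections.get("rules", []):
        words = line.split()
        # Groups are defined after [RULES] in this file; an undefined name raises KeyError.
        body = sections["group " + words[1].lower()] if words[0] == "GROUP" else [line]
        for rule in body:
            m = RULE.match(rule)
            if not m:
                raise ValueError(f"unparsed rule: {rule}")
            flat.append((m[1], m[2], m[3] or m[4], m[5]))
    return flat

def directions(flat, macro):
    """Directions in which the named macro is declared with action ACCEPT."""
    return {d for d, mac, act, _ in flat if mac == macro and act == "ACCEPT"}
```

For the quoted file this reports GRE declared in both directions and PPtP inbound only, which is the declared state to check the node's generated iptables rules against.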