[PVE-User] pve-firewall and pptp

Gilberto Nunes gilberto.nunes32 at gmail.com
Fri Mar 3 03:02:58 CET 2017


Hi,
This is from the PVE documentation:

The Proxmox VE firewall groups the network into the following logical zones:

Host
    Traffic from/to a cluster node

VM
    Traffic from/to a specific VM

For each zone, you can define firewall rules for incoming and/or outgoing
traffic.

On 2 Mar 2017 18:15, "Pavel Kolchanov" <pavel.kolchanov at gmail.com>
wrote:

> Hello.
>
> I have enabled GRE and PPtP macro in firewall:
>
> cat /etc/pve/firewall/cluster.fw
> [OPTIONS]
>
> policy_in: REJECT
> enable: 1
>
> [RULES]
>
> GROUP vpn
> GROUP basic-node
>
> [group basic-node]
>
> IN Ping(ACCEPT)
> IN ACCEPT -p tcp -dport 8006 # Proxmox Web Interface
> IN ACCEPT -p tcp -dport 22444 # SSH
>
> [group vpn]
>
> OUT GRE(ACCEPT)
> IN GRE(ACCEPT)
> IN PPtP(ACCEPT)
>
> But I still cannot connect to pptpd until I execute the following commands:
>
> iptables -I INPUT -p gre -j ACCEPT
> iptables -I OUTPUT -p gre -j ACCEPT
>
> Without these commands, syslog says:
> Mar  2 23:44:56 proxmox pppd[7824]: pppd 2.4.6 started by root, uid 0
> Mar  2 23:44:56 proxmox pppd[7824]: using channel 16
> Mar  2 23:44:56 proxmox pppd[7824]: Using interface ppp0
> Mar  2 23:44:56 proxmox pppd[7824]: Connect: ppp0 <--> /dev/pts/1
> Mar  2 23:44:56 proxmox pppd[7824]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5aac399d> <pcomp> <accomp>]
> Mar  2 23:44:56 proxmox pptpd[7810]: GRE: xmit failed from decaps_hdlc: Operation not permitted
> Mar  2 23:44:56 proxmox pptpd[7810]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
> Mar  2 23:44:56 proxmox pptpd[7810]: CTRL: Reaping child PPP[7824]
> Mar  2 23:44:56 proxmox pppd[7824]: Modem hangup
> Mar  2 23:44:56 proxmox pppd[7824]: Connection terminated.
>
> Can PPTP be properly configured via pve-firewall?
> Or do those rules make sense only for VMs, not nodes/cluster?
>
> --
> Pavel Kolchanov <pavel.kolchanov at gmail.com>
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
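
Added example, not part of the thread: a small triage pass over the pptpd lines from the quoted syslog that flags GRE transmit failures and marks the ones reporting "Operation not permitted" (EPERM). Treating EPERM as a sign that the node's own packet filter refused the outgoing GRE packet is an assumption of this example, consistent with the OUTPUT rule the poster had to add; the names `triage`, `SAMPLE` and `local_block_suspected` are hypothetical.

```python
import re

# Constructed sample: pptpd/pppd lines from the quoted syslog, unwrapped.
SAMPLE = """\
Mar  2 23:44:56 proxmox pppd[7824]: Connect: ppp0 <--> /dev/pts/1
Mar  2 23:44:56 proxmox pptpd[7810]: GRE: xmit failed from decaps_hdlc: Operation not permitted
Mar  2 23:44:56 proxmox pptpd[7810]: CTRL: PTY read or GRE write failed (pty,gre)=(6,7)
Mar  2 23:44:56 proxmox pptpd[7810]: CTRL: Reaping child PPP[7824]
Mar  2 23:44:56 proxmox pppd[7824]: Modem hangup
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
GRE_FAIL = re.compile(r"^GRE: xmit failed from \S+: (?P<err>.+)$")
REAP = re.compile(r"^CTRL: Reaping child PPP\[(?P<child>\d+)\]$")


def triage(text):
    """Return one finding per pptpd process whose GRE transmit failed."""
    sessions = {}  # pptpd pid -> first timestamp, errors, reaped pppd pids
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m["prog"] != "pptpd":
            continue
        s = sessions.setdefault(
            m["pid"], {"first": m["ts"], "errors": [], "children": []})
        if (g := GRE_FAIL.match(m["msg"])):
            s["errors"].append(g["err"])
        elif (r := REAP.match(m["msg"])):
            s["children"].append(r["child"])
    findings = []
    for pid, s in sessions.items():
        if not s["errors"]:
            continue
        # Assumption: EPERM on the GRE write means the local host refused the
        # send, so check the node's own OUTPUT rules before blaming the peer.
        local = "Operation not permitted" in s["errors"]
        findings.append({"pptpd_pid": pid, "since": s["first"],
                         "pppd_reaped": s["children"], "errors": s["errors"],
                         "local_block_suspected": local})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding with `local_block_suspected` set is a prompt to inspect the node's loaded ruleset for protocol 47 in both directions, for example with `iptables-save`.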

