LinuxQuestions.org
#1  LXCnut, LQ Newbie, 05-27-2020, 05:17 AM
Unable to apt-get when UFW is running on pve proxmox node


Hello,

When I have the ufw for the pve node active, the container is unable to apt-get update or apt-get install anything. When I disable the ufw for the pve node, apt-get works fine.

I want the ufw to be up and running to boost security. I have also tried to enable various ports in the pve node ufw, but it doesn't seem to do any good.
 
#2  jefro, Moderator, 05-27-2020, 03:00 PM
Then you need to look up what ports/protocols apt (apt-get) uses and temporarily open them. https://superuser.com/questions/1207...to-get-updates

I guess your firewall could be a layer 7+ but that is a different deal.
 
#3  LXCnut (OP), LQ Newbie, 05-28-2020, 05:21 AM
Quote: Originally Posted by jefro (post #2)
I have tried opening port 53, but the issue is still there.
 
#4  vincix, Senior Member, 05-28-2020, 07:03 AM
If you're not going to show us anything concrete, there's no way anyone can help you. If you say you've opened port 53, then the answer is: then it should work, and that's that.

Show us the current rules and the actual commands you've run, one after another, to actually understand what's going on.

Last edited by vincix; 05-28-2020 at 08:09 AM.
 
#5  LXCnut (OP), LQ Newbie, 05-28-2020, 08:51 AM
Quote: Originally Posted by vincix (post #4)
Code:
sudo ufw enable          # enable the firewall, on both the pve_node and the container
sudo ufw allow 53/tcp    # open port 53 on both the pve_node and the container;
                         # other ports open: http, https, ntp, ftp, 8006, 53
sudo ufw status          # "Status: active": with the pve_node ufw active I cannot update
                         # or install anything via apt-get in the LXC container (container ID 100)
sudo ufw status          # "Status: inactive": with the pve_node ufw disabled, apt-get update
                         # and apt-get install both work in the container

Is that a bit clearer?
 
#6  vincix, Senior Member, 05-28-2020, 08:54 AM
Yes, this is a bit clearer, now that you're unjustifiably annoyed. Now we see that you're trying to connect to DNS through TCP instead of UDP. DNS works mainly with UDP (and in special cases only with TCP).
But I guess I could see that only after you've pasted your commands, couldn't I?
 
#7  LXCnut (OP), LQ Newbie, 05-29-2020, 02:39 AM
Quote: Originally Posted by vincix (post #6)
Code:
sudo ufw allow 53/udp    # still does not work: apt-get update and apt-get install still fail with this port allowed
 
#8  vincix, Senior Member, 05-29-2020, 03:09 AM
Ok, so that means there are probably more things to fix.
What do the following commands show?
Code:
iptables -vnL --line-numbers
iptables -t nat -vnL --line-numbers
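The thread never got as far as posting the `iptables -vnL --line-numbers` output vincix asked for, so here is what to look for in it. This is an added example, not code from the thread or from any poster: a Python parser for that listing that reports which chain policies and rules actually dropped packets, and which ACCEPT rules never matched anything. The SAMPLE text is constructed to resemble a Debian host running ufw: `ufw allow 53/udp` and `ufw allow 53/tcp` only add rules to the INPUT path (the ufw-user-input chain), while traffic the host forwards for a container is judged by FORWARD, whose ufw default policy is DROP (DEFAULT_FORWARD_POLICY in /etc/default/ufw). Whether a container's traffic actually passes through FORWARD is itself an assumption here: it does when the container is routed or NATed through the host, or bridged with br_netfilter loaded.

```python
"""Parse `iptables -vnL --line-numbers` and report where packets are being dropped.

Added example (not code from the thread). SAMPLE is constructed: a ufw host whose
FORWARD policy is dropping a container's traffic while the INPUT allow rules
for port 53 sit unused.
"""
import re
import sys
from dataclasses import dataclass, field

# Built-in chains: "Chain FORWARD (policy DROP 143 packets, 10516 bytes)"
# User chains:     "Chain ufw-user-input (1 references)"
CHAIN_HEADER = re.compile(
    r"^Chain (\S+) \((?:policy (\w+) (\d+) packets, \d+ bytes|\d+ references)\)")
# num pkts bytes target prot opt in out source destination [match details]
RULE_LINE = re.compile(
    r"^\s*(\d+)\s+(\d+[KMG]?)\s+\d+[KMG]?\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*(.*)$")
MULTIPLIER = {"K": 1000, "M": 1000_000, "G": 1000_000_000}


def counter(token):
    """iptables -v abbreviates large counters as 612K, 3M, 1G."""
    return int(token[:-1]) * MULTIPLIER[token[-1]] if token[-1] in MULTIPLIER else int(token)


@dataclass
class Rule:
    num: int
    pkts: int
    target: str
    proto: str
    in_if: str
    out_if: str
    extra: str          # match details such as "udp dpt:53"


@dataclass
class Chain:
    name: str
    policy: str         # None for user-defined chains
    policy_pkts: int    # packets that fell through every rule to the policy
    rules: list = field(default_factory=list)


def parse_iptables(text):
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_HEADER.match(line)
        if m:
            name, policy, pkts = m.groups()
            current = chains[name] = Chain(name, policy, int(pkts) if pkts else 0)
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:       # the "num pkts bytes ..." header line does not match
            num, pkts, target, proto, in_if, out_if, extra = m.groups()
            current.rules.append(Rule(int(num), counter(pkts), target, proto, in_if, out_if, extra.strip()))
    return chains


def diagnose(chains):
    """Chain policies and rules that actually dropped or rejected something, in listing order."""
    hits = []
    for c in chains.values():
        if c.policy in ("DROP", "REJECT") and c.policy_pkts:
            hits.append(f"{c.name}: policy {c.policy} dropped {c.policy_pkts} packets")
        for r in c.rules:
            if r.target in ("DROP", "REJECT") and r.pkts:
                hits.append(f"{c.name}: rule {r.num} {r.target} {r.proto} {r.extra} matched {r.pkts} packets")
    return hits


def idle_allows(chains, chain="ufw-user-input"):
    """ACCEPT rules whose counters never moved: the port you opened is not what the traffic hits."""
    return [r.extra for r in chains.get(chain, Chain(chain, None, 0)).rules
            if r.target == "ACCEPT" and r.pkts == 0]


SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      12K  812K ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2      210 15840 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 143 packets, 10516 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      143 10516 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2      143 10516 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3       42  2520 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8006

Chain ufw-user-forward (1 references)
num   pkts bytes target     prot opt in     out     source               destination
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()   # pipe real output in, or use the sample
    chains = parse_iptables(text)
    for hit in diagnose(chains):
        print(hit)
    for extra in idle_allows(chains):
        print(f"ufw-user-input: ACCEPT {extra} never matched anything")
```

On the node, run `iptables -vnL --line-numbers | python3 iptables_drops.py` (script name assumed) while apt-get is retried inside the container. If the FORWARD policy counter grows and the port 53 ACCEPT rules stay at zero, the container's traffic never reaches INPUT, and another `ufw allow` will not help; ufw's command for forwarded traffic is `ufw route allow ...` (ufw 0.34 and later), for example `ufw route allow in on vmbr0 proto udp to any port 53`, where the bridge name vmbr0 is an assumption. If instead nothing in this listing moves at all, the problem is not the host firewall, which is the direction the thread eventually took.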
 
#9  LXCnut (OP), LQ Newbie, 06-04-2020, 06:57 AM
Quote: Originally Posted by vincix (post #8)
I think I just realized what the issue is. With Proxmox (Proxmox Virtual Environment), the node is the one which feeds the host (container) with settings; most of the settings in the container are picked up from the host node. As a security measure, the Debian apt-get update URL is by default disabled in Proxmox and updates are expected to be run from the GUI. So even from the node, apt-get update runs a little and then hits an error. I am seeing that it may not have anything to do with the ports.

But since it is a security measure that is disabled by default, I am opting not to interfere with it. Also, I won't be installing much via apt-get. When there is need, I will just do a normal server upgrade/update, disabling UFW once in a while. There are other security variables I have set up, so it won't be too bad disabling it once in a while for maintenance.
 
#10  vincix, Senior Member, 06-05-2020, 02:49 PM
Hi,

I've used proxmox myself for some time and what you're saying cannot possibly be right, that they expect you to run the updates through the GUI. You run the updates through apt/apt-get on the command line. This is how it works. I don't think you actually can run them from the GUI at all, I'd be really curious to see how.

Are you maybe confusing the enterprise-repository error with a security measure? By default Proxmox enables these repositories, to which you don't have access if you don't have a licence. You have to manually enable the no-subscription repository.

I don't think a security measure that denies access to updates through the command line while enabling them on the GUI makes much sense. If anything, it would be the opposite.
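What vincix describes is easy to check mechanically: a stock Proxmox node ships /etc/apt/sources.list.d/pve-enterprise.list pointing at enterprise.proxmox.com, which answers 401 Unauthorized without a subscription key, so `apt-get update` fails on the node and in anything that inherits its sources, before any firewall port matters. The following is an added example, not code from the thread or from Proxmox: a Python audit of one-line-format apt sources that flags an enabled enterprise entry, checks for pve-no-subscription, and produces the corrected files. The file contents are constructed; the repository URLs are Proxmox's published ones; the suite name `buster` (Proxmox VE 6.x, current when the thread was written) is an assumption used only as a fallback when no existing Proxmox entry names a suite.

```python
"""Audit Proxmox apt sources for the enterprise-repository trap.

Added example, not from the thread or from Proxmox. SAMPLE is constructed to
mirror a fresh node: Debian repos plus the enterprise repo, no subscription,
no pve-no-subscription entry. Suite "buster" is an assumed fallback only.
"""
import re

ENTERPRISE_HOST = "enterprise.proxmox.com"
NO_SUB_FILE = "/etc/apt/sources.list.d/pve-no-subscription.list"
NO_SUB_LINE = "deb http://download.proxmox.com/debian/pve {suite} pve-no-subscription"
FALLBACK_SUITE = "buster"   # assumption: Proxmox VE 6.x is Debian 10 based

# One-line format: [#] deb|deb-src [options] uri suite component...
DEB_LINE = re.compile(r"^\s*(#\s*)?(deb(?:-src)?)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s+(.+)$")


def parse_sources(text):
    """One dict per deb line; commented-out entries are kept with enabled=False."""
    entries = []
    for line in text.splitlines():
        m = DEB_LINE.match(line)
        if m:
            comment, kind, uri, suite, comps = m.groups()
            entries.append({"enabled": comment is None, "kind": kind, "uri": uri,
                            "suite": suite, "components": comps.split()})
    return entries


def audit(files):
    """files: {path: contents}. Flags enabled enterprise entries, records whether
    pve-no-subscription is enabled, and notes the suite the Proxmox entries use."""
    report = {"enterprise_enabled": [], "no_subscription_present": False, "suite": None}
    for path, text in files.items():
        for e in parse_sources(text):
            if e["uri"].endswith("proxmox.com/debian/pve"):
                report["suite"] = report["suite"] or e["suite"]
            if not e["enabled"]:
                continue
            if ENTERPRISE_HOST in e["uri"]:
                report["enterprise_enabled"].append((path, e["suite"]))
            if "pve-no-subscription" in e["components"]:
                report["no_subscription_present"] = True
    return report


def fixed_sources(files, has_subscription=False):
    """Corrected contents: enterprise lines commented out unless licensed, and the
    no-subscription repo added when missing. Running it on its own output changes nothing."""
    out = {}
    for path, text in files.items():
        lines = []
        for line in text.splitlines():
            m = DEB_LINE.match(line)
            if m and m.group(1) is None and ENTERPRISE_HOST in m.group(3) and not has_subscription:
                line = "# " + line
            lines.append(line)
        out[path] = "\n".join(lines) + "\n"
    report = audit(out)
    if not has_subscription and not report["no_subscription_present"]:
        out[NO_SUB_FILE] = NO_SUB_LINE.format(suite=report["suite"] or FALLBACK_SUITE) + "\n"
    return out


SAMPLE = {   # constructed, not read from a real node
    "/etc/apt/sources.list": (
        "deb http://ftp.debian.org/debian buster main contrib\n"
        "deb http://security.debian.org/debian-security buster/updates main contrib\n"
    ),
    "/etc/apt/sources.list.d/pve-enterprise.list":
        "deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    for path, text in fixed_sources(SAMPLE).items():
        print(f"--- {path}\n{text}", end="")
```

To run it against a real node, build the `files` dict from /etc/apt/sources.list and every file under /etc/apt/sources.list.d/ and pass `has_subscription=True` where a key is installed; the functions only compute new contents and never write them, so the diff can be reviewed before anything is changed. Whichever way the sources are fixed, the firewall question from the start of the thread remains a separate problem.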
 
#11  LXCnut (OP), LQ Newbie, 07-01-2020, 06:14 AM
Quote: Originally Posted by vincix (post #10)
Hehe, you're so serious, man... the Linux way is normally the calm way. I think it's because with Linux you just learn something new every day; I don't think there is a Linux professional out there who knows it all! Thanks though...
 
#12  vincix, Senior Member, 07-02-2020, 03:55 AM
I've no idea what you're talking about, but I'd have preferred that you explained what actually happened, instead of uttering clichés.
 
  

