[SOLVED] Unable to apt-get when UFW is running on pve proxmox node
Hello,
When I have the ufw for the pve node active, the container is unable to apt-get update or any apt-get install. When I disable the ufw for the pve node, apt-get works very fine.
I want the ufw to be up and running to boost security. I have also tried to enable various ports in the pve node ufw but it doesn't seem to do any good.
If you're not going to show us anything concrete, there's no way anyone can help you. If you say you've opened port 53, then the answer is: then it should work and that's that.
Show us the current rules and the actual commands you've run, one after another, to actually understand what's going on.
sudo ufw enable # to enable the firewall for both the pve_node and the container
sudo ufw allow 53/tcp # to enable port 53 for both the pve_node and the container. Other ports open are http, https, ntp, ftp, 8006, 53
sudo ufw status # [active] when the pve_node ufw is active, I cannot update or install anything via apt-get on the LXC container. Container ID 100
sudo ufw status # [disable] when the pve_node ufw is disabled, I can apt-get update on the container and I can apt-get install on the container too
Yes, this is a bit clearer, now that you're unjustifiably annoyed. Now we see that you're trying to connect to DNS through TCP instead of UDP. DNS works mainly with UDP (and in special cases only with TCP).
But I guess I could see that only after you've pasted your commands, couldn't I?
$ sudo ufw allow 53/udp # still does not work. apt-get update and apt-get install still don't work with this port allowed
I think I just realized what the issue is. With proxmox (Proxmox Virtual Environment), the node is the one which feeds the host (container) with settings. Most of the settings from the container pick from the host node. As a security measure, the Debian apt-get update URL is by default disabled in proxmox and updates are expected to be run from the GUI. So even from the node apt-get update runs a little and then hits an error. I am seeing that it may not have anything to do with the ports. But since it is a security measure that it is disabled by default, I am opting not to interfere with it. And also I won't be installing much via apt-get. When there is need I will just be doing a normal server upgrade / update and disabling UFW once in a while. There are other security variables I have set up, so it won't be too bad disabling it once in a while for maintenance.
I've used proxmox myself for some time and what you're saying cannot possibly be right, that they expect you to run the updates through the GUI. You run the updates through apt/apt-get on the command line. This is how it works. I don't think you actually can run them from the GUI at all, I'd be really curious to see how.
Are you maybe confusing the enterprise repository-related error with a security measure? By default proxmox enables these repositories to which you don't have access if you don't have a licence. You have to manually enable the no-subscription repository.
I don't think a security measure that denies access to updates through the command line while enabling them on the GUI makes much sense. If anything, it would be the opposite.
hehe you so serious man... the Linux way is normally the calm way. I think it's because with Linux you just learn something new every day, I don't think there is a Linux professional out there who knows it all! Thanks though...