Diego A. Carrasco Gubernatis | Personal Website (Posts about SQLite)https://diegocarrasco.com/enContents © 2026 <a href="mailto:hi@diegocarrasco.com">Diego Carrasco G.</a> Sat, 11 Apr 2026 08:03:46 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rssHow to recover and update Proxmox 8 firewall configuration in SQLite when you locked yourself outhttps://diegocarrasco.com/regain-access-proxmox-firewall-misconfiguration/Diego Carrasco G.<figure><img src="https://diegocarrasco.com/images/social-images/regain-access-proxmox-firewall-misconfiguration.jpg"></figure> <h2 id="tldr">TLDR</h2> <p>The firewall config is not in <code>/etc/pve/firewall/cluster.fw</code> but in a SQLite Database in <code>/var/lib/pve-cluster/config.db</code>. You need to reboot your system into rescue mode, edit the value <code>enable: 1</code> to <code>enable: 0</code> and reboot into Proxmox.</p> <h2 id="context">Context</h2> <p>I made a noob mistake and locked myself out of my server. Luckily Hetzner allows me to reboot into rescue mode. This is what happened and how I managed to get my access back.</p> <p>In other words, this tutorial is for situations where you've accidentally locked yourself out of your Proxmox server due to a firewall misconfiguration (like I did). In my case, I enabled the firewall (<code>enable: 1</code>) with an incorrect configuration, preventing access to the server. The solution involves booting into a rescue system, mounting the Proxmox partition, and manually editing the firewall configuration in the SQLite database.</p> <h2 id="prerequisites">Prerequisites</h2> <ul> <li>Access to a rescue system (e.g., Hetzner Rescue System)</li> <li>Basic knowledge of Linux commands and SQLite, although you can copy and paste these commands and it should work.</li> </ul> <p><strong>Disclaimer</strong>: I am not responsible for data loss or anything else for that matter. The following commands worked for me and nothing bad happened. I out them here in case they help someone else, as I had to research a few hour before solving this (specially the issue of not finding the config).</p> <h3 id="step-1-boot-into-rescue-system">Step 1: Boot into Rescue System</h3> <p>Boot your server into the rescue system provided by your hosting provider (e.g., Hetzner Rescue System).</p> <h3 id="step-2-identify-the-proxmox-partition">Step 2: Identify the Proxmox Partition</h3> <p>Use the <code>lsblk</code> command to list all block devices:</p> <div class="code"><pre class="code literal-block">lsblk </pre></div> <p>Identify the partition where Proxmox is installed. It's often part of a RAID array or LVM setup.</p> <p>In my case the output was like this:</p> <div class="code"><pre class="code literal-block">loop0<span class="w"> </span><span class="m">7</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">3</span>.1G<span class="w"> </span><span class="m">1</span><span class="w"> </span>loop<span class="w"> </span> nvme1n1<span class="w"> </span><span class="m">259</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">476</span>.9G<span class="w"> </span><span class="m">0</span><span class="w"> </span>disk<span class="w"> </span> ├─nvme1n1p1<span class="w"> </span><span class="m">259</span>:1<span class="w"> </span><span class="m">0</span><span class="w"> </span>256M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part<span class="w"> </span> │<span class="w"> </span>└─md0<span class="w"> </span><span class="m">9</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">255</span>.9M<span class="w"> </span><span class="m">0</span><span class="w"> </span>raid1<span class="w"> </span> ├─nvme1n1p2<span class="w"> </span><span class="m">259</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span>1G<span class="w"> </span><span class="m">0</span><span class="w"> </span>part<span class="w"> </span> │<span class="w"> </span>└─md1<span class="w"> </span><span class="m">9</span>:1<span class="w"> </span><span class="m">0</span><span class="w"> </span>1022M<span class="w"> </span><span class="m">0</span><span class="w"> </span>raid1<span class="w"> </span> └─nvme1n1p3<span class="w"> </span><span class="m">259</span>:3<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">475</span>.7G<span class="w"> </span><span class="m">0</span><span class="w"> </span>part<span class="w"> </span> <span class="w"> </span>└─md2<span class="w"> </span><span class="m">9</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">475</span>.6G<span class="w"> </span><span class="m">0</span><span class="w"> </span>raid1<span class="w"> </span> <span class="w"> </span>├─vg0-root<span class="w"> </span><span class="m">253</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span>64G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span> <span class="w"> </span>├─vg0-swap<span class="w"> </span><span class="m">253</span>:1<span class="w"> </span><span class="m">0</span><span class="w"> </span>8G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span> <span class="w"> </span>└─vg0-data<span class="w"> </span><span class="m">253</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span>402G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span> nvme0n1<span class="w"> </span><span class="m">259</span>:4<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">476</span>.9G<span class="w"> </span><span class="m">0</span><span class="w"> </span>disk<span class="w"> </span> ├─nvme0n1p1<span class="w"> </span><span class="m">259</span>:5<span class="w"> </span><span class="m">0</span><span class="w"> </span>256M<span class="w"> </span><span class="m">0</span><span class="w"> </span>part<span class="w"> </span> │<span class="w"> </span>└─md0<span class="w"> </span><span class="m">9</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">255</span>.9M<span class="w"> </span><span class="m">0</span><span class="w"> </span>raid1<span class="w"> </span> ├─nvme0n1p2<span class="w"> </span><span class="m">259</span>:6<span class="w"> </span><span class="m">0</span><span class="w"> </span>1G<span class="w"> </span><span class="m">0</span><span class="w"> </span>part<span class="w"> </span> │<span class="w"> </span>└─md1<span class="w"> </span><span class="m">9</span>:1<span class="w"> </span><span class="m">0</span><span class="w"> </span>1022M<span class="w"> </span><span class="m">0</span><span class="w"> </span>raid1<span class="w"> </span> └─nvme0n1p3<span class="w"> </span><span class="m">259</span>:7<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">475</span>.7G<span class="w"> </span><span class="m">0</span><span class="w"> </span>part<span class="w"> </span> <span class="w"> </span>└─md2<span class="w"> </span><span class="m">9</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="m">475</span>.6G<span class="w"> </span><span class="m">0</span><span class="w"> </span>raid1<span class="w"> </span> <span class="w"> </span>├─vg0-root<span class="w"> </span><span class="m">253</span>:0<span class="w"> </span><span class="m">0</span><span class="w"> </span>64G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span> <span class="w"> </span>├─vg0-swap<span class="w"> </span><span class="m">253</span>:1<span class="w"> </span><span class="m">0</span><span class="w"> </span>8G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm<span class="w"> </span> <span class="w"> </span>└─vg0-data<span class="w"> </span><span class="m">253</span>:2<span class="w"> </span><span class="m">0</span><span class="w"> </span>402G<span class="w"> </span><span class="m">0</span><span class="w"> </span>lvm </pre></div> <p>There I saw that I should mount <code>vg0</code>, and that is was in a raid <code>md2</code></p> <h3 id="step-3-assemble-raid-array-if-applicable">Step 3: Assemble RAID Array (if applicable)</h3> <p>If your Proxmox partition is part of a RAID array, assemble it:</p> <div class="code"><pre class="code literal-block">mdadm<span class="w"> </span>--assemble<span class="w"> </span>--scan </pre></div> <h3 id="step-4-activate-volume-group">Step 4: Activate Volume Group</h3> <p>Activate the volume group (usually named <code>vg0</code> in Proxmox):</p> <div class="code"><pre class="code literal-block">vgchange<span class="w"> </span>-ay<span class="w"> </span>vg0 </pre></div> <h3 id="step-5-mount-the-proxmox-partition">Step 5: Mount the Proxmox Partition</h3> <p>Create a mount point and mount the Proxmox root partition:</p> <div class="code"><pre class="code literal-block">mkdir<span class="w"> </span>/mnt/proxmox mount<span class="w"> </span>/dev/vg0/root<span class="w"> </span>/mnt/proxmox </pre></div> <p>Verify the mount:</p> <div class="code"><pre class="code literal-block">ls<span class="w"> </span>/mnt/proxmox/ </pre></div> <p>Here you should see some files and directories.</p> <h3 id="step-6-locate-the-configuration-database">Step 6: Locate the Configuration Database</h3> <p>The Proxmox configuration is stored in an SQLite database. Locate it:</p> <div class="code"><pre class="code literal-block">ls<span class="w"> </span>-la<span class="w"> </span>/mnt/proxmox/var/lib/pve-cluster </pre></div> <p>You should see a file named <code>config.db</code>.</p> <h3 id="step-7-access-the-sqlite-database">Step 7: Access the SQLite Database</h3> <p>Open the SQLite database:</p> <div class="code"><pre class="code literal-block">sqlite3<span class="w"> </span>/mnt/proxmox/var/lib/pve-cluster/config.db </pre></div> <p><code>sqlite3</code> is already installed in the rescue system of Hetzner. You need to install it if it's not available in your system.</p> <h3 id="step-8-check-the-current-firewall-configuration">Step 8: Check the Current Firewall Configuration</h3> <p>View the current firewall configuration:</p> <div class="code"><pre class="code literal-block"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">tree</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'cluster.fw'</span><span class="p">;</span> </pre></div> <p><strong>Note</strong>: Initially I didn't know where this was, so I used the following to find where the entry was and if there was any.</p> <div class="code"><pre class="code literal-block"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">tree</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'cluster.fw'</span><span class="p">;</span> </pre></div> <h3 id="step-9-update-the-enable-option">Step 9: Update the <code>enable</code> Option</h3> <p>Change the <code>enable</code> option from <code>1</code> to <code>0</code> to disable the firewall:</p> <div class="code"><pre class="code literal-block"><span class="k">UPDATE</span><span class="w"> </span><span class="n">tree</span><span class="w"> </span> <span class="k">SET</span><span class="w"> </span><span class="k">data</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">replace</span><span class="p">(</span><span class="k">data</span><span class="p">,</span><span class="w"> </span><span class="s1">'enable: 1'</span><span class="p">,</span><span class="w"> </span><span class="s1">'enable: 0'</span><span class="p">)</span><span class="w"> </span> <span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'cluster.fw'</span><span class="p">;</span> </pre></div> <h3 id="step-10-verify-the-change">Step 10: Verify the Change</h3> <p>Confirm that the change was made successfully:</p> <div class="code"><pre class="code literal-block"><span class="k">SELECT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="k">FROM</span><span class="w"> </span><span class="n">tree</span><span class="w"> </span><span class="k">WHERE</span><span class="w"> </span><span class="n">name</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s1">'cluster.fw'</span><span class="p">;</span> </pre></div> <h3 id="step-11-exit-sqlite">Step 11: Exit SQLite</h3> <p>Exit the SQLite prompt:</p> <div class="code"><pre class="code literal-block"><span class="p">.</span><span class="n">quit</span> </pre></div> <h3 id="step-12-unmount-and-reboot">Step 12: Unmount and Reboot</h3> <p>Unmount the Proxmox partition and reboot the server:</p> <div class="code"><pre class="code literal-block">umount<span class="w"> </span>/mnt/proxmox reboot </pre></div> <h3 id="important-notes">Important Notes</h3> <ul> <li><strong>Disabling the Firewall:</strong> This process disables the firewall cluster-wide. Re-enable it after properly configuring it once you regain access.</li> <li><strong>Security Risks:</strong> A disabled firewall may expose your system to security risks. You have been warned.</li> <li><strong>Backup:</strong> Always create backups before making significant changes. I have my proxmox configs in a git repository for reference.</li> <li><strong>Alternative Methods:</strong> When possible, use the Proxmox web interface or CLI tools for configuration changes. At least that's what I've read. I like to use config files, but I also locked myself out of my server. </li> </ul> <h2 id="references">References</h2> <p>Several sites, but I cannot longer remember all of them.</p> <p>Some of the sites I visited are:</p> <ul> <li>https://forum.proxmox.com/threads/ssh-connection-no-web-interface.110702/</li> <li>https://www.reddit.com/r/Proxmox/comments/13hyn0y/how_to_secure_proxmox_web_ui/</li> <li>https://eulenfunk.readthedocs.io/en/stable/supernode01.html</li> <li>and many more ...</li> </ul>FirewalllinuxLVMProxmoxRAIDRescue SystemSQLiteregain-access-proxmox-firewall-misconfigurationFri, 27 Sep 2024 07:00:00 GMT