[pve-devel] applied: [PATCH firewall] fix #2721: remove reject tcp 43 from default drop and reject actions
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Aug 6 14:06:37 CEST 2021
thanks!
On August 5, 2021 12:59 pm, Lorenz Stechauner wrote:
> first, '43' is a typo, it should say '113' (if it really is like
> legacy shorewall [0]). this tcp port corresponds to the ident or
> authentication service protocol.
>
> second, nowadays this reject is not included in shorewall anymore.
> furthermore it would make no sense to reject specifically this
> one port.
>
> [0] https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/action.Drop#L66
> https://gitlab.com/shorewall/code/-/blob/4.6.13/Shorewall/Macros/macro.Auth
>
> Signed-off-by: Lorenz Stechauner <l.stechauner at proxmox.com>
> ---
> src/PVE/Firewall.pm | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
> index fc5c077..edc5336 100644
> --- a/src/PVE/Firewall.pm
> +++ b/src/PVE/Firewall.pm
> @@ -592,7 +592,6 @@ $pve_std_chains_conf->{4} = {
> # same as shorewall 'Drop', which is equal to DROP,
> # but REJECT/DROP some packages to reduce logging,
> # and ACCEPT critical ICMP types
> - { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
> # we are not interested in BROADCAST/MULTICAST/ANYCAST
> { action => 'PVEFW-DropBroadcast' },
> # ACCEPT critical ICMP types
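Review bot: the comment kept above the removed line in this Drop chain, "but REJECT/DROP some packages to reduce logging", no longer matches the visible rules, since the only explicit PVEFW-reject entry shown here is the one being deleted. Consider rewording it in the same patch ("packages" is presumably meant to be "packets" as well). If entries outside this context still reject something the wording can stay, but that cannot be seen from the hunk.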
> @@ -615,7 +614,6 @@ $pve_std_chains_conf->{4} = {
> # same as shorewall 'Reject', which is equal to Reject,
> # but REJECT/DROP some packages to reduce logging,
> # and ACCEPT critical ICMP types
> - { action => 'PVEFW-reject', proto => 'tcp', dport => '43' }, # REJECT 'auth'
> # we are not interested in BROADCAST/MULTICAST/ANYCAST
> { action => 'PVEFW-DropBroadcast' },
> # ACCEPT critical ICMP types
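Review bot: the rule removed from this Reject chain matched dport => '43' while its comment said REJECT 'auth', so what changes in practice is the handling of TCP port 43, not of ident on 113. The commit message explains the typo but not the resulting behaviour: after the removal, TCP 43 traffic falls through to PVEFW-DropBroadcast and the entries after it. A sentence stating how that traffic ends up being treated in the Drop and Reject chains would let users who notice a difference trace it back to this change.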
> --
> 2.30.2